‘Whether the Cybercrime Convention will do more good than harm will hinge on implementation and monitoring’
CIVICUS discusses the recently approved United Nations (UN) Cybercrime Convention with Pavlina Pavlova, a cyber policy expert and a #ShareTheMicInCyber fellow at New America, who took part in the negotiations.
After three years of negotiations, on 8 August UN member states agreed by consensus a draft Convention on Cybercrime, which now goes to the UN General Assembly for adoption. Civil society and technology companies warn that the convention’s broad scope and lack of human rights safeguards could expand surveillance, threaten privacy, restrict freedom of expression and enable government repression. Many in civil society see the convention as the result of concerted Russian efforts to shift global online norms in a more authoritarian direction, while the convention’s supporters believe it will harmonise global efforts and align the cybercrime laws and investigatory police powers of states.
What are the objectives and main elements of the Cybercrime Convention?
The instrument aims to set global standards to investigate and prosecute cybercrime more effectively and streamline cooperation on transnational cybercrime.
As there is no universally accepted definition of cybercrime, the chapter on criminalisation outlines what offences are understood as ‘cybercrime’ to be covered by the treaty. This is not unusual as the Council of Europe’s Budapest Convention takes a similar approach. What has been viewed as problematic is that the negotiations dealt with proposals for a broad range of crimes, many of them cyber-enabled and some constituting speech offences.
In the final draft, the chapter on criminalisation has been tamed compared to earlier versions. However, the agreed procedural and law enforcement measures apply to other criminal offences committed by means of an ICT system and the collection of evidence in electronic form of any criminal offence.
Under provisions on international cooperation, states agreed to allow evidence to be collected, obtained, preserved and shared in electronic form for any serious crime, defined as an offence punishable by a maximum deprivation of liberty of at least four years. The treaty also deals with prevention measures and technical assistance, and strongly focuses on the ability of law enforcement agencies to track and collect data, which may inadvertently incentivise the acquisition of surveillance technology.
What were the main divisions and areas of disagreement?
Key divisions can be traced back to the beginning of the negotiations. The process started with a Russian proposal, with the fear from many others that the convention would end up serving authoritarian agendas.
The negotiation process revealed deep divisions in the global community about the role of human rights online. The main disagreements on the text revolved around the scope of criminal offences, law enforcement powers and cross-border data access.
The chapter on criminalisation has seen a long list of proposals, and in the final negotiating rounds, negotiators started to tilt toward an agreement that the list of criminalised offences will be narrower but the scope for collection and exchange of data will be broad. State overreach in the form of privacy violations therefore presents an acute danger. At the same time, the convention includes only minimal safeguards on international cooperation, and many organisations, including the UN Office of the High Commissioner for Human Rights, have raised the issue that some provisions fall short of meeting international human rights standards.
How did civil society contribute to the process?
One caveated win for stakeholders was the early agreement of ways of working that allowed for the participation of interested organisations, including civil society and the private sector, in the formal parts of negotiations. Civil society groups were also able to engage more effectively thanks to close coordination, both in-person during negotiations and remotely between sessions. This collaboration fostered partnerships and flexibility in addressing advocacy and awareness-raising opportunities collectively, enabled a more strategic approach to stakeholder engagement in multilateral negotiations and broadened outreach to governments across regions.
It is remarkable that this strong coordination was extended to coordination and joint statements with private companies and the cybersecurity community. This has sent a powerful message – demonstrating that organisations’ positions were not isolated views but spoke to global, shared concerns.
What’s your assessment of the final draft?
As someone who works with vulnerable and marginalised groups, I personally would like to see the convention extend protection to targets and victims of cybercrime and improve access to justice. Provisions on victim assistance and protection outline procedures to provide victims with access to compensation and restitution, along with assistance for their physical and psychological recovery, taking into account their age, gender, circumstances and needs. However, these measures are left to domestic law and do not increase protection through a commitment to align with international human rights standards.
Furthermore, cybercrime is not gender blind. Technology-enabled gender-based violence and non-consensual sharing of intimate images are some of its forms that have gendered impacts. Ransomware attacks on healthcare systems can also expose data and information that leaves women and gender and sexual minorities more vulnerable because of the sensitivity of data and societal discrimination. The concepts of data protection and gender mainstreaming featured prominently in negotiations, but due to a lack of consensus, they are ultimately referenced in weak terms. Stronger, more prescriptive language would be welcome to explicitly require states to actively safeguard privacy and non-discrimination rights while affirming a commitment to gender equality.
What are the next steps?
The draft convention is expected to be adopted by the UN General Assembly and then opened for ratification by individual governments. This process will take a few years and may require parliamentary approval or other procedures, depending on countries’ domestic systems. Once the convention reaches 40 ratifications, it will become a UN instrument, and the first global, legally binding treaty on cyberspace. The framework will co-exist with other related conventions, notably the Budapest Convention and the African Union’s Malabo Convention, as well as the UN Convention against Transnational Organized Crime (UNTAC) and the UN Convention against Corruption (UNCAC).
The convention’s effectiveness – and whether it will do more good than harm – will hinge on its implementation and diligent monitoring. Although the implementation process may vary and be inconsistent and uneven across countries, the convention will shape cybercrime laws for the coming decades. It will be critical for civil society organisations, the private sector and the expert community to serve as watchdogs and guides, ensuring the framework is implemented in a way that respects human rights and taps into its potential to strengthen the fight against cybercrime.