On 9 August, United Nations member states reached agreement on a global Cybercrime Convention. The convention was originally proposed by authoritarian Russia and co-sponsored by some of the world’s most repressive states, clearly intent on using it to stifle dissent. Civil society didn’t want the treaty, but as the process went on worked hard to try to limit its scope and introduce human rights safeguards. Some of the worst ideas states proposed have been rejected, but the convention could still have negative impacts. Civil society will keep working at every level to try to stop repressive states using cybercrime legislation to restrict human rights.

United Nations (UN) member states recently agreed the final draft of the Cybercrime Convention. The UN Office on Drugs and Crime (UNODC) hailed it as a ‘landmark step’ in tackling online dangers.

But human rights organisations, and many states, aren’t so sure. They thought the treaty wasn’t a great idea to begin with, and initially opposed it. Experts pointed out that existing international agreements aren’t enforced, particularly the 2001 Council of Europe Budapest Convention, which every state is free to ratify but most haven’t, leaving it only partially operational.

Ominously, the resolution that started the process, passed by the UN General Assembly in December 2019, was sponsored by authoritarian Russia and backed by some of the world’s most repressive regimes, including Belarus, Cambodia, China, Iran, Nicaragua, Syria and Venezuela. Some already had cybercrime laws they use to stifle legitimate dissent and scrutiny under the pretence of combatting vaguely defined online crimes such as insulting the authorities, spreading fake news or hate speech and inciting sedition. Many more have since passed such laws and are actively using them to criminalise dissent.

When Russia’s resolution was put to a vote, the European Union (EU), USA and many others, alongside human rights and digital rights organisations, urged states to reject it. But once the resolution passed, they had little choice but to engage with the process to try to prevent the worst possible outcome: a treaty lacking human rights safeguards that could be used as a repressive tool.

They succeeded in tempering some of the worst aspects of early drafts, but the results still leave much to be desired.

The treaty process

The December 2019 resolution established an ad hoc committee (AHC) to lead negotiations, chaired by UNODC and open to the participation of all UN member states plus others as observers, including civil society.

The pandemic delayed the process, and the AHC’s first meeting, focused on establishing procedural rules, took place in mid-2021. Brazil’s proposal to require a two-thirds majority for decisions when states couldn’t reach consensus prevailed over the simple majority rule favoured by Russia. The AHC approved a list of eligible stakeholders, including civil society organisations (CSOs), academic institutions and private sector representatives.

The first negotiating session in February 2022 took another important procedural: consultations would be held between negotiating sessions for stakeholders, including human rights CSOs, to provide input and feedback.

Numerous human rights and digital rights CSOs – including Access Now, Article 19, the CyberPeace Institute, Derechos Digitales, the Electronic Frontier Foundation, Global Partners Digital, Human Rights Watch, Privacy International and R3D – took part, joining together in coalitions. They were able to make written submissions, attend face-to-face and online meetings and make oral interventions, as well as participate in the intersessional consultations. The AHC also organised informal consultations.

Voices from the frontline

Pavlina Pavlova is a cyber policy expert and a fellow at New America.

 

Key divisions can be traced back to the beginning of the negotiations. The process started with a Russian proposal, with the fear from many others that the convention would end up serving authoritarian agendas.

The negotiation process revealed deep divisions in the global community about the role of human rights online. The main disagreements on the text revolved around the scope of criminal offences, law enforcement powers and cross-border data access.

One caveated win for stakeholders was the early agreement of ways of working that allowed for the participation of interested organisations, including civil society and the private sector, in the formal parts of negotiations. Civil society groups were also able to engage more effectively thanks to close coordination, both in-person during negotiations and remotely between sessions. This collaboration fostered partnerships and flexibility in addressing advocacy and awareness-raising opportunities collectively, enabled a more strategic approach to stakeholder engagement in multilateral negotiations and broadened outreach to governments across regions.

It is remarkable that this strong coordination was extended to coordination and joint statements with private companies and the cybersecurity community. This sent a powerful message – demonstrating that organisations’ positions were not isolated views but spoke to global, shared concerns.

 

This is an edited extract of our conversation with Pavlina. Read the full interview here.

Damage control

Ahead of the first negotiating session, some 130 organisations and experts signed a letter urging the AHC to ensure the treaty included human rights protections, warning that otherwise it could become ‘a powerful weapon for oppression’. They were up against numerous states that didn’t agree human rights safeguards were needed.

In the early stages of negotiations, civil society still questioned the need for a cybercrime convention, saying it would only legitimise and perpetuate the abuse of cybercrime laws. But by April 2022, many states initially opposed to the treaty had begun to participate actively, some even taking a leading role in negotiations, so civil society focused on damage control. By then it was apparent there wasn’t a clear definition of what constitutes a cybercrime and which cybercrimes the treaty should regulate. Several states aggressively pushed for broad and ambiguous provisions they claimed were needed to combat extremism, hate speech and terrorism.

Civil society insisted the treaty shouldn’t be overly broad and should only cover core cybercrimes or cyber-dependent crimes: those committed by using information and communication technologies (ICTs). These are crimes committed against computer systems, networks and data, including hacking, computing system interference, ransomware and the spreading of malware. And even when dealing with these crimes, civil society warned, treaty provisions shouldn’t apply to security research, the work of whistleblowers and other actions that benefit the public.

Above all, civil society insisted on the exclusion of cyber-enabled crimes: those that can be facilitated by ICTs but can also committed without them, such as arms and drug trafficking, money laundering and the illegal distribution of counterfeit goods. This category could potentially include numerous offences that would repress the online exercise of civic freedoms.

The Office of the UN High Commissioner for Human Rights echoed civil society’s concerns, stating that the treaty shouldn’t include offences related to the content of online expression and emphasising that it should clearly and explicitly reference binding international human rights agreements, such as the International Covenant on Civil and Political Rights, to ensure it would be interpreted and applied in line with universal human rights principles.

Tech companies also shared civil society’s concerns about the potential for expansive electronic surveillance in the name of fighting crime.

A second major concern was the scope and conditions for international cooperation. Here too civil society urged clear definitions and a narrower scope. It argued that if not clearly defined, cooperation arrangements could mean enhanced surveillance and bulk data sharing, violating privacy and data protection provisions, rather than the exchange of specific evidence. It warned that in the absence of the principle of dual criminality – which means extradition can only apply to an action that constitutes a crime in both the country making the request and the one receiving it – state authorities could be made to investigate activities that aren’t crimes in their countries on other states’ behalf. They could effectively become enforcers of the repression of others.

Voices from the frontline

Deborah Brown is deputy director of the Technology, Rights and Investigations division of Human Rights Watch.

 

The convention’s impact will only become clear once the UN General Assembly has adopted it and we see which governments ratify it and how they implement it. But we are already concerned it will expand government surveillance powers and facilitate international cooperation on a wide range of crimes without sufficient safeguards.

The convention will allow governments to collect electronic evidence and share it with foreign authorities for any ‘serious’ domestic crime, defined as an offence that carries a sentence of four years or more. This could include activities protected by international human rights law that some states criminalise, such as same-sex relationships, criticism of the government, investigative journalism, protest and whistleblowing.

Greater surveillance powers should be accompanied by stronger safeguards against abuse, but the convention largely leaves it to domestic law to provide human rights safeguards. As a result, people would be subject to national laws instead of benefiting from international standards such as the principles of necessity and legality or the right to be notified of surveillance to be able to challenge it. Even key safeguards such as the requirement for an independent court to authorise surveillance are left optional. While some governments may argue that the convention provides grounds for refusing requests that could lead to persecution based on gender, race, religion, nationality or political opinion, these are discretionary and could easily become the exception rather than the rule.

As a result, the convention risks becoming a global surveillance treaty and a tool for cross-border human rights violations. We are also concerned that governments could use it to justify problematic domestic cybercrime laws.

 

This is an edited extract of our conversation with Deborah. Read the full interview here.

Human rights sidelined

Civil society representatives involved in the process see the final draft as not as bad as it could have been – but much worse than it should have been, given that it lacks clear, specific and enforceable human rights protections. Rather than applying them as international standards, the treaty leaves human rights safeguards up to each state’s domestic law.

Civil society advocacy led to improvements on the first drafts, including an expanded article on human rights that references civic freedoms, and the inclusion of the right to an effective remedy in the article on conditions and safeguards. The most blatant attempts to weaponise the treaty to criminalise expression failed, although some cyber-enabled crimes still made it into the text. The activities of journalists, security researchers and whistleblowers aren’t adequately protected.

The convention includes a chapter on crimes against computer systems, networks and data, plus a limited number of cyber-enabled crimes, such as child sexual abuse. But while the list of crimes ended up being narrower than initially proposed, the scope of cooperation in collecting and sharing data became wider, raising real dangers of state overreach in the form of surveillance and invasion of privacy. Under the convention, states will be able to use broad electronic surveillance powers to collect and exchange information on a wide range of crimes, including some that don’t involve ICTs.

Still time

It isn’t game over yet. The final text will soon be put to a vote by the 193 member states at the UN General Assembly and, assuming a majority approves it, states will then need to ratify the convention. At least 40 ratifications will be needed for it to enter into force, a process likely to take several years. Two years after the General Assembly vote, negotiations are expected to begin on an additional protocol covering further crimes, which won’t be concluded until 60 states have ratified the convention. Civil society fears this is when the worst proposals to criminalise protected speech, so far excluded, will resurface.

Civil society will encourage governments to reject the convention and instead take a human rights-based approach to cybercrime. Once the UN General Assembly approves the convention, civil society will encourage national debate, warn of the dangers it poses to human rights and civil liberties and oppose ratification.

With or without an international convention, civil society will continue to work to ensure cybercrime legislation at all levels meets the highest human rights standards, including respect for civic freedoms, and isn’t used as a means of repression.

OUR CALLS FOR ACTION

  • States should consult with a wide range of civil society before taking any steps to ratify the Cybercrime Convention.
  • Civil society, supportive states and tech companies should work together to oppose any plans to develop an additional protocol to the convention to expand the range of crimes it covers.
  • States must ensure all their efforts to combat cybercrime comply with the highest human rights standards.