UN Cybercrime Convention: could the cure be worse than the disease?
Negotiations for an international treaty aimed at addressing the cross-border problem of cybercrime could have far-reaching consequences for people’s fundamental rights. The deadline for concluding negotiations is fast approaching without basic agreement having been reached on the scope of the treaty, the definition of the crimes it would cover and the safeguards needed to prevent it becoming a means for authoritarian states to repress legitimate online activity. Civil society is engaging with the process to try to stop this happening, mindful of the fact that no agreement would be a much better outcome than one giving repressive states stronger tools to stifle dissent.
If you’ve never heard of the Cybercrime Convention, you’re not alone. And if you’re wondering whether an international treaty to tackle cybercrime is a good idea, you’re in good company too. Many who are actively participating in the negotiations, states and civil society alike, initially opposed the idea but were drawn into the process when it was launched at the United Nations (UN).
Negotiations have been underway for more than three years now: the latest negotiating session was held in April, and a multi-stakeholder consultation has just concluded. A sixth session is scheduled to take place in August, with a draft text of the convention expected to be approved by February 2024, to be put to a vote at the UN General Assembly (UNGA) later next year. But there’s still much to determine and some big potential pitfalls ahead.
In December 2019, the UNGA voted to start negotiating a cybercrime treaty. The kick-off resolution was sponsored by Russia, which two years earlier had started circulating a draft proposal. Russia’s initiative was co-sponsored by several of the world’s most repressive regimes: Belarus, Cambodia, China, Iran, Myanmar, Nicaragua, Syria and Venezuela. Many of these states had already passed national cybercrime laws that they use to stifle legitimate dissent and scrutiny under the pretence of combatting a variety of vaguely defined online crimes such as insulting the authorities, spreading ‘fake news’, hate speech, extremism, sedition or inciting terror.
Tackling cybercrime certainly requires some kind of international cooperation, since it’s a form of crime that crosses borders. It’s a global phenomenon that impacts on many and that people are rightly concerned about. A treaty could facilitate international cooperation by providing a means for countries to collaborate, including by exchanging information, sharing expertise and cooperating to prevent, investigate and prosecute cybercrimes. It could provide incentives for states to align domestic laws with international standards, ensuring consistency, simplifying cross-border investigations and enhancing legal certainty.
But this doesn’t necessarily mean there’s a need for a new treaty. Civil society organisations (CSOs) still have their doubts. Freedom of expression organisation Article 19, for example, insists the treaty isn’t necessary. Experts have pointed out that the real problem may be the insufficient enforcement of international agreements that already exist, particularly the 2001 Council of Europe’s Budapest Convention. Open to states around the world, it’s only been ratified by 68 and isn’t fully operational.
When Russia’s resolution was put up for a vote, the European Union (EU), USA and many others, alongside human rights and digital rights organisations, urged the UNGA to reject it. But once the resolution passed, they engaged with the process, trying to prevent the worst possible outcome – a treaty lacking human rights safeguards that could be used as a repressive tool. To critical civil society observers, this meant states were increasingly ready to compromise, introducing and accepting amendments that could result in the erosion of key human rights guarantees.
The December 2019 resolution set up a ‘UN Ad Hoc Committee negotiating a treaty on Countering the Use of Information and Communications Technologies for Criminal Purposes’ (AHC), chaired by the UN Office on Drugs and Crime (UNODC) and open to the participation of all UN member states plus others as observers, including civil society.
The AHC’s first meeting to set the procedural rules took place in mid-2021, delayed by the pandemic. Brazil’s proposal that a two-thirds majority vote be needed for decision-making – to be used only when consensus couldn’t be achieved – was accepted, instead of the simple majority rule favoured by Russia. A list of stakeholders enabled to participate was approved, including CSOs, academic institutions and private sector representatives.
Another key procedural decision was made in the first negotiating session in February 2022: intersessional consultations were to be held between negotiating sessions to solicit input from stakeholders, including human rights CSOs. These consultations have given CSOs the chance to make presentations and participate in discussions with states.
Voices from the frontline
Ian Tennant is chair of the Alliance of NGOs on Crime Prevention and Criminal Justice, a broad network of CSOs advancing the crime prevention and criminal justice agenda, and head of the Vienna Multilateral Representation and Resilience Fund at the Global Initiative Against Transnational Organized Crime. Both organisations participate as observers in negotiations for the UN Cybercrime Treaty.
The negotiations for the treaty have been opened for CSOs to contribute to the process through an approach that does not allow states to veto individual CSOs. There is space for CSOs to bring in their contributions under each agenda item, and through intersessional meetings where they can present and lead discussions with member states. This process is in some ways a model that other UN negotiations could follow as a best practice.
CSOs, as well as the private sector, are bringing vital perspectives to the table on the potential impacts of proposals made in the treaty negotiations, on practical issues, on data protection and on human rights. Fundamentally, CSOs are providing fact-checking and evidence to back up or challenge the arguments made by member states as proposals are made and potential compromises are discussed.
It is up to the negotiators from all sides, and how far they are willing to move in order to achieve agreement, whether the treaty will have a meaningful impact on cybercrime while also staying true to international human rights standards and the general human rights ethos of the UN. This is the optimal outcome, but given the current political atmosphere and challenges, it will be hard to achieve.
There is a chance the treaty could be adopted without adequate safeguards, and that consequently only a small number of countries ratify it, thereby diminishing its usefulness, but also directing the rights risks to only those countries who sign up. There is also a chance the treaty could have very high human rights standards, but again not many countries ratify it – limiting its usefulness for cooperation but neutering its human rights risks.
This is an edited extract of our conversation with Ian. Read the full interview here.
Human rights concerns
Several human rights and digital rights CSOs – including Access Now, Article 19, the CyberPeace Institute, Derechos Digitales, the Electronic Frontier Foundation, Global Partners Digital, Human Rights Watch, Privacy International and R3D – are trying to influence the treaty process, individually and as part of broader civil society and multi-stakeholder coalitions.
As the Electronic Frontier Foundation put it, this treaty has ‘the potential to rewrite criminal laws around the world, possibly adding over 30 criminal offenses and new expansive police powers for both domestic and international criminal investigations’. Given what’s at stake, in advance of the first negotiating session, around 130 CSOs and experts urged the AHC to embed human rights safeguards into the treaty, warning that otherwise it could become ‘a powerful weapon for oppression’ and result in ‘a race to the bottom among jurisdictions with the weakest human rights protections’.
Voices from the frontline
Stéphane Duguin is chief executive officer of the CyberPeace Institute, a CSO founded in 2019 to help humanitarian CSOs and vulnerable communities limit the harm of cyberattacks and promote responsible behaviour in cyberspace.
The main challenge has been to define the scope of the new treaty, that is, the list of offences to be criminalised. States generally agree that the treaty should include cyber-dependent crimes. The inclusion of cyber-enabled crimes, however, is more controversial. There’s no internationally agreed definition of cyber-enabled crimes. Some states consider offences related to online content, such as disinformation, incitement to extremism and terrorism, as cyber-enabled crimes. These are speech-based offences, the criminalisation of which can lead to the criminalisation of online speech or expression, with negative impacts on human rights and fundamental freedoms.
Many states that are likely to be future signatories to the treaty use this kind of language to strike down dissent. However, there is general support for the inclusion of limited exceptions on cyber-enabled crimes, such as online child sexual exploitation and abuse, and computer-related fraud.
There is no way we can reach a wide definition of cyber-enabled crimes unless it’s accompanied with very strict human rights safeguards. In the absence of safeguards, the treaty should encompass a limited scope of crimes. But there’s no agreement on a definition of safeguards and how to put them in place, particularly when it comes to personal data protection.
For victims as well as perpetrators, there’s absolutely no difference between cyber-enabled and cyber-dependent crimes. If you are a victim, you are a victim of both. A lot of criminal groups – and state actors – are using the same tools, infrastructure and processes to perform both types of attacks.
Even though there’s a need to include more cyber-enabled crimes, the way it’s being done is wrong, as there are no safeguards or clear definitions. Most states that are pushing for this have abundantly demonstrated that they don’t respect or protect human rights, and some – including China, Egypt, India, Iran, Russia and Syria – have even proposed to delete all references to international human rights obligations.
This is an edited extract of our conversation with Stéphane. Read the full interview here.
As early as the first negotiating session, it became apparent that there wasn’t a clear definition of what constitutes a cybercrime and which cybercrimes should be regulated by the treaty. There’s still no clarity.
UNODC identifies two main types of cybercrimes: cyber-dependent crimes such as network intrusion, computing system interference or the distribution of malware, which can only be committed through the use of information and communications technologies (ICTs), and cyber-enabled crimes, which can be facilitated by ICTs but can also committed without them, such as drug or arms trafficking, money laundering or the illegal distribution of counterfeit goods.
Throughout the negotiation process there’s been disagreement about whether the treaty should focus on a limited set of cyber-dependent crimes, or whether it should also address a variety of cyber-enabled crimes. These, human rights groups warn, include various content-related offences that could be invoked to repress the fundamental civic freedoms of association, expression and peaceful assembly.
These concerns have been highlighted by the Office of the UN High Commissioner for Human Rights, which has maintained that the treaty shouldn’t include offences related to the content of online expression and emphasised that it should clearly and explicitly reference binding international human rights agreements, such as the International Covenant on Civil and Political Rights, to ensure it’s interpreted and applied in line with universal human rights principles.
The aims of the new treaty are to reduce the likelihood of attacks, and when these happen, to limit the harm and ensure victims have access to justice and redress. This is not about protecting states but about protecting people.
A second major disagreement concerns the scope and conditions for international cooperation. If not clearly defined, cooperation arrangements could result in bulk data sharing, violating privacy and data protection provisions, rather than the exchange of specific evidence linked to investigations. In the absence of the principle of dual criminality – under which extradition can only apply to an action that constitutes a crime in both the country making an extradition request and the one receiving it – state authorities could be made to investigate activities that aren’t crimes in their own countries on other states’ behalf. They could effectively become enforcers of the repression of others.
Civil society has pushed for recognition of a set of principles on the application of human rights to communications surveillance. According to these, dual criminality should prevail, and where laws differ and those of more than one state could apply, the one with the higher level of rights protections should be applied. It must be ensured that states don’t use mutual assistance agreements and foreign cooperation requests to circumvent domestic legal restrictions. Processes to comply with such agreements should be clearly documented, publicly available and subject to procedural fairness guarantees.
Ahead of the negotiations to tackle #cybercrime, ARTICLE 19 warned against the Convention, deeming it to be ‘unnecessary and ill-advised.’— ARTICLE 19 (@article19org) April 11, 2023
⤵️ We recently stated why the latest draft does not meet international human rights standards on #FreeSpeechhttps://t.co/s059wRE43D
Led by Russia, the group of states that promote a wide-ranging treaty without explicit human rights safeguards is far more united than those seeking the opposite. This group includes China and many African and Caribbean states as well as members of the Arab Group.
On the other side, backing a treaty that includes a limited number of cyber-dependent crimes with strong privacy, data protection and human rights safeguards, stand EU states, Japan, the USA, several Latin American states and others that have adopted the Budapest Convention. This group agrees on core principles but disagrees on several key issues including data protection clauses, some content-related crimes such as copyright infringement and the acceptable scope of cooperation. In particular, the EU and USA have been at odds on issues of privacy and data protection.
Within the second group, some states have shifted positions. For instance, as negotiations entered their fourth session, some came to accept a broader level of cooperation under the treaty as long as the scope of crimes included remained narrow enough. But some have since gone back to insisting that limited-scope cooperation is needed to mitigate risks for journalists, whistleblowers, researchers and civil society activists.
Those in the first group however appear to be growing bolder, recently going as far as questioning the inclusion of human rights language in the treaty’s preamble and proposing the elimination of basic human rights safeguards against surveillance powers.
A more recent faultline between the two groups emerged over the formal requirements for the treaty to enter into force, with the Russia-led group pushing for a quick process requiring just 30 signatures and the other group seeking a higher bar of 70.
An uncertain future
Following the third multistakeholder consultation held in November 2022, the AHC released a draft text known as a ‘consolidated negotiating document’. In the fourth negotiating session in January 2023, civil society’s major concerns focused on the long and growing number of criminal offences listed in the draft, many of them content-related – now including, on China’s initiative, that of ‘disseminating false information’.
But the most contentious issues, such as the inclusion of vaguely defined content-related crimes and the definition of procedures for the interception of content, the collection and storage of data and the administration of electronic evidence, weren’t discussed in the plenary sessions, but rather in informal groups not open to civil society.
The fifth negotiating session produced a mechanism– a ‘conference of the parties’ as used in other treaties – for the agreement’s implementation but brought no consensus on substantial issues. This means agreement was reached on how to implement a treaty that doesn’t yet exist and may never fully materialise.
It’s unclear how the AHC intends to bridge the current deep divide to produce the ‘zero draft’ that it’s expected to share in the next few weeks. If it complies with the deadline by leaving contentious issues undecided, the next session, scheduled for August, may bring a shift from consensus-building to voting – unless negotiating states decide to give themselves some extra time.
As of today, the process could still conclude on time, or with a limited extension, following a forced vote on a harmful treaty that lacks consensus and therefore fails to enter into effect, or does so for a limited number of states that ratify. Or it could be repeatedly postponed, lose momentum and fade away. Civil society engaged in the process may well think such a development wouldn’t be so bad: better no agreement than one that gives repressive states stronger tools to stifle dissent.
OUR CALLS FOR ACTION
States must limit the scope of the treaty to a clearly defined set of cyber-dependent crimes.
States must make sure that explicit procedural and human rights safeguards are in every section of the treaty.
States should show their willingness to tackle cybercrime by acceding to the Budapest Convention.
Cover illustration by CIVICUS