Government delegations will gather at the end of January for the concluding session on the UN Cybercrime Treaty. The outcome of these negotiations could dictate national cyber policies for years to come.
Six sessions of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, five inter-sessional consultations, and several informal consultations have not resolved many fundamental issues. A consensus has not emerged on the scope of the treaty, nor on key definitions, nor on the most fundamental provisions in the chapters related to criminalization, law enforcement, and international cooperation. This lack of progress is evident in the revised draft text of the treaty published in November. It is also clear that the current text is overbroad and unbalanced. In fact, if adopted in its current form, the treaty would allow States to adopt measures undermining human rights protection as well as security of digital communications.
What is a cyber-crime? Still to be determined…
There remains significant disagreement on the scope of the future treaty, including what crimes it should cover. Given the lack of consensus, one would expect the treaty to narrowly focus on cyber-dependent crimes – offenses in which Information and Communications Technologies (ICTs) are the direct objects as well as instruments of the crimes. Instead, the current draft is overbroad in at least three ways.
Firstly, the list of crimes in the revised draft goes well beyond cyber-dependent crimes. A useful reference for the types of crimes that are inherently ICT crimes can be found in Articles 2-6 of the Budapest Convention: illegal access to computing systems, illegal interception of communications, data interference, system interference, and misuse of devices.
The revised draft of the treaty does not include some of the most concerning crimes proposed by certain delegations, such as “extremism-related offenses” or “terrorism-related offenses.” These would have, in the absence of internationally agreed definitions for those crimes, inevitably justified practices that repress human rights, such as the prosecution of political opponents, human rights defenders, and journalists and the unlawful restriction of the exercise of the rights to freedom of expression and peaceful assembly. However, the draft text includes cyber-enabled offenses such as computer-related theft or fraud (Article 12), laundering of proceeds of crimes (Article 16), and an open-ended provision extending to crimes under other “applicable international conventions and protocols” (Article 17). If adopted in its current form, Article 17 in particular would significantly expand the scope of the treaty.
Secondly, the proposed definition of the crimes does not include a requirement of criminal intent and harm. Standards currently in the text such as “without authorization” or “without right” are not sufficient to mitigate the risk of prosecuting individuals for behavior that did not, or could not have been expected to, cause any harm or damage. As a result, it could lead to the criminal prosecution of acts carried out with beneficial intent, such as security research, the activities of whistle-blowers, or investigative journalism. Ultimately it could act as a significant chilling factor, undermining the security of digital communications.
Thirdly, the scope of application of the investigative powers and international cooperation contained in the treaty is very broad. Indeed, there is a disconnect between the crimes included in the draft treaty (Chapter II) and the scope of application of the powers to investigate crimes and to provide cooperation across jurisdictions (Chapters IV and V). For example, under the current text, powers afforded to law enforcement agencies apply to the investigation of criminal offenses committed by means of a computer system as well as the collection of evidence in electronic form of any criminal offense (Article 23.2). Consequently, the scope of application of the treaty appears to be expanded well beyond cyber-dependent crimes. Arguably it makes the treaty one of the most far-reaching in criminal matters and international cooperation on criminal investigations.
Surveillance powers and transfer of data without effective safeguards
The draft text of the UN Cybercrime treaty gives sweeping, privacy-invasive powers to law enforcement agencies without robust human rights limitations and safeguards.
For example, the provision detailing the powers of search and seizure of information stored in a digital device (paragraph 4 of Article 28) is worded in a way that may result in States imposing obligations upon telecommunications and internet service providers to either disclose vulnerabilities of certain software or to provide relevant authorities with access to encrypted communications. This would open the door to government hacking or even undermine or weaken encryption, thereby compromising privacy and security of digital communications.
Articles 29 and 30 provide for real-time collection of traffic data and interception of content data, respectively. These are extremely intrusive measures that require a set of stringent limitations and safeguards, such as being limited only to serious crimes recognized under international law, following a prior judicial authorization that assessed their necessity and proportionality, including whether other less privacy-intrusive measures were not available to achieve the legitimate aim.
These safeguards are not reflected in the text of Article 24, which deals with conditions and safeguards. In its current form, Article 24 only applies to Chapter IV, on procedural measures. Further, it does not include some key conditions and safeguards which are well established under international human rights law, such as the principles of legality and necessity; prior independent (preferably judicial) authorization of surveillance measures that interfere with human rights; and the right to an effective remedy for abuses.
On international cooperation (Chapter V), the draft treaty is also very broad, covering not only the crimes listed in the Convention, but also the collection, obtaining, preservation and sharing of e-evidence of serious crimes (Article 35).
When it comes to sharing of personal data across jurisdictions, Article 36 subjects transfers of data to domestic law and applicable international law. It further specifies that “States Parties shall not be required to transfer personal data in accordance with this Convention if the data cannot be provided in compliance with their applicable laws concerning the protection of personal data.” This wording fails to provide effective protection, particularly across jurisdictions that do not adequately regulate the processing of personal data in their national laws, for example where there is a lack of requirements for purpose limitation and data minimization, or for appropriate measures to limit sharing of personal data and to prevent unauthorized access, as well as a lack of effective oversight and redress.
During the negotiations at the 6th session of the Ad Hoc Committee, some state delegations made proposals to include data protection principles derived from existing international human rights law, which have been recognized in the Human Rights Committee General Comment on Article 17 of the International Covenant on Civil and Political Rights and in the report of the UN High Commissioner for Human Rights on the right to privacy in the digital age, as well as in resolutions of the UN General Assembly and the Human Rights Council on the right to privacy in the digital age. These proposals were regrettably not included in the current draft of Article 36, thereby failing to provide States parties with clear, precise, unambiguous, and effective standards to protect personal data, and to avoid data being processed and transferred to other states in ways that violate the fundamental right to privacy.
Significantly change it or reject it
Civil society organizations, such as Privacy International (where I work), and UN human rights experts have long documented the abuses of human rights under the guise of combating cybercrime. They have consistently recommended that any UN cybercrime treaty be narrow in scope and contain robust safeguards to mitigate the risks of these abuses.
Some of these concerns were expressed by state delegations during the previous sessions of the Ad Hoc Committee. The multi-layered track changes contained in the draft text of the Convention published in September 2023 show proposals by state delegations that would address some of the shortcomings of the draft treaty mentioned above. Regrettably, these proposals have, by and large, not been taken up in the revised text released by the chair in November.
There are still opportunities for states to reaffirm these proposals during the informal negotiations that will take place in the coming weeks and at the concluding session. It is an uphill battle and the signs are not encouraging: the revised text released in November 2023 is a further step back on an already dangerously unbalanced treaty and does not take on board the concerns and recommendations made repeatedly by civil society organizations and human rights experts. However, failing to narrow the scope of the whole treaty to cyber-dependent crimes, to protect the work of security researchers, to strengthen the human rights safeguards, to limit surveillance powers, and to spell out the data protection principles will give governments’ abusive practices a veneer of international legitimacy. It will also make digital communications more vulnerable to those cybercrimes that the treaty is meant to address.
Ultimately, if the draft treaty cannot be fixed, it should be rejected.