In December 2019, the United Nations (UN) passed a resolution establishing the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (AHC), and negotiations began in early 2022. As cybercrime has grown, its widespread impact has resulted in the need for a collaborative international approach to facilitate better information sharing and bring nefarious cyber activity to account.
Six negotiating sessions, three in Vienna and three in New York, discussed each part of the treaty including its chapters on criminalization, procedural measures, role of law enforcement international cooperation, technical assistance, preventive measures and implementation. Following the conclusion of the sixth session, which was intended to finalize disagreements before a formal vote in January 2024, the treaty is still drowning in a sea of redlines.
Unless disagreements between western democracies and authoritarian regimes on key issues such as the scope of the treaty, definitions of cybercrime, and human rights protections are resolved quickly, it’s unlikely that a treaty will materialize in 2024.
How did we get here?
The most effective international mechanism to address cybercrime to date has been the 2001 Budapest Convention; the first multilateral treaty addressing internet and computer related crimes. The Convention criminalizes a range of illegal conduct, provides for procedural law tools enhancing the investigation of cybercrime, and promotes effective international cooperation. While the Budapest Convention has remained the primary mechanism for addressing international cybercrime, it has been criticized for its lack of safeguards on human rights and undermining individuals’ privacy. Others assert that having developed out of the Council of Europe; it is not truly an international product -- though 68 countries are today party to it.
The idea for a new treaty was proposed by Russia and was intended to replace the Budapest Convention of which Russia is not a signatory. The goal was to create a new framework that incorporates more of Russia’s influence, as the Budapest Convention has been viewed as primarily Western oriented. In 2019, Russia in addition to over 12 countries including China, Belarus, Nicaragua, and Cambodia passed a UN resolution to establish an international convention on cybercrime. While the treaty is intended to make it easier to address cybercriminality and set the standard for safeguarding human rights in international agreements on cybercrime, many fear the current status of the treaty could allow for authoritarian repression of the internet.
Key Issue Areas
Scope: One of the most prominent tensions in the current draft of the treaty is the scope of its application to criminalize activities beyond “core cybercrimes.” The draft text does not clearly articulate what constitutes a cybercrime, and while it seems as though criminalized offenses are limited to Articles 6-16, Article 17 (Offenses Relating to Other International Treaties) leaves the scope rather open. Article 17 states that any offense included in a binding treaty becomes a cybercrime, which expands the list of offenses to include anything from smuggling migrants to drug related crimes. Expanding the scope of the treaty could enable authoritarian governments to crack down on free speech, increase surveillance, bolster policing power, and request data on crimes related to cyber.
Human Rights: Another main concern regarding the draft treaty is its potential to undermine human rights. Article 13 (Offenses Related to Online Child Sexual Abuse) and Article 14 (Solicitation of a Child for Sexual Purposes through a Computer System) criminalize vaguely defined online content that could restrict the rights of children seeking information about sexual and reproductive rights. Article 15 (Non-Consensual Dissemination of Intimate Images) could be used against survivors of gender-based violence. The article would criminalize the documentation and transmission of evidence of sexual abuse, even if it was for the purposes of seeking justice. Additionally, disputes regarding Article 5 (Respect for Human Rights) could impact human rights among minority groups that are more likely to be targeted by cybercrime. In order to avoid doing so, Article 5 should articulate the human rights protections necessary to ensure the convention does not threaten rights to privacy, freedom of speech, and due process.
Security Research: There are provisions included in the draft text that lack the safeguards necessary to protect security researchers and ethical hackers. Incidents included in Articles 6-16 are written in a way that threatens to risk criminalizing legitimate activities of human rights defenders, journalists, and researchers that keep the cybersecurity ecosystem safe. Instead of requiring the acts listed in Articles 6-16 be committed “intentionally,” it should be revised to specify “malicious” or “criminal” intent, to avoid outlawing common practices.
Surveillance Power: The draft treaty also includes provisions that could wildly expand state surveillance power. Article 48 bis (Special Investigative Techniques) was proposed by the Russian Federation and would allow states to “jointly take the necessary measures to allow for the use of covert special investigative techniques, such as electronic or other forms of surveillance, online undercover operations or extended searches… and to ensure the evidence collected is admissible in judicial proceedings.” This article does not include safeguards to allow data custodians to notify targets of surveillance, and could lead to jurisdictional disputes regarding conflicts with existing data protection laws. If included in the final version of the treaty, it could undermine the overarching effort to combat cybercrime by enabling states to jointly conduct invasive surveillance.
Moving Forward
Private sector and civil society organizations have weighed in throughout the negotiations process to highlight the problematic impact that some of the included provisions could have. Many experts feel that they have been shut out from the process and are concerned about obligations to cooperate with authoritarian governments if changes are not made.
The concluding session for this Ad Hoc Committee is scheduled to take place in January 2024 in New York. If consensus cannot be reached on the draft, a two-thirds majority voting rule will apply. Many of the aforementioned issue areas in the text could grant authoritative states the power to suppress dissent, access to information, increase surveillance, and exploit human rights under the guise of fighting cybercrime.
In order for the treaty to be best positioned for the international community to pursue cybercriminals without infringing upon human rights, the following recommendations should be considered:
- Limit the scope of application to core cybercrime offenses to avoid infringing upon freedom of expression and the right to privacy.
- Retain a narrow definition of cybercrime, and avoid criminalizing the work of security researchers and ethical hackers by only prosecuting acts with “malicious” or “criminal” intent.
- Incorporate human rights safeguards to minimize conflict with international human rights law.
- Limit government surveillance access to data and increase transparency by allowing data custodians to notify users when their data is impacted.
Read Next
The U.S. and UN Cybercrime Convention: Progress, Concerns, and Uncertain Commitments
The U.S. issued an updated position seeking to move forward the UN Convention Against Cybercrime, a treaty intended to improve the global community’s ability to combat evolving cybercrime threats.
The Counter Ransomware Initiative with Hamish Hansford (DCP S2 E8)
In the latest Distilling Cyber Policy, Alex Botting and Jen Ellis are joined by our second-ever Australian guest: Hamish Hansford, the Deputy Secretary of Cyber and Infrastructure Security Group at the Australian Department of Home Affairs.
Counter Ransomware Initiative Adds Private Sector Members
Earlier this month, more than 68 countries and organization members met for the fourth annual International Counter Ransomware Initiative (CRI), which included the addition of a public-private advisory panel.