Russia-pushed UN Cybercrime Treaty may rewrite global law. It's ... not great
Let's go through all the proposed problematic powers, starting with surveillance and censorship
Special report United Nations negotiators convened this week in Vienna, Austria, to formulate a draft cybercrime treaty, and civil society groups are worried.
"We are here for the fifth session on the negotiations of this new treaty on cybercrime, which will have the potential to drastically redraft criminal law all around the world," said Thomas Lohninger, executive director of Austria-based tech policy group Epicenter.works, in a media briefing on Thursday about the treaty negotiations.
"It represents a tectonic shift because of its global nature when it comes to the cross border access to our personal information."
The UN Cybercrime Treaty, to the extent it gets adopted, is expected to define global norms for lawful surveillance and legal processes available to investigate and prosecute cybercriminals. And what has emerged so far contemplates [PDF] more than 30 new cybercrime offenses, with few concessions to free speech or human rights.
This fifth negotiating session involves representatives from more than 100 member states trying to come up with draft chapters covering international cooperation, technical assistance, cybercrime prevention, implementation details and other provisions.
This Ad Hoc intergovernmental committee met for the first time on February 28 last year, and a sixth session is planned for August, in New York, followed by a seventh session in January, 2024, when the finalized draft of the convention is scheduled to be delivered for consideration by the UN General Assembly.
Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation, explained that current cross-border cybercrime cooperation comes from the Budapest Convention, negotiated in 2001, by member states at the Council of Europe.
Russia, however, Rodriguez said, has objected to the convention for infringing state sovereignty by allowing other nations to investigate cybercrimes in its jurisdiction. So in 2017, Russia proposed negotiating a new treaty, and in 2019 the UN adopted a resolution to do so, backed by Russia, Cambodia, Belarus, China, Iran, Myanmar, Nicaragua, Syria and Venezuela.
The US and members of the European Union opposed the proposal citing concerns about lack of human rights protections. Nonetheless, Rodriguez said, Russia pushed its proposal forward and the UN opened negotiations just days after Russia invaded Ukraine.
Despite criticism by UN members, she said, "by April 2022, many democratic countries that had strongly opposed the draft treaty were actively engaging in the negotiations and pursuing compromise through amendments."
What concerns Rodriguez and other representatives of advocacy groups at the briefing is that the treaty negotiators will compromise on surveillance, privacy, and human rights.
Part of the problem lies in the vague language of the proposed chapters. Rodriguez cited the chapters on international cooperation, which could open the door to bulk data sharing rather than investigations related to specific evidence. Another problem, she said, is the dual criminality provision which could bring state authorities into investigating activities that they do not consider crimes in their own country.
"Unfortunately, instead of progressing towards a human rights-based approach in the negotiation of the treaty, as of now, the current draft is moving away from them," said Rodriguez. "Countries such as India, Russia, China, Iran, Syria, Egypt, and Tonga have even proposed to delete references to international human rights obligations."
Another problematic section, she said, endorses "special investigative techniques." It would make any form of surveillance acceptable, whether it exists currently, like facial recognition, or has yet to be developed.
"This provision also has a very problematic clause, which allows the removal or replacement of data being transmitted over networks," said Rodriguez.
Barbora Bukovská, senior director for law and policy with ARTICLE 19, a UK-based human rights organization, said many of the proposed new crimes are speech-based offenses.
"Those are offenses when you're punished for speaking or doing something online, because this peripherally involves using computer or digital technology," said Bukovská. "And there are extremely vague and overbroad provisions which the states would have to then replicate in their national legislation."
One consequence of this, she said, would be to restrict freedom of expression.
"It should be a concern to journalists, human rights defenders, and activists in general because you might be prosecuted under these provisions if adopted in national legislation," she said.
Raman Jit Singh Chima, senior international counsel and global cybersecurity lead for Access Now, a US-based digital rights group, said that the goal of a cybercrime treaty should be to make people more secure, but the current draft proposal does the opposite by failing to make affordances for good-faith security research.
"We had hoped that the cybercrime treaty process would seek clear language that protects these researchers by making it obligatory on states to put very heightened requirements for intent to say that it's not just intrusion into a network, but that it is specific intrusion with malicious intent or with intent to do harm that should be there," he said.
"And instead, we've seen states push back. We've seen some states say that, no, we want to have as broad a criminal provision as we can."
Vague rules that could result in the prosecution of security researchers are not simply an academic matter, said Chima. To illustrate the real risk of a poorly crafted treaty, he pointed to the example of Swedish computer security expert Ola Bini, who was arrested in Ecuador in 2019. Bini faced a long, difficult criminal trial prior to acquittal, just because he connected to a government system to look for potential vulnerabilities.
Tanja Fachathaler, policy advisor at Epicenter.works, said her group has been advocating for the inclusion of a requirement that investigative powers granted under the treaty should not compromise the security of digital communications or systems.
"It must be ensured that government hacking must not be justified in any way," said Fachathaler. "Government hacking is unlike any other form of existing surveillance techniques. It is far more intrusive. It permits remote and secret access to personal devices and data stored on them. It can conduct various forms of real time surveillance. It can manipulate data on devices without leaving any trace."
Fachathaler said the current proposals also lack any remedy for privacy violations and any power to audit investigations to ensure compliance with applicable law.
"We're not against more modern law enforcement techniques because we understand modern law enforcement in response to new developments in this field of cybercrime is of course important and necessary," she said. "But the present draft goes far beyond that simple goal."
Last August, retired Ambassador Deborah McCarthy, US lead negotiator for the UN Cybercrime Treaty, made clear that the US wants the treaty to acknowledge human rights obligations. The current negotiating document [PDF] at least mentions human rights a few times.
A US State Department spokesperson told The Register in an email, "The United States believes the Ad Hoc Committee (AHC) is on a path towards a consensus-based treaty that will help countries fight the scourge of cybercrime. We are working with a broad variety of Member States and aim to have a narrow criminal justice treaty that increases international cooperation, protects human rights and supports multi-stakeholder engagement."
"The current session of the AHC is focused on critical chapters covering international cooperation, technical assistance, preventive measures, and treaty implementation. Issues such as cybersecurity, Internet governance, and the criminalization of speech or terrorism, are beyond the scope and mandate of the AHC. The United States will continue to engage broadly with Member States and multi-stakeholders to set a global standard to cooperate effectively to combat cybercrime." ®