Civil Society Consultation with States regarding the UN Cybercrime Treaty hosted by AccessNow.

July 2023

Dear Delegates,

As a representative of civil society, I am here today with a humble request for your thoughtful consideration. 

Our first recommendation pertains to Article 35 of the proposed treaty. We advocate for the narrowing of its scope to ensure that international cooperation focuses solely on offenses that are universally recognized as criminal acts under this treaty (Articles 6-16). This is not only an appeal for the principle of dual criminality to be explicitly upheld as a cornerstone of international cooperation (and not as a choice), but also a request to delete the reference to Article 17 to ensure that international cooperation is based on universally recognized crimes that are consistent with international human rights law. 

Across our diverse global community, we can observe a variety of legal systems, each uniquely molded by social and cultural practices and history. This diversity, while enriching, can also lead to divergent definitions of what constitutes a criminal act. Actions considered an exercise of free expression in one jurisdiction may be deemed criminal in another. Our proposed amendment aims to prevent the unintentional misuse of the draft treaty to suppress these freedoms.

In response to the perspective that the broad scope may not affect certain nations due to their commitment to internationally recognized crimes and the principle of dual criminality, I urge you to think globally. Yes, while it is true that each state primarily operates within its own legal boundaries and can choose to enforce its dual criminality principle, it is crucial to remember that you are setting a legal basis and creating norms for the global stage. These groups of nations, through this treaty, have the opportunity and the responsibility to help set a universal standard that focuses on the fight against cybercrime in a way that is consistent with international human rights law and the UN Charter. By narrowing the scope of this Article, we are not only preserving these rights but also preventing the potential misuse of the treaty in jurisdictions where freedoms and human rights may not be as robustly protected. 

Regarding the 24/7 networks, we propose to narrow its scope to focus solely on specific criminal investigations and limit the role of the point of contact to technical advice and swift response. We also recommend implementing secure and authenticated communication methods to protect data exchanged and prevent unauthorized access or misuse. We also believe that this article needs more discussion in the session. I would like to ask what are the key functionalities you envision for such a 24/7 network? The current text includes an obligation to collect and share evidence. How can we ensure it respects privacy and human rights, and such a process does not bypass the MLAT system's conditions and safeguards and data protection principles? Should the police, rather than an independent authority, be exchanging potential evidence? Does this article open the door for parallel constructions?

Finally, in the chapter on criminal procedural measures, we are calling for the removal of Article 28(4), which makes it possible for states to order “any person who has special knowledge” of a particular computer system to provide the necessary information to search that computer system. Article 28(4) is one of the most alarming provisions under consideration, and we sincerely hope it does not make the final cut. This article raises serious concerns about individual rights, as it leaves room for interpretation that might force someone with knowledge, for example, an engineer, to involuntarily assist in breaking security measures or reveal an unpatched vulnerability to authorities. There's also an implicit threat of obliging engineers to hand over encryption keys, including signing keys, under the guise that they provide "necessary information" for surveillance purposes. Article 28(4) hints at the possibility of compelling individuals to relinquish encryption keys, which would endanger both personal and wider digital security. Such a provision could potentially enable states to compel engineers to bypass established corporate policies and pressure individual employees to reveal confidential data.

Let us remember that your primary goal is not just to combat cybercrime, but to safeguard human rights, the very principles that define us as a global community. You have the obligation to shape this treaty as a beacon of fairness, where both these objectives coexist without compromising the other.

Thank you for your time, attention, and commitment to this pressing matter.