This is Part I of EFF’s ongoing series about the proposed UN Cybercrime Convention. Read Part II for a deep dive on Chapter IV dealing with domestic surveillance powers; and Part III for a deep dive on Chapter V regarding international cooperation: the historical context, the zero draft's approach, scope of cooperation, and protection of personal data. Part IV deals with the criminalization of security research.
The much-anticipated official first negotiated draft of the proposed UN Cybercrime Convention—shaped by many months of Member States-led negotiations in which EFF has been deeply involved—is now public.
The convention, if approved, will result in the rewriting of criminal laws around the world dealing with law enforcement access to personal data across borders, the use of surveillance technologies by one country to spy on people in another country, and the extent to which countries can force one another to cooperate in, for instance, real-time interception of people's communications. EFF and its international partners have been standing up for users since the convention was first proposed several years ago, calling for robust human rights protections, reviewing proposed convention language, submitting recommendations and opposing concerning provisions, and addressing Member States in person at negotiating sessions this year and last.
With the release of this “zero draft,” Member States will start article-by-article negotiations to reach a consensus on a final draft during a two-week marathon session from August 21 through September 1. EFF will be there, continuing our push for robust human rights protections in the treaty.
EFF and Privacy International have been poring over the zero draft, and have sent Member States our first set of amendments. But before we delve into the most concerning features of the text, here is a quick recap of how we got here.
A Quick Recap of the UN Cybercrime Convention
From the very start of the negotiations, EFF has opposed the draft convention as a whole, deeming it unnecessary. Despite our reservations, we’ve actively engaged in good faith at every stage of the negotiation process. We want to ensure that the proposed convention is specific and confined in its scope, and does not incorporate content-related offenses or authorize inherently arbitrary, excessive, or open-ended surveillance powers. Furthermore, any surveillance authorities—including those that are transnational—should be subject to appropriate limitations.
We fervently hope that the proposed convention won’t become an instrument for transnational repression, as has happened with other law enforcement cooperation mechanisms in the past. INTERPOL, for instance, is an intergovernmental organization of 193 countries that facilitates worldwide police cooperation. But Human Rights Watch has documented numerous allegations of how China, Bahrain, and other countries have abused INTERPOL’s Red Notice system, an international “wanted persons” list, to locate peaceful critics of government policies “for minor offenses and most importantly for political gain.” The UN treaty shouldn’t give governments a legal basis to justify the use of open-ended surveillance powers for ill-defined crimes that could be exploited for political gain, petty crimes, or crimes that are inherently inconsistent with international human rights law—especially when this can lead to horrors such as torture or forced disappearances. We will keep advocating for heightened safeguards to restrict law enforcement’s misuse of surveillance powers.
The proposed convention should represent a minimum standard rather than a maximum limit—it must serve as a baseline, not an upper threshold. And it should not be used to undermine preexisting, robust domestic human rights safeguards.
The proposed convention is slated for adoption in January 2024. We anticipate that Member States will strive to reach a consensus to encourage widespread adoption of the draft text. A vote may occur if consensus can’t be reached after exhausting all negotiating tactics, as the stakes and threats that this proposed convention addresses are significant. As of now, it is unclear if Member States will arrive at an agreement in January or if the timeline would need to be extended.
These are two posts summarizing our first takeaways after an initial review of the zero drafts; we’ll have more to say leading up to the New York meeting next month. It’s worth reiterating the principle of multilateral negotiations that “nothing is agreed until everything is agreed”— the draft text could shift in future negotiations.
What’s in the Zero Draft?
Most Proposals to Explicitly Include Non-Cybercrime Offenses Are Toned Down, Yet Ambiguous and Overly Broad Text in Article 17 Still Persists
Previous texts of non-negotiated provisions contained more than 30 offenses, such as drug trafficking, included only because computer systems were used in the commission of the crime. The new draft drops some of these offenses, and no longer explicitly references non-cybercrime offenses. Effectively, this means that under this convention, only "core" cybercrimes—not crimes where a perpetrator used email, but crimes targeting computer systems, such as using malware to break into a computer system—should be the only ones defined as “cybercrimes." However, this is a bittersweet victory. The list of crimes in the zero draft has been made shorter, a huge relief, with most non-cybercrime offenses removed, as we advocated. Only 11 of the 30 crimes are explicitly listed in the zero draft. Regrettably, these offenses are not entirely off the table–although they haven’t come back in their original form. States made a tradeoff, trimming down the laundry list of crimes, but allowing more room for cross-border spying powers to investigate and prosecute these laundry lists of crimes.
Moreover, the zero draft preamble (Paragraph 3) still references states' concerns about the impact of computer systems on the scale, speed, and scope of criminal offenses like “terrorism,” “trafficking in persons, smuggling of migrants,” “illicit manufacturing of and trafficking in firearms, their parts, components and ammunition,” and “drug trafficking and trafficking in cultural property.”
This suggests an appetite for an expanded scope of evidence collection and sharing, including across borders, beyond the crimes explicitly stated in the text, which may be attempted, for example, by invoking the open-ended Article 17 or the concept of “serious crimes,” “other crimes” or simply illegal acts. The preamble is generally not legally binding or directly enforceable, however, as per the Vienna Convention of the Law of the Treaties, it plays a crucial role in determining the context for interpreting the convention and clarifying the intent of the drafters.
Speech-Related Offenses Are No Longer Explicit in the Draft Treaty, But Article 17 Covertly Revives Non-Cybercrimes and Speech-Related Offenses as Cybercrimes
Similar to the section above, the earlier versions of the non-negotiated text leading up to the zero draft had proposed dozens of new crimes related to online content. This would have criminalized certain speech as a cybercrime just because it was posted online. It included provisions that we had criticized as overly broad, ill-defined, and subjective; as we have noted before, similar provisions in different countries have been used extensively against journalists, activists, and human rights defenders. These included offenses lacking any universally agreed upon definitions—which many states have abused to suppress free expression or association—such as copyright infringement, “extremism-related offenses,” “terrorism-related offenses," and distributing materials “motivated by political, ideological, social, racial, ethnic or religious hatred,” and “the spreading of strife, sedition, hatred or racism,” among others.
This laundry list of content-related offenses has been removed from the criminalization chapter. Unfortunately, the zero draft new Article 17 compels States to apply the convention to crimes “established in accordance with other international conventions and protocols,” which reintroduce some of these non-cyber crimes offenses back into the text and turn them into cyber crimes. Such amendments can be done on the ground that the off line version already exist in previous treaties and to use Article 17 for the purpose of expanding the scope of cross border evidence collection for the investigation of Article 17 crimes. These international treaties and protocols can range from trade agreements to drug trafficking, and those treaties who may become applicable in the future.
Special Investigative Techniques Have Been Removed Entirely, But Real-Time Collection and Interception Powers Remain
Earlier versions of the non-negotiated text oddly authorized Member States to adopt legislation that will allow the use of “special investigative techniques,” without defining what they are. Such language could have allowed any type of surveillance technology, from malware to IMSI catchers, predictive policing, and other mass surveillance tools. However, there are still other investigative provisions in the zero draft, including very intrusive powers for real-time collection of traffic data and interception of communications.
Those two surveillance powers were sidelined in “informal consultations” in previous sessions, and are now back in the zero draft, and will be discussed for the first time in the August session’s plenary meeting. We have previously asked for the removal of such powers because we have seen a lack of consensus on including robust legal safeguards among Member States. But our concerns go beyond that: there are huge disparities among Member States when it comes to the level of protection over this type of data, including concerns about the rule of law, and lack of impartiality and independence of the judiciary.
Copy, Paste, Repeat the Domestic Surveillance Problems: The 2001 Budapest Convention Language Came Back, Now with Diluted Safeguards Against Surveillance Powers
Proposals on the criminal procedural and law enforcement chapter (Chapter IV) are now based directly, almost word-for-word, on preexisting text from the 2001 Budapest Convention on Cybercrime—which has a lot of problems, but which many countries have already signed. Unfortunately, some problematic provisions from the Budapest Convention were imported wholesale, and when modifications were made, they weakened safeguards and limitations to surveillance powers.
Missed Opportunity: Cross Border Police Surveillance Powers Must Have Ironclad Safeguards to Protect Users’ Privacy and Free Speech Rights
The Budapest Convention contains a provision on conditions and safeguards that put checks and balances on the use of surveillance powers, a positive though it's not as robust as we would want. The zero draft, in one of a relatively small number of deviations from the Budapest language, actually dilutes the safeguards. While it keeps the reference to the principle of proportionality, it fails to explicitly include the principle of necessity. The draft convention, if nothing else, should not only retain the principles outlined in Article 15 of the Budapest Convention but should extend the Article to incorporate additional safeguards.
Notably, it should require a factual basis justifying access or application of surveillance powers; and the obligation to require a valid and substantiated rationale for invoking and applying these procedural powers. These powers should be rooted in objective and verifiable facts and establish clear minimum standards. Without such provisions, the convention could enable arbitrary, biased, or speculative use of surveillance. An independent prior, preferably judicial, authorization of surveillance powers should be mandated. This safeguard serves as an additional layer of protection to prevent potential abuses, bolstering accountability and upholding the rule of law. The article should also require States to publish “periodic disclosure of statistical data on the use of powers and procedures,” to further enhance transparency and accountability. This check provides a layer of accountability to make sure States aren’t overstepping or misusing their powers and allows for public scrutiny and debate.
While maintaining and extending the safeguards is a crucial initial move towards embracing a convention that respects human rights, such safeguards in itself will still be insufficient. As we noted before, there is a conspicuous absence of a robust and efficient system to enforce human rights at the international level, and the majority of Western countries have shown hesitation in controlling their own excessive surveillance powers. Take, for instance, the OECD's efforts to restore trust in cross-border data flows, following the Snowden revelations. The initiative sets out essential principles that include the principle of proportionality, necessity, and legality. However, the text ironically also states that the surveillance practices of the signatories are in line with human rights, albeit numerous counter-examples that suggest otherwise.
Finally, for the convention to genuinely become a human rights-respecting instrument, it should, at the very least, authorize the UN's human rights bodies to scrutinize the implementation of the Convention and evaluate States' compliance with the Convention's safeguards, as well as States' human rights treaty obligations.
In Part II of our analyses, we'll review troubling provisions of the zero draft text that expand the scope of the criminal procedural measures, international cooperation, treat dual criminality as optional, and leave out human rights safeguards. We will continue to provide updates as we develop our positions and prepare to discuss these concerns in person next month in New York.