While tensions run high across the globe over the invasion of Ukraine, the world’s governments are meeting at the UN this week and next to find common ground on a proposed treaty to facilitate international cooperation and coordination in computer crime investigations. The treaty, if approved, may reshape criminal laws and bolster cross-border police surveillance powers to access and share user data, implicating the privacy and human rights of billions of people worldwide. Earlier this week, EFF spoke to the treaty’s drafting committee, highlighting some of our privacy and human rights concerns.
Two weeks of initial negotiations, hosted by the Ad-Hoc Committee Secretariat from the UN Office on Drugs and Crime, kicked off on Feb. 28 with statements from over 60 Member States about what the treaty should encompass. Common themes include questions over what constitutes cybercrime, new expedited international cooperation powers, the need to build upon existing treaties, developing mechanisms for technical assistance and capacity building at the national level, especially for developing countries, and the importance of adherence to the protection of human rights and fundamental freedoms at the heart of the initiative.
Crisis in Ukraine
The Ukraine crisis looms large over the talks, with many Member States voicing solidarity with Ukraine and questioning whether Russia (who was the initial driving force behind the adoption of this treaty) could debate in good faith and defend claims of sovereignty in formulating cybercrime provisions while invading Ukraine and unleashing cyberattacks. "These cyberattacks are not conducive to a constructive engagement with Russia on this treaty," the EU representative pointed out, capturing a sentiment shared by many negotiating states. Despite high levels of distrust, Member States are proceeding with the negotiations as planned.
EFF addressed the Ad-Hoc Committee March 1, via videoconferencing, saying cybercrime poses a threat to human rights, and expressing concerns that investigative powers adopted in the treaty will seek to accommodate the worst police surveillance practices across participating states.
"Any proposed obligations to enable investigation and prosecution should adhere to human rights law…There is a real risk that, in an attempt to entice all States to sign a proposed UN cybercrime convention, bad human rights practices will be accommodated, resulting in a race to the bottom,” EFF Policy Director for Global Privacy, Katitza Rodriguez told the committee.
EFF also reminded the committee that cybercrime provisions have been used against whistleblowers, security researchers, human rights defenders, political dissidents and members of LGBTQ+ communities in ways that are inconsistent with human rights. Great care must be taken when enshrining these provisions in an international instrument.
The upcoming negotiations are sure to be contentious, with wide areas of disagreement about the very broad scope of the Treaty already apparent (as we discussed earlier). There is some agreement that the treaty should criminalize certain acts defined as “core cybercrime.” EFF understands this to include crimes that inherently target information and communications technologies (ICTs)—a list of potential crimes can be found in Articles 2-6 of the Budapest Convention and include: illegal access to computing systems, illegal interception of communications, data interference, system interference, and misuse of devices.
While even this core group of offenses has led to human rights problems in the past, some states would go further. New Zealand, Australia, UK and the US want to recognize new crimes, those where ICTs increase the scope, speed, and scale of the offense, at least to the extent information technologies are a factor. The US and Australia also point out that an online crime committed anonymously may play a role in framing what derivative crimes legitimately fall within the scope of the treaty.
Fighting Cybercrime Shouldn't Come at the Expense of Human Rights Protections
EFF addressed the Ad-Hoc Committee again on March 2, recommending that the objectives of this treaty should be dual: addressing specific challenges posed by cybercrime, on the one hand, and ensuring robust protections for human rights in cybercrime investigations, on the other. The scope of the treaty should be narrow, and content-based crimes such as hate speech, copyright infringement, and publishing misinformation must be categorically excluded. It is also essential that the scope of any convention be restricted to criminal matters, excluding national security, cybersecurity, cyberwarfare, or rules for internet governance.
In our statement, we caution against casting too wide a net when deciding what crimes to include within this instrument.
“Just because technology is used in the commission of a crime does not make that act a cybercrime, nor should the simple use of technology in the commission of an offense be an aggravating factor. Content offenses such as misinformation, incitement to terror, and copyright infringement should be categorically excluded from the negotiations.”
Covered offenses should be carefully articulated to avoid their misuse in ways that infringe fundamental human rights. Technologically-facilitated conduct is complex, and broadly scoped cyber crimes have been used to stifle legitimate and important activity.
If the treaty negotiations are able to make progress despite these disagreements (which will be a challenge), surveillance and privacy questions will be important to watch, too. The treaty might include provisions that expand law enforcement powers and increase data sharing between governments.
Broadly scoped investigative powers should not transform this instrument into a general-purpose vehicle for digital evidence gathering. Any cross-border investigative powers, in particular, should be carefully and narrowly crafted and remain closely linked to investigations of a specific, precisely worded criminal conduct.
In other global treaty processes, attempts to recognize the obligation of countries to ensure surveillance powers are necessary and proportionate (a baseline requirement for any limitation on a human right) have met resistance. But basing cross-border digital evidence gathering on robust protection is imperative. As the UN Security Council’s Counter-Terrorism Committee Executive Directorate (CTED) recently noted in an analysis:
"Agreeing on a common standard across States will almost certainly ultimately lead to a lower standard than one that would be achieved by identifying a high universal standard and asking States to “level up”. The concern is that, in order to address law enforcement’s jurisdictional problems, the substantive law will become weakened, giving law enforcement too-quick access with too-little due process. The trend towards universalization, in other words, could lead to a lowest common denominator in terms of due process."
Indeed, there is a real risk of a race to the bottom of privacy protections. Bearing in mind the global nature of the treaty, it will be crucial that human rights stay front and center during negotiations and that a race to the bottom in terms of human rights protections is avoided.
Civil Society Participation
We welcome the fact that every non-governmental organization that requested to participate in this treaty process is able to register with the Ad-Hoc Committee, including EFF, Derecho Digitales, Human Rights Watch, Access Now, Privacy International, and other civil society colleagues. This contrasts with many other negotiation processes, including those for the updated Protocol to the Budapest Convention, where civil society was excluded from listening or providing input during negotiations. For the UN treaty, multi-stakeholder participation should include attending committee sessions, making written submissions, and even speaking at the meetings. However, it remains to be seen if there will be opportunities for actual and meaningful participation of civil society organizations.
EFF supported Human Rights Watch’s oral intervention, which states, “building trust requires transparency and the involvement of civil society, including groups with digital security expertise and who work with vulnerable communities and individuals.” We and our civil society colleagues have an important role in maintaining a focus on the human rights implications of the treaty and keeping rights at the center of the discussion.
The Ad-Hoc committee meetings are live-streamed through March 11 on the UN Web TV website.