This is Part IV in EFF’s ongoing series about the proposed UN Cybercrime Convention. Read Part I for a quick snapshot of the ins and outs of the zero draft; Part II for a deep dive on Chapter IV dealing with domestic surveillance powers; and Part III for a deep dive on Chapter V regarding international cooperation: the historical context, the zero draft's approach, scope of cooperation, and protection of personal data.
The proposed UN Cybercrime Convention could shatter security, and harm political and social activists, journalists, security researchers, whistleblowers, and millions more around the world for decades to come, we told a packed house at DEFCON in Las Vegas on Thursday - but it’s not too late to stop this bad treaty from being adopted.
Delegations from Member States as well as observers from civil society will convene August 21 at UN Headquarters in New York City for a two-week negotiation session on the convention’s “zero draft.” The zero draft is the first full text, the result of State-led negotiations that began in February 2022. EFF will be there again this month to lobby Member States and provide expert opinion to ensure the protection of your rights. If the Member States can’t reach total consensus on the text, it could go to a vote by the Member State governments in which a two-thirds majority would be required for adoption. A concluding session is scheduled for early next year in New York City.
At DEFCON, we highlighted the foremost dangers posed by the zero draft, and the direction in which negotiations seem to be headed. The proposed treaty features five chapters: criminalization, or the categorization of acts deemed a crime under this treaty; domestic and cross-border spying powers, for example, the powers and limits to conduct surveillance both within their borders and across international boundaries; and two additional chapters on technical cooperation and proactive measures.
Our DEFCON talk focused on the computer crimes that could potentially affect security researchers––those programmers and developers engaged in cutting-edge exploration of technology. Security and encryption researchers help build a safer future for all of us using digital technologies, but too many legitimate researchers face serious legal challenges that inhibit their work or prevent it entirely. EFF has long been fighting for coders’ rights––in courtrooms, congress and global policy venues. It’s a cause close to our heart.
The section on criminalization, for example, is extremely worrisome. It references a list of specific crimes, borrowing language from the flawed Budapest Convention. If the final text gets consensus approval, it could obligate 194 member states to incorporate these crimes into their domestic legislation. This will pave the way for nations to harmonize these core cybercrimes across the world and to easily assist others in surveillance on targets related to these crimes. While these core cyber crimes have been debated for years in the U.S., leading to significant advancements, these progressions can’t be automatically applied universally. Organizations like EFF have spent years advocating for these legal reforms, yet the capacity to influence a country's legal system varies widely among nations: In some places it’s impossible, in others litigation can be riskier or costlier. This is why our aim is to incorporate these safeguards into the draft treaty so every country abiding by it must include them in their domestic legislation.
EFF and other organizations have urged Member States that this treaty’s scope be limited only to “core cybercrimes,” such as specific, technical attacks against computers, devices, and communications systems. But the zero draft is a veritable Swiss cheese of loopholes that would make a cybercrime of any crime that is committed with technology and is covered by any other treaty that the country has ever acceded to— think drug trafficking, for example. This could potentially extend to even more obscure treaties or any treaty adopted in the future. Essentially, Article 17 could compel states to recast traditional crimes as cybercrimes. Applying physical world legal frameworks to digital conduct is bad legislative practice that could create more harm than good. States may miss the nuance that’s needed to distinguish between digital and real-world crimes. Together with Article19 and others, we are fighting to remove Article 17 from the proposed treaty.
The zero draft’s Article 22, regarding jurisdiction, is also concerning. It would let a nation claim authority over any of these core cybercrimes if they occur within its territory, or aboard its vessels or aircraft, but also if the offense involves its nationals either as perpetrators or victims or is committed against the state itself. It’s a jurisdictional nightmare that once claimed against a security researcher could easily be twisted to repressive political ends by undemocratic governments or can force the applications of domestic laws to corporations that could be disproportionate and arbitrary in nature. We don't think the proposed treaty is the place to deal with jurisdiction.
Another concerning provision is Article 6. It mandates each nation to legislate and implement measures ensuring that unauthorized access (or access without right) to either a computer system or information and communication technologies —whichever term gets adopted—is a criminal act when done with intent. While the text grants nations the flexibility to decide when to criminalize unauthorized access, such as in cases of breached security measures or dishonest intentions, these specific conditions are left largely to the individual states' judgment and definitions. The text fails to require that any cybercrime acts under Article 6 and 10 should cause serious harm or damage to qualify for action under the treaty. There's also no stipulation that the breached security measure must be effective. We strongly argue that only breaches of effective security measures should be a mandatory criteria for criminalization. This request is consistent with EFF’s domestic advocacy on the Computer Fraud and Abuse Act —avoiding arguments that bypassing an IP block is unauthorized access, for example—and with the several complaints EFF and our allies have made in our oral and written interventions during the negotiations in Vienna. The text also lacks any kind of public interest exception to protect whistleblowers, journalists or security researchers.
Also, the vague concept of doing things “without right” could threaten to elevate private business disputes—based on rules and terms written by providers, not legislatures—to criminal activity. Again, this concern is consistent with EFF’s domestic advocacy. In the Supreme Court's Van Buren case for example, the Justice Department argued that a police officer who used a law enforcement database for an unauthorized purpose engaged in authorized access because his use was not allowed in the applicable use policy. This is arguably "without right," as would be any cases where the owner of the computer argues the user "should have known” their use was unauthorized, such as when the owner fails to protect an area of a website that is obviously supposed to be private and instead makes it publicly accessible. Consistent with our arguments, the Court rejected such an assumption, and adopted a “gates up or down" approach: Either you are entitled to access the information, or you are not. This initial assumption could criminalize journalism that involves using obscure but publicly available information online. The treaty must include safeguards against this.
The draft also makes a mess of dealing with tools and data used in security research or for other non-criminal, everyday purposes. For example, Article 10 of the zero draft discusses “misuse of security tools” that could conceivably apply when your mom shares her Netflix password with you: It’s a breach of the terms of service, which is access without right. So again, the treaty could be turning private disputes into criminal liability.
But what could be worse about the zero draft is its threat to security.
The treaty’s vaguely-written Article 28, containing an expanded version of a Budapest Convention provision on compelled assistance, could be interpreted to order people who have knowledge or skills in breaking security systems to help law enforcement break those systems. This must be removed, lest the power even be interpreted to include compelled disclosure of vulnerabilities and private keys. Security is hard enough; government mandates to help break security won’t make things better.
To be honest, many people around the world don’t spend a lot of time worrying about what the United Nations is up to. In this case, however, they definitely should: Treaties are binding upon signatory countries, who are obliged to comply. They become part of international law, and in the United States, treaties have the same force as federal law. Bad treaties are an end run around thoughtful, democratic domestic political processes.
We were gratified to see that thousands of DEFCON attendees get the message that the futures of hacking, cybersecurity, and human rights are at risk. With negotiations re-convening in just a few short days, it’s crucial that everyone lift their voices to ensure this proposed treaty doesn’t set human rights and tech law back by decades.