As a UN-convened committee of government experts from around the world gets ready to begin negotiations to draft a Cybercrime Treaty, there's a pronounced lack of consensus among UN member states about what constitutes a "cybercrime" and how expansive the treaty will be. After years of discussion, the UN General Assembly voted to begin negotiating a Cybercrime Treaty that has potential to reshape policing on a global scale, with serious implications for human rights. UN Resolution 74/247 created the Ad Hoc intergovernmental committee who will draft the proposed treaty. The committee is scheduled to hold its first negotiating session from February 28th to March 11, 2022.
There's a pronounced lack of consensus among UN member states about what constitutes a "cybercrime" and how expansive the treaty will be.
Most states agree on the inclusion of so-called “pure” cybercrimes like network intrusion or interference with the operation of a computing system. But a broader range of ‘cyber-enabled’ crimes— such as fraud or drug trafficking that do not inherently target information and communications technologies but where Information and Communication Technology (ICTs) occasionally play a significant role—are also on the table. Other states warn that the treaty must remain focused on cybercrime and avoid delving into broader issues of national security, cybersecurity, or cyberwarfare.
Our analysis of early submissions to the UN Ad Hoc committee from interested UN Member States begins to paint a picture of what this treaty might ultimately include.
Is it Just About Crime?
A number of states have expressed concerns that the treaty might ultimately include everything from cyberwarfare, to national security, to a new set of rules for internet governance. These concerns have prompted comments that the treaty should remain focused on crime and law enforcement.
A number of states, including Brazil, Dominican Republic, the European Union (EU), Liechtenstein, Norway, Switzerland, the UK, and the USA, are particularly advocating for a narrower crime-related focus, warning against the use of this treaty to impose broader controls on the internet. At the global level, technical and policy coordination of the internet currently occurs through a range of multi-stakeholder bodies such as the IETF, ICANN, and the Internet Governance Forum. Past attempts to “take over” control over these multi-stakeholder bodies have proven schismatic, and it appears these divisions are alive and well.
Many of the same states also caution against the inclusion of cybersecurity, national security, or cyberwarfare within the scope of this treaty. For example, the EU and its Member States emphasize the need to exclude “national security” or “state behavior matters,” while Brazil would exclude “international peace and security” and “cyber defense.” By contrast some states (e.g. Turkey) would include crimes “related to the security of critical infrastructure facilities,” which may signal adoption of more open-ended cybersecurity related powers. The line between cybercrime on the one hand and national security, cybersecurity, and cyberwarfare on the other has been blurring, with military and security agencies increasingly involved in addressing online crime. But these agencies wield their expansive powers with minimal oversight and control that should not form the basis for treaty obligations.
Consensus regarding what constitutes acts of war in cyberspace has also remained elusive and difficult to define, making the subject ill-suited to an international treaty. Another UN Committee (Open-Ended Working Group and Group of Governmental Experts on responsible state behavior in cyberspace states) is trying to build consensus among governments on how they should responsibly behave when it comes to international conflict in cyberspace.
A (Cyber) Crime by Any Other Name?
Even where states agree to maintain a law enforcement focus (Chile, USA, UK, Canada, the EU and its Member States, Colombia, New Zealand, Australia, Norway, Switzerland, Nigeria, Indonesia), questions arise regarding what crimes should be specifically encoded in the treaty. Many, if not most, crimes can now have a technological dimension to them, making the substantive scope of this treaty potentially vast. Indeed, one regional cybercrime treaty (the Council of Europe’s Budapest Convention) even includes copyright infringement as one of its central criminal prohibitions.
Some crimes inherently involve information technologies, and most states appear to agree that these “pure” cybercrimes should be captured within the convention. These would include, for example, crimes where data or a computer system are the target of the offense (Nigeria, the USA and, to some degree, the EU).
Most other states would go further. Australia, the EU, New Zealand, Nigeria, Switzerland and the USA, for example, highlight the need to include cyber-enabled crimes within the treaty. But defining what constitutes “cyber-enabled” can be tricky. Many crimes (corruption, drug trafficking, terrorism) are already prohibitted at the international level and a number of international instruments have already created frameworks for police cooperation (e.g. United Nations Convention against Transnational Organized Crime (UNTOC) and UN Convention against Corruption (UNCAC)). Duplicating these instruments while trying to capture the uniquely “cyber” component of each constituent crime may lead to duplication (as pointed out by Japan, Liechtenstein, New Zealand, and Switzerland) or even disruption of existing international efforts (as New Zealand warns).
Some states have therefore suggested that only crimes where the scope, speed, and scale of the offense is increased by use of information and communications technologies should be legitimately included (New Zealand, Australia, UK and the USA), at least to the extent information technologies are a factor. The USA and Australia also point out that an online crime committed anonymously may play a role in framing what derivative crimes legitimately fall within the scope of the treaty. Australia, for example, has suggested that the proposed treaty should address “these crimes judiciously, by developing a clear framework for identifying why certain crimes are so significantly altered by a ‘cyber element’ as to require a new harmonized international standard that elevates this conduct above ‘traditional’ crimes."
Some states have also called for the inclusion of content-related crimes, such as incitement of terror (China, Russia), disinformation (China, Indonesia), and copyright infringement (Indonesia, Liechtenstein, Mexico, Norway, Russia, USA). The UN Office of the High Commissioner for Human Rights (OHCHR), by contrast, has argued that any inclusion of technology-facilitated offenses (as opposed to “core”cybercrimes) should be limited.
In terms of specific crimes, those most commonly proposed for explicit mention in the treaty include: illegal access to a computer or computer system (China, EU, Indonesia, Liechtenstein, Norway, Mexico, Russia, USA), illegal interception of communications or traffic data (Indonesia, Liechtenstein, Norway, Russia, USA), data or system interference (Chile, EU, Indonesia, Liechtenstein, Norway, Panama, Russia, USA), misuse of devices (Liechtenstein, Norway, Russia, USA), cyber-fraud, (Australia, China, Indonesia, Mexico, New Zealand, Norway, Russia, USA), offenses related to infringements of copyright and related rights (Indonesia, Liechtenstein, Mexico, Norway, Russia, USA), and offenses related to child pornography (Australia, EU, Indonesia, China, Russia, New Zealand, Norway, Mexico, UK, USA).
An indicative list of other specific crimes that have been floated by some states includes: use of the internet to incite and commit acts of terrorism (China, Russia); disinformation, conspiracy, hoax (China, Indonesia); material that contains racial, nationality, religion, or political based hostility (Indonesia), offenses related to arms trafficking (Mexico, Russia), use of cryptocurrencies and dual-use assets for criminal purposes (Mexico), unauthorized access to personal data (Russia, USA), offenses related to the distribution of narcotic drugs and psychotropic substances (Russia), and illicit distribution of counterfeit medicines and medical products (Russia).
Beyond the list of specific offenses, the scope of culpability is also in question. Many states would criminalize attempts to commit covered offenses, as well as aiding and abetting and conspiracy, or even the criminalization of the laundering of the proceeds of cybercrime (Chile, China, Nigeria, Norway, Russia, USA). Last but not least, criminal responsibility for legal (as opposed to natural) persons seems to be on the table, too, meaning that corporations may be culpable of a crime (Mexico, Russia, USA).
Finally, many member states highlight that the treaty needs to be future-proof to survive the fast development of technologies and deployment of creative new ways to commit crimes in cyberspace, Australia, Japan, Liechtenstein, Nigeria, the UK and the USA advocate for clear and technology-neutral language to avoid the need to amend the treaty frequently as technology evolves.
Whither Human Rights?
Both the OHCHR and civil society have said that any new cybercrime treaty should include explicit safeguards for the public interest, as cybercrime laws have been used to stifle legitimate activity.
The OHCHR cautions against the inclusion of any content offenses, pointing to the danger that these types of crimes will be applied disproportionately at the national level. For example, laws purporting to combat misinformation and online support for or glorification of terrorism and extremism have been misused to imprison bloggers or block entire platforms in some states.
A letter by over 130 civil society groups (which we helped spearhead) echoes the OHCHR’s concerns regarding content-based offenses, and both also point out the need to include explicit safeguards to protect the public, because cybercrime laws has been used to stifled lawful conduct. Weaponization of cybercrimes to target journalists, whistle-blowers, political dissidents, security researchers, LGBTQ communities, and human rights defenders is, in the words of the OHCHR, a “well documented” practice. Precise definition of the conduct that is being criminalized will also be essential if human rights are not to fall by the wayside when this treaty is ultimately applied by various states around the world at the national level. Vaguely worded cybercrime laws such as those criminalizing unauthorized access to computer systems have been used to target digital security researchers, whistleblowers, activists, and journalists with some governments arguing that any disclosure of information in violation of a corporate or government policy could be treated as “cybercrime.” As noted by the OHCHR, the Legality Principle requires criminal law provisions to be “publicly accessible, clear, and precise in scope, so that individuals can reasonably ascertain which conduct is prohibited and adjust their behavior accordingly. Vague and imprecise definitions of offenses leave room for arbitrary interpretations and risk infringement of human rights.”
Many of the states’ initial submissions also include calls on ensuring adherence to human rights standards and paying special attention to the potential adverse impact on freedom of expression and other human rights. Due to the global nature of the treaty, it is imperative that human rights are placed front and center in the treaty negotiations.
Cybercrime is not a new phenomenon, and we have already witnessed far too many examples of anti-cybercrime laws being used to persecute, chill human rights, and bring spurious and disproportionate charges against researches, activists, and whistleblowers. The stakes are high, so human rights safeguards in the potential cybercrime treaty must be a priority.