The same day that the United Nations General Assembly convened an emergency special session to respond to Russia’s full-scale invasion of Ukraine in early March, a very different set of negotiations was underway in another U.N. conference room. More than two years after its establishment, the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes (hereinafter the Ad Hoc Committee) held its first substantive session. In what are sure to be contentious negotiations over the next two years, government officials will meet several more times, with the goal of completing a global agreement by early 2024 that aims to facilitate international cooperation and coordination on cybercrime.

Our concerns about the treaty predate the first session, and some of these concerns were confirmed by statements made by various States and civil society organizations (CSOs) during the session. While many States (nearly a third of U.N. members) initially opposed the treaty, those same States are actively participating in negotiations, with some even taking up leadership roles. In the meantime, States, CSOs and other stakeholders just submitted their written views on some of the most consequential chapters of the treaty, and those bear close examination as well.

The main purpose of the first session was to debate the objectives and scope of the proposed treaty, how it would be structured, and the key elements it would contain. As such, it provided a valuable view into where states stand on the potential treaty, what it may aim to achieve, and its political viability.

What is Cyber Crime?

There is significant disagreement on the scope of the future treaty, in particular what conduct it should aim to cover.

There is no commonly agreed definition of “cybercrime,” something that was glaringly obvious from debates at the first session. States expressed broad support to include “core cyber crimes,” such as illegally gaining access to, intercepting, or interfering with computer data and systems. However, many states wish to go further and cover “cyber-enabled” crimes, i.e. when the use of information and communication technologies (ICTs) play a significant role in crimes, by facilitating the reach of the crime or speeding it up. Such offenses include fraud, forgery, child sexual abuse, and related crimes. Arguably, technology could expand the reach or speed up the commission of any crime, so opening up the scope of the treaty to some “cyber-enabled” crimes and not others would inevitably amount to drawing an arbitrary line.

What is most worrying, though, is that some states continue to argue for the inclusion of content-related conduct, which can result in the criminalization of protected expression in violation of international human rights law. Worrying examples include provisions on incitement to terrorism, supported among others by China, Russia, India, Turkey, and Syria; disinformation, favored by, among others, China, Indonesia, and India; hate speech, put forward, among others, by Pakistan, Kuwait, China; and copyright infringement, supported by countries such as China, Eritrea, Jamaica, Ghana, Indonesia, Liechtenstein, Mexico, Norway, Russia, and the United States.

But such an approach to broaden the scope of the treaty poses real risks to fundamental human rights, including freedom of expression, especially when provisions describing it are vaguely worded or framed in overbroad terms. These concerns were highlighted in a joint letter signed by more than 130 civil society organizations and experts and published ahead of the session.

Our concerns stem from the work we have done documenting trends in legislation and practices around the world. Vaguely worded cybercrime laws purporting to combat misinformation and online support for or glorification of terrorism and violent extremism have been misused to violate freedom of expression, target dissenters, and put them in danger. In 2019 and again in 2021, the U.N. General Assembly expressed grave concerns that cybercrime legislation was being misused to target human rights defenders or hinder their work and safety. This follows years of reporting by U.N. independent human rights experts and non-governmental organizations on human rights abuses stemming from overbroad cybercrime laws. The U.N. Office of the High Commissioner for Human Rights (OHCHR) has emphasized that content offenses have been problematic for human rights and should not be included in the proposed treaty.

As such, any future cybercrime convention should expressly ensure that its provisions neither apply nor could be interpreted to apply to improperly restrict conduct protected under international human rights law.

Even a broad definition like “using ICT for criminal purpose” in the treaty would also risk including content crimes. This concept has been used in quite different ways by different States, sometimes to refer to activities with only an incidental ICT element, and the current use of the term seems to be too broad.

In our interventions (Privacy International, Human Rights Watch, Electronic Frontier Foundation), we told the committee that when regulating core cybercrimes, safeguards such as a public interest defense need to be put in place to ensure that laws don’t lead to prosecuting whistleblowers, activists, and journalists. Moreover, core crimes need to include the element of malicious intent and to define access “without authorization” narrowly, to exclude legitimate activities such as those by security researchers and journalists.

Finding consensus on the scope of the treaty will be a challenge, as the positions expressed by various states remain quite far apart. But we see a significant risk that the scope of the treaty could end up being overbroad in defining the types of offenses involving the use of ICTs that states should criminalize.

The Place for Human Rights in the Future Treaty

Many delegates, including from Africa, the Americas, Asia, Europe, and others, strongly support human rights protection among the objectives of the future treaty. For example, the European Union argued for including the same protections and promotions of human rights and fundamental freedoms as those enshrined in international human rights instruments. It also favored recognizing individual states’ obligations to protect privacy and personal data, as well as adherence to the principles of legality, necessity, and proportionality. Ghana supported adding explicit safeguards for human rights, including protecting privacy as part of the objectives and scope of the proposed convention. The United States echoed these prominent statements, saying that protecting human rights and ensuring safeguards should be at the core of the treaty. Canada called for a human rights-based approach, in compliance with international obligations, paying special attention to the impact of cybercrimes on women and girls. Australia, Chile, Costa Rica, Colombia, Ecuador, Germany, Honduras, Mexico, South Africa, and the UK also supported paying special attention to the gendered nature of cybercrime.

Overwhelming support for including human rights came from enough delegations that the Russian Federation remarked that it had the impression that States were negotiating a new human rights treaty instead of one on cybercrimes.

The support for including human rights protection is welcomed. But the discussion was short on detail. Should human rights be included as an objective of the proposed treaty, and included in its general provisions and preamble? Or should human rights be mentioned only in specific provisions, and if so, which ones? Should it be a general clause referring to existing international human rights treaties or a specific section dedicated to human rights safeguards?  These important issues still need to be addressed, particularly considering other states argued for detailed investigative measures to be included in the treaty as part of international cooperation. If such measures are introduced without detailed and robust human rights protections, they would threaten human rights, most notably rights to privacy, freedom of expression, and due process.

India, for example, said that the convention should facilitate sharing of metadata with speed and efficacy, bypassing existing mutual legal assistance treaties (MLATs) that are time-consuming and ineffective. It also contended that access to metadata does not raise privacy concerns. This erroneous assumption that access to communication data, including metadata, does not interfere with privacy has long been rebutted by the U.N. Special Rapporteur on the right to privacy and in resolutions adopted by the U.N. General Assembly and the U.N. Human Rights Council. (For a compendium of relevant references, see Privacy International’s Guide to International Law and Surveillance.)

India and Sri Lanka also made reference to the use of encrypted communications by people they allege to be “terrorists” and “criminals.” But the human rights implications of seeking to limit access to anonymous means of communications online or to give law enforcement agencies the powers to undermine encryption have been the focus of the U.N. Special Rapporteur on freedom of expression and other independent human rights experts.

Future negotiating sessions will reveal whether there is sufficient political will to ensure that the future treaty reflects in its provisions the obligation of states to ensure that any criminal investigations (including the sharing of personal information) are conducted in accordance with the principles of legality, necessity, and proportionality, as recognized in international human rights law.

The concern is that, because respect for human rights varies widely among states, and because we currently lack a set of common robust standards for accessing private data, the standards adopted will represent the lowest common denominator. This problem has been well articulated in a research paper published by the U.N. Security Council’s Counter-Terrorism Committee Executive Directorate (CTED), which noted:

“Agreeing on a common standard across States will almost certainly ultimately lead to a lower standard than one that would be achieved by identifying a high universal standard and asking States to ‘level up’. The concern is that, in order to address law enforcement’s jurisdictional problems, the substantive law will become weakened, giving law enforcement too-quick access with too-little due process. The trend towards universalization, in other words, could lead to a lowest common denominator in terms of due process.”

Civil Society Participation

We’re happy to report that civil society organizations have been welcomed to participate in talks by the U.N. Ad Hoc Committee overseeing the negotiations.

All civil society groups that applied to the committee were allowed remote participation at the first session. This was accompanied by an acknowledgment by some states of the role civil society can play to support this process, with their knowledge and expertise in technology and human rights law and standards. It is an approach that stands in stark contrast to the experience some of us had during the negotiations of the new Protocol to the Budapest Convention, a treaty governing procedures for accessing digital evidence across borders in criminal investigations, and in other U.N. processes on “cyber” issues, and bodes well for future engagement.

While civil society participants, unlike States, could not attend the first session in person and were not given access to revised draft documents being debated, we are hopeful that future sessions will continue to build upon inclusive and meaningful participation.

Conclusions

It is certainly premature to predict the outcome of the negotiations on this cybercrime treaty. What the first session confirms, however, is that there are still significant gaps between what different states would like to see the treaty achieve. So much so that the committee was not able to adopt a consensus text on the objectives and scope of the treaty, and instead opted to leave this open.

The nature of the debates in the first session also confirmed that the treaty, if adopted, will have significant impact in the way cybercrime is regulated and investigated across the world. We remain particularly concerned that the treaty may offer a justification for abusive practices and allow governments to criminalize and prosecute legitimate expression and dissent. Even if its scope is narrow, the treaty is likely to increase the capacity of cross-border police surveillance, accessing, and sharing of people’s data.  And there is a real risk that it won’t include effective and robust safeguards to respect and protect the right to privacy and other fundamental rights.

The Ad Hoc Committee will convene again in late May. In the meantime, States and CSOs have submitted their contributions on some of the most consequential chapters of the treaty, namely the preamble, general provisions, provisions on criminalization (what constitutes a cybercrime), and procedural measures and law enforcement (investigative powers and other international cooperation measures). Key things to look for in states’ submissions include if, how, and where they include human rights protections, how cybercrime is defined; and which offenses will be included; and to what extent investigative powers for law enforcement comply with international standards on privacy and data protection. In other words, the hard work of drafting a treaty on which there are longstanding, divergent views, is just getting started.

IMAGE: Ships moor outside Cape Town harbor, after the State-owned transport/logistics company Transnet was affected by a cyberattack, in Cape Town on July 27, 2021. The cyberattack shut down many of Transnet’s systems, forcing many ports to use manual systems instead. (Photo by RODGER BOSCH/AFP via Getty Images)