Human rights organizations are raising alarms about a United Nations cybercrime treaty being negotiated this week in New York, warning that the rules could expand the surveillance power of governments and give dictatorships further tools of repression.
Delegates from across the U.N. descended on Manhattan this week for the final negotiation sessions of the treaty — an effort kicked off by Russia in 2017 to develop global rules addressing the thorny issue of transnational internet crimes.
Representatives for Human Rights Watch, Electronic Frontier Foundation, Access Now, Kenya ICT Action Network, Article 19 and Privacy International held a press conference Wednesday on the sidelines to highlight a range of issues they have with the current draft of the treaty.
Deborah Brown, senior researcher at Human Rights Watch, said one of the core issues is a lack of consensus on what the goal of the treaty is or what it is trying to address.
“When the United Nations General Assembly first decided to move forward with drafting this treaty in 2019, there was no international consensus that this treaty was necessary or even what purpose it would serve. Four years later, we still don’t have clarity on the scope of the treaty, or even a definition of what cybercrime is,” she said.
“Is this really meant to represent or address a narrow set of issues and narrow set of crimes where communication networks are integral to their commission? Or is it meant to address any crime that includes technology?”
This confusion has not stopped countries from stuffing the treaty with measures that give governments new investigative powers, as well as opportunities to collaborate not just on cybercrimes but anything “that might be defined as serious crime,” she explained.
Several speakers at the event said they are alarmed by the lack of human rights language present in the draft text and the desire of several countries to use the treaty as a vehicle for their own pet issues.
In January, during negotiations in Vienna, the Chinese delegation proposed a redefinition of cybercrime to include the “dissemination of false information” online, while diplomats from Pakistan and Iran have sought to introduce a section that would establish religious insults as a cybercrime offense.
Diplomatic sources told Recorded Future News on Wednesday that the goal is to produce a “political document” that will allow law enforcement agencies to cooperate more on issues related to cybercrime.
A U.S. State Department spokesperson told Recorded Future News this week that they are optimistic that the negotiations are “on a path towards a consensus-based treaty that will help countries fight the scourge of cybercrime.”
The spokesperson said they are building a growing consensus among member states for a “narrowly tailored criminal justice treaty” that they believe would increase international cooperation, protect human rights, and support multi-stakeholder engagement.
This latest session of negotiations — the sixth so far — will involve line-by-line negotiations on the draft of the treaty, and the spokesperson said the U.S. plans to push for “practical outcomes” like criminal statutes specific to core cybercrime offenses; assurances that the convention will have the appropriate domestic legal authorization to preserve, collect, and share electronic evidence; and the promotion of international cooperation, as well as effective capacity-building and technical assistance initiatives.
Issues like cybersecurity, internet governance, terrorism, and the criminalization of speech are not within their mandate and should be left out of the treaty entirely, they said.
The U.S., the spokesperson said, will oppose broad or ambiguous proposals while seeking to include language that builds on “established international law, including existing criminal justice treaties.”
Repression and criminalization
Victor Kapiyo, a lawyer and human rights defender with Kenya ICT Action Network, warned that while some progress has been made in negotiations, the treaty currently offers a limited number of human rights safeguards, and they are largely optional.
The current draft does not address executive abuse or overreach, the invalidation of rights, the investigatory powers given to governments, or judicial oversight.
One article in the most recent draft states that parties’ commitments under the treaty shall be “consistent with their obligations under international human rights law.”
But Kapiyo called these protections slim. Human rights deserve their own standalone chapter in the convention, he said, with “clear, elaborate, comprehensive and robust principles, conditions and safeguards in line with international human rights standards.”
The lack of checks and balances stood out most to Kapiyo when it comes to cross-border collaboration between governments. There are no rules governing the collection of personal data.
He also criticized Article 23, which would expand governments’ scope of surveillance powers. The section mandates that parties to the treaty create — legislatively or otherwise — an apparatus to carry out cybercrime investigations.
But it orders countries to investigate traditional cybercrime scams alongside any “other criminal offenses committed by means of [a computer system].” The “collection of evidence in electronic form of any criminal offense” is also called for in the article.
“The scope should be limited to specific criminal investigations and criminal offenses,” Kapiyo said.
“The convention should not be a global evidence sharing treaty or a vehicle for investigation of any offense on the planet simply because information and communications technologies (ICTs) have been involved.”
Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation (EFF), warned that the treaty went far beyond cybercrime and was “poised to transform into an expansive global surveillance pact.”
Several articles within the treaty broadly expand domestic spying powers afforded to governments that can be used to investigate “practically any crime with minimal safeguards,” she explained, adding that it provides a legal basis for one nation to aid another in carrying out surveillance.
This becomes particularly thorny with countries that have limited data protections, allowing other nations to effectively rely on loopholes to spy on anyone they wish, she said.
States could not only intercept contacts and communications but could also track metadata in real time for almost any kind of criminal investigation.
EFF has called for minimum data protection standards alongside judicial authorization before any investigations, tracking or data collection.
Raman Jit Singh Chima, Asia policy director at the digital rights organization Access Now, focused his concerns around the dangers the treaty posed to cybersecurity researchers and white-hat hackers ethically reporting on vulnerabilities.
The treaty includes measures to stop the unauthorized access of networks, interception of messages, interference with computer systems, and the misuse of devices — all activities “performed every day by security researchers and ethical hackers,” he said.
“Any discovery of vulnerabilities requires probing networks and poking around to find vulnerabilities in systems and exploits that other bad malicious actors may use… They will also undermine the work of journalists and those in civil society investigating digital systems, whether private sector or government actors.”
One provision that incensed Chima was around “prior authorization” — which would mean researchers are only given legal protection if they ask companies before they conduct research on bugs.
Hundreds of bugs are reported every day without initial authorization, he explained.
Carey Shenkman — human rights attorney for Article 19, a non-profit promoting freedom of expression — noted that the vagueness of the rules would allow governments to criminalize almost any content and “gives a loaded gun to states that already use cybercrime laws to ruin lives.”
Specifically, Article 13 of the treaty criminalizes written material that describes harm to children – a measure that he said could allow countries to ban popular stories like Game of Thrones, and others. He warned that the treaty could be misused by states to police LGBTQ content online.
The current negotiations are scheduled to run until September 1. Experts have observed a range of interesting debates on the treaty, not only among member states but also among regional blocs like the European Union and the Caribbean’s CARICOM.
Once the final text is hammered out, member states will reconvene in January 2024, when the treaty could be passed either by consensus or by a two-thirds vote in the General Assembly.
Chima said CARICOM, Russia, China and India are, to varying degrees, arguing for a broader treaty while the European Union and others want something more limited.
Some states, like Vietnam, argued that human rights language should be removed entirely from the document, while Uruguay and Australia have argued that it should in fact be strengthened.
China, and others, have tried to put language in the treaty that would make sections on human rights applicable only to countries that have ratified other separate human rights treaties like the International Covenant on Civil and Political Rights (ICCPR), EFF’s Rodriguez said. Such a provision would make the rule essentially toothless.
Asked by Recorded Future News if they would vote to approve the current draft of the treaty, each speaker said they would not, but pointed to encouraging aspects of the negotiations.
Chima said the current draft is “still far from the version that we should accept” but noted that throughout the week, countries have proposed dozens of thoughtful amendments in opposition to concerning sections.
He also warned that moving forward without an agreement would risk alienating states in the global south that would feel their concerns about cybercrime and surveillance were not addressed by Western countries.
This could be exploited by states like China and Russia to “advance further rights-harming proposals around new treaties to combat the supposed misuse of ICT mechanisms.”
Rodriguez said that while EFF has long had concerns about the necessity of a global cybercrime treaty, she has been “profoundly inspired” by recent developments involving a diverse array of nations rallying to uphold human rights within the treaty.
Uruguay, for example, proposed safeguards for gender identity that were backed by an array of Latin American countries, the U.S., Brazil, Canada, the United Kingdom, New Zealand and more.
“If the treaty is accepted in its current form, with expanded surveillance powers and lacking robust human safeguards, it should not be approved at all,” Rodriguez said.
Human Rights Watch, meanwhile, warns that the treaty could do more harm than good.
“The worst case scenario is that this treaty not only legitimizes current abusive behavior by governments that we’re already seeing, but that it expands those practices in countries that don’t yet have cybercrime laws,” Brown said.
“Vague cybercrime laws against ‘fake news’ are already being abused by governments to arrest journalists and more. This ambiguity invites governments to address their own laundry list of priorities when investigating and legislating cybercrimes.”
She added that the treaty would perpetuate worrying trends whereby governments threaten technology companies with the prospect of shutdowns, blocks or throttling if they do not provide user information or take down certain content.
“This treaty should clearly articulate the harm it is seeking to address and only cover specific core cyber crimes,” she said. “The prospect of a vaguely worded global cybercrime treaty would be disastrous for human rights.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.