The first day of September this year marked the end of the sixth round of negotiations of the UN Ad Hoc Committee (AHC) on Cybercrime. The two weeks of debates and informal consultations concluded with applause. Despite all the efforts of the AHC chair and many delegations to bridge the different positions, however, it is hard to remain optimistic about these negotiations and their possible outcome.
What is this all about?
The UN cybercrime process was launched by a controversial UN General Assembly Resolution 74/247 in December 2019, adopted narrowly 79-60 with 33 abstentions. The resolution was opposed by the EU member states, the USA, and many other governments. Civil society organisations warned about the dangers of a proposed treaty and questioned the need for it. However, despite all the controversies, many states and other stakeholders got involved in the negotiations in good faith, believing that if done right, the convention might strengthen international capacity to tackle cybercrime and even promote and uphold a human rights-centric approach.
Indeed, the negotiations offered a unique opportunity to build capacity and trust, support cooperation in criminal investigations, and improve cybercrime frameworks around the globe by mainstreaming gender into the proposed UN treaty. The inclusion of non-governmental stakeholders into the process – even if they were not allowed to take part in informal negotiations on specific contentious proposals – also raised hopes that participation of civil society, industry, academia, and think tanks would help to shape the new framework by offering a wealth of expertise.
However, the warning signs about seemingly impossible-to-bridge differences between the states’ positions emerged from the early days of substantive negotiations, which started in February 2022 – only a few days after the Russian invasion of Ukraine. The process unfolded under the notion that nothing is agreed until everything is agreed, letting countries put forward and discuss their positions. All contentious decisions were deferred until the last substantive meeting. Meanwhile, the disagreements piled up. Five rounds of substantive negotiation marathons culminated in two (1, 2) redlined consolidated negotiating documents. These two papers contained a laundry list of provisions that various national delegations wanted – or didn’t want – to be included in the future cybercrime treaty.
One could sincerely applaud the UN AHC chair and the Secretariat for trying to bridge these positions in the so-called “zero draft”, published on 29 May 2023. The document eliminated suggestions without broad support and focused on identifying the provisions that could move negotiations forward. While still receiving criticism from civil society organisations and private industry, the draft could have provided a basis for further improvements enabling consensus.
Those hopes were dashed at the sixth and the last substantive round of negotiations in New York, which finished September 1. With only one concluding meeting left to wrap up the development and agree on the final text of the treaty in January-February 2024, anybody who was cautiously optimistic about consensus should reassess the prospects. During two weeks of negotiations, the 37-page zero draft exploded into 77 pages of redlined text, where many of the controversial provisions were re-added upon request of certain national delegations. These suggestions would probably be taken out in the following draft document yet again. Still, the time is running out: only a few months are left for intersessional negotiations, and a concluding session is on the horizon. There is a looming danger that the agreement on the final text, if reached, would be rushed through and would leave various loopholes for legitimising the use of criminal law and criminal procedure as an instrument for oppression.
Make no mistake: the proposed treaty is not only about “cyber” crime. Nowadays, practically any criminal act leaves digital traces. Law enforcement agencies worldwide struggle with accessing digital evidence, especially when it is located outside their jurisdiction. The future convention, if ever adopted, will be a global criminal justice treaty that could shape approaches to the collection and exchange of electronic evidence across borders. This could potentially concern any investigation that relies on digital data as evidence, whether in online or offline crime. The ways to collect digital evidence, such as access to metadata, real-time interception of content, or access to stored content via providers, are seamless and very intrusive. If done right, the UN cybercrime treaty could demand robust safeguards against unwarranted and disproportionate surveillance in criminal investigations. If it fails to set the bar high, it will give the state powers that could easily be abused. While some governments already misuse their national surveillance frameworks, giving a “license” for such behaviour through the UN treaty would be a huge blow to human rights worldwide.
But don’t we all want to put all those (cyber)criminals behind bars?
Indeed, the idea of bringing cybercrime offenders to justice is at the very core of the UN negotiations. The question, however, is what kind of “cyber” acts should entail criminal liability? One could think about hacking into computer systems, distributed denial of service attacks, ransomware, and other well-known threats. However, what about arresting female influencers and accusing them of violating family values under cybercrime laws? Or making “fake news” a cybercrime to muzzle anybody who speaks against the government? Around the world, governments use criminal law – including cybercrime laws – to silence dissenting voices, oppress freedom of speech, and prosecute security researchers and whistleblowers. The vague definitions of prohibited conduct in these laws allow for arbitrary interpretation. Add surveillance frameworks and the possibility for cross-border exchange of evidence to the mix, remove strong safeguards, and you get a perfect recipe to turn the global cybercrime treaty into a powerful tool that could legitimise and strengthen oppressive practices.
Various possibilities for abuse of criminal law and criminal procedure place human rights at the centre of the UN AHC negotiations. While some delegations, such as Syria and Iran, claim that the proposed instrument is a criminal justice treaty, not a human rights convention, human rights pertain to every aspect of criminal justice. There is also a misunderstanding that potential abuse can be prevented simply by having a general provision in the convention that obliges the countries to respect their human rights obligations. Having international human rights obligations has not stopped many states from engaging in human rights abuses, and a general commitment to human rights would not make the current situation any better. The only way to mitigate the risk is to ensure that every article of the treaty is drafted in a way that minimises the possibility of abuse and arbitrary interpretations. This task is complex, and the fight for human rights has been an uphill battle since the start of the AHC negotiations.
There are three main areas where the proposed convention impacts human rights the most: the scope of criminalisation (designating a particular act as a crime), the scope of investigative powers, and mutual legal assistance in crime investigations. Unsurprisingly, these three issues have also been the areas of significant divergencies among the UN member states.
The scope of criminalisation
Since the beginning of the negotiations, the debates about the scope of criminalisation – meaning, which acts the states could agree to consider criminal – have been an epitome of “the good, the bad, and the ugly.” One of the broadest approaches to scope was suggested by Russia, which proposed its vision of the treaty at the very early stages, even before the start of the first substantive round. Some of the controversial provisions of the Russian draft were criticised for overreach in criminalisation, especially the vaguely drafted criminalisation of acts related to terrorism, extremism, encouragement of or coercion to suicide, and others. On the other end of the spectrum, the European Union and its member states initially proposed a very narrow-scoped document, which was drafted closely to the most recognised existing set of standards – Council of Europe Cybercrime Convention (the Budapest Convention) 2001 – and contained only crimes against integrity, confidentiality, and availability of computer data and systems.
Between these two extremes, the UN member states put forward various proposals for criminalisation that included multiple offences such as child abuse material, non-consensual dissemination of intimate images, computer fraud and forgery, and others. The Chinese delegation even suggested including a crime of “dissemination of false information” – in other words, criminalising so-called “fake news”. Ultimately, the consolidated negotiating document became a laundry list of criminal acts that the UN member states wished to incorporate into the treaty. As if that wasn’t enough, the consolidated document included a provision called “Other illegal acts” that suggested that the treaty “shall not preclude” states from criminalising many other acts. One could ask, doesn’t a state already have a sovereign right to designate any behaviour that causes substantial harm as illegal – bearing in mind that it would still have to adhere to its international human rights obligations? Yes, a state can designate a harmful act as an offence in its domestic law. However, emphasising this power in the UN cybercrime treaty without limiting it by human rights obligations is one of those perfect ways to give license to legitimise overreach in criminalisation.
Although there are many legal nuances, the difference between a narrow and broad scope is simple. When the scope is broad, the risk of arbitrary interpretations and misuse of the future treaty becomes higher, especially concerning vaguely worded crimes such as terrorism and extremism. This is why many stakeholders called for a narrowly scoped convention that focuses on the crimes that cannot be committed without a “cyber” element, such as crimes against confidentiality, integrity, availability of data and systems such as illegal access, interception of data, and interference with data and system and computer fraud and forgery. This approach has been taken by the Budapest Convention and has been largely successful so far.
Even the proposals aimed at the narrow scope of the convention still sparked controversies in relation to the protection of security researchers and others acting in the public interest (e.g., whistleblowers and investigative journalists). Civil society organisations repeatedly warned that if these provisions do not require elevated intent, the work of security researchers is at risk.
In the “zero draft” issued before the sixth round of negotiations, the AHC chair took a narrow approach, excluding the crimes that didn’t enjoy broad support and reducing more than 30 provisions related to criminalisation to 11. The sixth round of negotiations, nevertheless, put many of these excluded provisions put back into its outcome document via suggestions and redlines. This includes terrorism- and extremism-related offences and even “other illegal acts,” as some of the delegations have been trying to broaden the scope of the treaty again. There is little doubt that this push will continue until the end of negotiations.
Procedural powers and mutual legal assistance
The procedural measures and the mutual legal assistance are another area of concern. From the very start, the negotiations focused on drafting provisions that would give law enforcement a wide range of surveillance tools to use in digital investigations – without enough safeguards requiring necessity, proportionality, independent approval, and oversight. In addition to enabling already known intrusive powers, such as real-time collection of traffic and content data (interception of communication), one of the proposed articles on “special investigative techniques” allowed the use of covert tools without defining what these tools are. This suggestion gave cart-blanche to countries to employ measures such as “electronic or other forms of surveillance, online undercover operations or extended searches” or other tools that might be developed in the future. While the “special investigative techniques” were excluded from the zero draft, the issue of extensive powers combined with the lack of safeguards remained a serious concern before the start of the sixth round of negotiations.
The mutual legal assistance provisions, which enable governments to share data obtained with the use of investigative power, also lack safeguards. The zero draft suggested a broad approach to international cooperation that would enable the exchange of evidence not only in investigating offences covered in the treaty but also “serious crimes.” Theoretically, this approach makes sense: digital evidence is required for many serious crimes and narrowing the scope of such assistance only to cybercrime could significantly limit and diminish the value of this instrument. However, without robust safeguards, the broad scope of cooperation could turn the treaty into a powerful tool for cross-border sharing of covertly collected data with little or no proper oversight.
The convention defines “serious crime” as an offence punishable by a maximum deprivation of liberty of at least four years. Is this enough of a safeguard? Imagine a scenario where some authoritarian regimes criminalise “extremism” or “fake news” in their national law and make it a serious crime by establishing a punishment of 5 or more years in prison. What would prevent these governments from using the cybercrime treaty to legitimise cross-border exchange of evidence, at least among themselves? Furthermore, the zero draft also does not establish strict dual criminality requirements for international cooperation, meaning that for the purpose of exchanging evidence, the act doesn’t have to be a crime in both countries. This is yet another blow to safeguards, potentially enabling the use of mutual legal assistance for human rights abuses.
The sixth round of negotiations displayed a lot of resistance to safeguards in both criminal investigations and mutual legal assistance. Even the inclusion of such fundamental principle as proportionality of criminal procedure measures has been disputed, notably by India and Egypt. Unsurprisingly, the “special investigative techniques” proposal is also back in the redlined document, upon suggestion of the Russian Federation, Eritrea, Viet Nam, and Belarus, even though it is highly unlikely that this provision would enjoy broad support down the road.
What happens next?
With only one last concluding meeting left, if these negotiations actually finish with a convention it will be rushed through. The chair has to put together a revised draft, which likely will exclude some of the most controversial suggestions again. However, the chair has promised to open all the issues at the last session – which might lead to yet another round of attempts to push through some of the most contentious provisions at the eleventh hour.
The Council of Europe’s Budapest Convention already established an international instrument with broad support and proven effectiveness. Ideally, the UN treaty could have been drafted close to the Budapest Convention – with elevated safeguards and strengthened commitment to human rights, with attention to gender mainstreaming and additional focus on capacity building for developing countries. Some delegations claim that the demands for stricter safeguards than those in the Budapest Convention are a double standard. The UN treaty, however, is global in scope and its consequences will be felt for years to come, so it requires more robust safeguards and human rights protections
It is hard to predict all the possible twists and turns in the current state. Undoubtedly, many countries negotiating in good faith will still strive for consensus. However, with so little time left, there is also very little doubt – especially after what happened at the sixth round of negotiations – that some delegations will try to push for their preferred approaches until the very end. If there is no consensus, there will be a vote, and the treaty could still be adopted by a 2/3 majority of the UN member states. The question remains how many concessions could be made in the next few months and whether these concessions would water down human rights and safeguards. The hope for a treaty that champions human rights is fading. However, the hope is still high that most countries will not vote for an instrument that could pave the road for human rights abuses. The “no outcome” scenario might be the best outcome.