The Cybersecurity Tech Accord is gravely concerned by the direction of UN cybercrime treaty negotiations, including the contents of the latest draft of the convention, which was published by the United Nations on 28th November ahead of the final negotiating round.
The draft fails to address the many significant shortcomings we identified in previous drafts and makes them worse. If adopted, such a treaty would significantly weaken cybersecurity, erode data privacy, and undermine online rights and freedoms across the world.
“Without significant changes, this Convention will facilitate, rather than reduce, crime online,” said Nick Ashton-Hart, the Tech Accord’s head of delegation to the negotiations. “Among its many flaws are that it allows legitimate cybersecurity research and penetration testing to be criminalized. These activities are fundamental to securing online systems from criminal abuse. Creating legal hazard for these professionals will make systems globally more vulnerable to cybercrime, exactly the opposite of the Convention’s stated purpose,” Ashton-Hart added.
During the last negotiating session in August 2023, the Tech Accord provided detailed comments and text suggestions to help negotiators better facilitate – rather than hinder – global efforts to counter the growing scourge of cybercrime. Notably, industry comments were closely aligned with those of the Office of the UN High Commissioner for Human Rights and a host of major civil society organizations.
Unfortunately, the latest draft ignores the concerns previously expressed by civil society and the private sector and includes troubling new elements that make the existing problems – about which the negotiators have been warned repeatedly – much worse. These include:
● Any crime which involves the use of ICTs is covered by the convention: Removal of provisions limiting the treaty’s powers to a few precisely defined cyber-dependent crimes means that the already intrusive digital surveillance and data access powers provided by this treaty will be applied to any activity considered criminal that leverages technology in its commission.
● Extraterritorial surveillance without safeguards and in total secrecy: The added phrase “service provider established or located” in each territory will allow any two states to jointly compel a service provider with a representative office in either country to secretly surveil individuals located in third states. Under the draft’s provisions, neither the third state nor the targeted individual would have any knowledge that surveillance had been ordered, or any right to appeal against it.
● Weakened protections for cybercrime victims and witnesses: The already weak provisions on witness and victim protection have now been made optional. Victims and witnesses will have to rely solely on domestic legislation in each country, which may not adequately protect them.
● ‘Online fraud’ to include a wide range of legitimate online activities: A new addition to the fraud article, which criminalizes any “deception” that causes a person to act differently than that person would otherwise act, is dangerously broad. It will almost certainly subject many legitimate online activities to criminal prosecution, given the draft leaves each state free to determine what “deception” means.
● Teenagers at risk of criminal prosecution for sexting: The provisions covering child sexual abuse now criminalize written materials as well as self-generated content. Such broad provisions risk criminal prosecutions of children for a host of hitherto legal online activities, such as consensual “sexting” or sharing of graphic materials, regardless of whether such activity among minors caused harm or whether the minors realized they were acting unlawfully.
Those new problems in the current draft only add to the long list of concerns the industry had with the previous draft, including its lack of safeguards when accessing personal data. “It should not be acceptable to any UN member state in the year 2024 to create a UN convention that allows every government in the world to transfer the personal information of citizens between themselves in secret in perpetuity, and to force the service providers who are responsible for that data to hand it over without any ability to object or refuse on any grounds,” Ashton-Hart added. “It is particularly disappointing that virtually all democratic states have not objected to this glaring lack of transparency and due process given it isn’t congruent with their own legal systems – or with democratic values,” Ashton-Hart concluded.
“In today’s digital world, respecting privacy and human rights is paramount. While international alignment on the investigation and prosecution of cybercrime is needed, this alignment should not be at the expense of the rights to freedom of expression and privacy,” said Dev Stahlkopf, Chief Legal Officer at Cisco. “Cisco fully supports the Tech Accord’s request to address the concerns previously shared by both civil society and the private sector.”
These concerns are widely shared across the multistakeholder community involved in the negotiations, which spans cybersecurity professionals, human rights defenders, service providers and the private sector, data protection advocates, and cybercrime experts. Just one example is the statement of the Electronic Frontier Foundation of 1st December 2023.
Call to Governments
What started as an effort to elaborate a targeted instrument to counter the growing threat of cybercrime is currently at risk of producing a broad UN surveillance treaty that would undermine both privacy and security in the digital environment. However, there is still time for governments to change course by elaborating a targeted cybercrime instrument with the following principles at its core:
- Criminalization of cyber-dependent offences only, such as unauthorized access to any part of a computer system with criminal intent.
- Narrow definition of cybercrime to prevent adverse impact on human rights, such as preventive content take-downs and limitations on freedom of expression.
- Robust human rights safeguards, such as independent oversight and effective redress mechanisms to ensure individuals are protected from potential abuse of executive authority.
- Exemption from the convention’s scope for cybersecurity researchers, white-hat hackers, and penetration testers, who perform essential work in improving the security of the digital ecosystem.
- Limiting government access to personal data to what is necessary and proportionate to meet specific public safety and law enforcement needs to fight cybercrime across borders.