The Cybersecurity Tech Accord, the private sector as a whole, global human rights organizations and the UN’s High Commissioner for Human Rights are today united in expressing grave concerns on the current draft Convention on law enforcement cooperation against cybercrime.
Originally intended to deliver a targeted instrument to counter the growing threat of cybercrime, the negotiations are in danger of producing a broad UN surveillance treaty that would undermine both privacy and security in the digital environment.
“As presently drafted, the Convention presents grave risks to human rights and legitimate commerce. It risks undermining global cybersecurity, making it easier, not harder, for criminals to engage in cybercrime,” said Nick Ashton-Hart, head of the Cybersecurity Tech Accord delegation to the negotiations. “It will facilitate governments around the world sharing data of individual citizens in perpetual secrecy, which we think is simply inappropriate in a UN treaty. According to the UN High Commissioner for Human Rights and many NGOs, it will erode internationally protected human rights, including by facilitating the prosecution of children for taking naked or partially clothed selfies.”
The latest draft ignores concerns expressed consistently throughout the negotiations by the Cybersecurity Tech Accord, civil society and the private sector. It also includes measures that could have huge negative impacts on national security, industry and internationally-recognized human rights. Problems with the draft include:
- It facilitates sharing of individuals’ personal information by governments worldwide with no requirement that they allow legal challenges to problematic requests and without any transparency or accountability mechanisms.
- It fails to protect cybersecurity researchers and penetration testers from criminal liability for protecting the world’s critical online systems. The criminalization articles would also allow whistleblowers and journalists and their sources to be prosecuted since the articles have no requirement that offences include malicious or criminal intent. The global security research community sent negotiators a letter earlier this year calling for changes, calls which so far have been ignored.
- Far from covering only cyber-dependent, recognizable cybercrimes the draft allows states to cooperate on almost any criminal act they choose. Even the title does not make objective sense as it conflates the term cybercrime with any “crime[s] committed through the use of an information and communications technology system.” This would allow states to define as cybercrime two people texting using modern mobile phones to plan the robbery of a physical store or, more ominously, almost any speech-related criticism of a government by a private citizen online.
- It facilitates the criminalization of children in articles which are supposed to protect them from harm particularly in Article 14.4. The current wording of the article allows for the criminalization of children for taking naked or sexually suggestive selfies, which is not in line with the UN Convention on the Rights of the Child. The adoption of provisions that facilitate the criminalization of children in articles which are supposed to protect them from harm should be unacceptable to everyone.
- It contains provisions that could be used to harm the national security of states and creates serious risks to corporate IT systems relied upon by billions of people every day. Article 28.4 allows law enforcement to force individuals to provide access to secure systems, turn over access credentials and otherwise compromise corporate or even government systems and networks and provide the details to law enforcement, even if they are simply travelling on holiday in a third country. The entire stakeholder community have consistently called for it to be deleted.
“For a UN Convention to facilitate the criminalization of children in articles which are supposed to protect them from harm should be unacceptable to everyone,” Ashton-Hart said. “We call on all member-states to reflect on the advice provided by the UN’s High Commissioner for Human Rights in its submission to the negotiations to ensure that the Convention does not negatively impact international human rights.”
These concerns are widely shared across the multistakeholder community involved in the negotiations, including but not limited to the Electronic Frontiers Foundation and the Global Initiative Against Transnational Organized Crime, as well as cybersecurity professionals, human rights defenders, service providers and the private sector, data protection advocates and cybercrime experts.
There is still time for governments to change course by agreeing a targeted cybercrime instrument with the following principles at its core:
- Narrow the scope of the Treaty to address only the specified crimes it contains and ensure its title solely references “cybercrime.”
- Limit government access to personal data to what is necessary and proportionate to meet specific public safety and law enforcement needs to fight cybercrime and ensure service providers can object to overly broad or potentially unlawful requests.
- Strengthen the language on protection of cybersecurity researchers and penetration testers, protecting these individuals from criminal liability and, in doing so, also protect journalists and whistleblowers.
- Agree to include effective, broader safeguards, as well as data and human right protections, by limiting the use of language that allows states to defer to domestic law.
- Ensure that individuals can know their data has been sent to foreign governments when that knowledge would no longer endanger an ongoing investigation or prosecution.
- Protect children by ensuring that no provision to facilitate the criminalization of children is included in the final text, as the current state of the articles on child sexual abuse material are not consistent with the UN Convention on the Rights of the Child, and ensure provisions are fit for purpose for protecting them.
For more information contact Nick Ashton-Hart [email protected] and Edoardo Ravaioli [email protected]