Twenty years ago today, the Council of Europe Convention on Cybercrime, commonly known as the “Budapest Convention,” became the first ever international treaty on cybercrime. In the years since, it has been the leading international instrument supporting cooperation between nations working to combat cybercrime. The Cybersecurity Tech Accord and its signatories want to express our support and appreciation for the Convention and its objectives and join governments, industry and civil society organizations worldwide in celebrating the Convention’s anniversary by reflecting on the key role it plays in helping protect our society against cybercrime.
Building an instrument for protecting victims and rights
In 2001, crimes committed via the internet and other computer networks were hardly a new phenomenon. However, the rapid digitalization at the turn of the century made clear that this burgeoning challenge required a new instrument, and one that spanned borders, as domestic legal protections were quickly proving insufficient. The inherently borderless nature of cyberspace means that cybercrimes often take place across multiple jurisdictions at once, making alignment and coordination of law enforcement efforts between nations essential.
While established by the Council of Europe, the Convention has become a truly global instrument over the past 20 years, ratified by 66 governments from across different regions and used by many more as a guideline for domestic cybercrime legislation. Just as important as enabling this international cooperation, however, is the treaty’s focus on protecting human rights. The Convention balances the vision of a free and open internet, where information can be accessed and shared easily, alongside the need for an effective criminal justice system to prevent abuse and protect victims from attack.
The Convention has also proven able to stand the test of time and adapt as needed. It has been successfully amended to address evolving challenges brought about by innovation in both technology and criminal activity online. The Convention originally covered a broad range of offenses, including computer-related fraud and child pornography. In 2003, an Additional Protocol was added which criminalized racist and xenophobic crimes committed through computer systems (CETS 189). Since then, the widespread adoption of cloud computing has raised new questions about how the Convention should be adapted further to effectively gather electronic evidence stored across multiple jurisdictions and promote greater cooperation between public and private sectors. The second Additional Protocol, which addresses enhanced international cooperation and access to evidence in the cloud, effectively addresses these concerns.
In fact, the second Additional Protocol will improve law enforcement efforts by clearing bureaucratic hurdles to cross-border data access requests and introduce a comprehensive set of instruments to facilitate judicial cooperation in criminal matters. Most importantly, it will uphold procedural rights standards, as well as data protection and privacy safeguards. The new Protocol will also reduce the number of conflicting laws and ensure that companies deliver on commitments to their customers.
The road ahead
Earlier this year, negotiations began at the United Nations around a potential new cybercrime treaty, leaving open questions surrounding how such a treaty might eventually complement or conflict with the Budapest Convention. Many of us in industry and civil society are concerned a new treaty might fail to focus on the needs of victims and protecting rights, as the Budapest Convention has, and instead focus more on protecting state sovereignty online. To highlight these concerns, last month we released the Multistakeholder Manifesto on Cybercrime, in partnership with the CyberPeace Institute.
Fundamentally though, what is needed now is not a new international instrument that will take years to negotiate, but rather for more countries to leverage existing ones to combat cybercrime. Amid growing international concerns about the threat of cybercrime, we encourage more states to join onto the Budapest Convention in order to keep building more robust and harmonized expectations across borders, while protecting a free and open internet for all. Over the past 20 years, the Budapest Convention has set an important precedent as not only the world’s only cybercrime treaty, but as an example of how to balance law enforcement with human rights protections online, and how to prioritize the needs of victims. These are the kinds of qualities that should guide all efforts to advance the rule of law online.