(I am running the sessions of the 6th and Concluding meeting of the UN Cybercrime Ad Hoc Committee into Otter, for easier comprehension - https://joly.substack.com/p/51969f5d-7820-4672-9bec-0df5dd5cf3ef )
So, after 9 or so meetings hacking the treaty draft text run by Vice Chairs, on Monday morning of week two Chair Mebarki returned for a session on the actual proposed UN Resolution. The main bone of contention, which many weighed in on, was the actual name of the convention: Russia wanted the existing “Countering the Use of Information and Communications Technologies for Criminal Purposes”, while the U.S. favored the simpler “Countering Cybercrime”. Here is how they lined up.
One would think “Cybercrime” wins.
===
Article 9 of the resolution is a kind of afterthought:
9. Decides that, in order to raise awareness of cybercrime and of the role of
the [name of the Convention] in combating and preventing it, [date] should be
designated International Anti-Cybercrime Day.
The only country to offer support for this was Russia, who referred to it as “International Cybercrime Day” (Anti- possibly lost in translation). One wonders how many zero days would be timed for this!
===
So, after two hours of this, the session was notable as being the first one with multistakeholder input. Access Now and EFF were called earlier last week, but were no-shows, as they also were on this day. However, several others stepped up to the plate for 30 mins of statements.
Romanian NGO eLiberare emphasized the needs of victims of trafficking and sex abuse, suggesting the treaty contained “the bare minimum when it comes to safeguards… … to avoid retraumatization”, including adult victims.
Specifically, by the suggestion of putting the burden of proving victimhood on those who have faced enormous and significant trauma, the classification of victimization grants someone access to the rights and protections, therefore, the thresholds this convention establishes have to be very well thought out.
Also, on sex abuse material:
We express the concern regarding vagueness or a broad scope, as it could allow even for the targeting of mandatory reporters or service providers. A more narrow focus is needed for any such provision to be effective.
Privacy International also expressed scope concerns.
Privacy International welcomes the opportunity to intervene at this session. While we recognize that cyber crimes can pose a threat to the enjoyment of human rights, my organization has long documented human rights violations committed under the guise of combating cybercrime. We have also consistently recommended that the UN cyber crime treaty should be narrow in scope, and should contain robust safeguards to mitigate the risk of these violations. Regrettably, the latest draft fails to address many of our significant concerns. I would like to address three of these concerns.
Firstly, the scope of application of investigative powers is very broad. Indeed, there is a disconnect between the chapter on criminalization and the scope of procedural measures. Under the current text, the powers afforded to law enforcement agencies apply to the investigation of criminal offences committed by means of a computer system, as well as the collection of evidence in electronic form of any criminal offence. Consequently, the scope of application of Article four appears to be expanded well beyond cyber dependent crimes. Arguably, it will make the treaty one of the most far reaching in criminal matters. This over broad scope gives rise to the danger that the convention will be used to justify the prosecution of the legitimate exercise of human rights.
Secondly, we believe that the draft text is unbalanced. It gives a sweeping privacy and basic powers to law enforcement agencies without robust human rights, limitation and safeguards. Articles 29 and 30, for example, provide for real time collection of traffic data and interception of content data. These are extremely intrusive measures that require a set of stringent limitations and safeguards. Unfortunately, article 24 does not include some key safeguards, well established in international human rights law, such as the principles of legality and necessity, prior independent authorization of surveillance measures, and further leaves too much to discretion of State Parties in the scope of application of the human rights safeguards.
Thirdly, the chapter of international cooperation is also very broad in scope of application, and with no detailed human rights safeguards. For example, in relation to sharing of personal data, the wording of article 36 fails to provide effective protection.
Privacy International joined over 100 civil society organizations and experts to recommend that the convention should only move forward if it pursues a specific goal of combating cybercrime. The present draft falls far short of this goal and Privacy International recommends to comprehensively revise…
At which point the mic was cut off at the 3 minute mark.
The Atticus Foundation took up the cudgel:
I would like to once again highlight our particular concerns about the latest draft of the convention, and narrow scope of the whole convention to cyber dependent crimes specifically defined and included in this text as necessary — any broader application gives rise to the danger that the convention will be used to criminalize legitimate online expression, which is likely to create discriminatory impacts and deepen gender inequality.
To include language or specific provisions against excessive criminalization to ensure that security researchers, whistleblowers, journalists and human rights defenders are not prosecuted for the legitimate activities, and that other public interest activities are protected.
To strengthen data protection and international human rights standards throughout the entire convention is required. This means removing references to domestic standards, and including the principles of non discrimination, legality, legitimate purpose, necessity and proportionality, as well as introducing explicit references to safeguards such as prior traditional authorization for accessing or sharing data, as well as for conducting cross border investigations, and cooperation in accordance with the rule of law, a right to notification as soon as investigations allow, and the right to effective remedy.
The two are connected and one makes no sense without the other.
Finally, to mainstream gender across the convention, so as to ensure the convention is not used to undermine people's human rights on the basis of gender. Furthermore, to limit the scope of application of procedural measures and international cooperation to cyber dependent crimes, established in the criminalization chapter of the convention, in order not to undermine trust in secure communications, and infringe on international human rights standards.
And finally, Madam Chair, avoiding endorsing any surveillance provisions that can be abused to undermine cybersecurity and encryption, so as not to allow for excessive information sharing for law enforcement cooperation beyond the scope of specific criminal investigations. Madam Chair, the final outcome of the treaty negotiation process should only be deemed accessible if it effectively incorporates strong and meaningful safeguards to protect human rights, ensures legal clarity for fairness and due process, and fosters international cooperation under the rule of law.
International Chamber of Commerce had concerns:
We are very worried that the latest drafts and amendments continue to include deficiencies that could end up jeopardizing cybersecurity, compromising data, privacy, and eroding online rights and freedoms.
Let me just highlight one major point of concern for international business across regions and industry sectors, and this is access to data held by the private sector. As it currently stands, the Convention does not sufficiently limit access to data to what is necessary and proportionate to law enforcement needs. The convention should include provisions to ensure clarity and predictability in government access, and embrace transparency. Furthermore, real time collection of traffic data and interception of content data are considered a significant invasion of privacy and references to such practices should be removed from the convention. In addition, provisions are needed to ensure that states cannot demand access to data in third states without the third state's explicit consent.
Cybersecurity Tech Accord was brutal:
First, the treaty would weaken cybersecurity globally by facilitating the compromising of critical security measures and the criminalization of penetration testing in cybersecurity research that keeps the digital ecosystem resilient against cyber criminals.
Second, the convention would slow down sharing of electronic evidence without a specific narrow scope and clear dual criminality provisions. Data custodians will be asked to break the law in one state to comply with data requests from another, frustrating cooperation.
Third, as just mentioned, the convention would generate serious conflicts of laws. Just one example is the new italicized language in articles 42, 44, and 45, that would force service providers to hand over data in secret irrespective of where it is located, and without the knowledge of the state that it is in. This violates the law in many countries, Article 4, and the UN Charter.
Fourth, the text would allow any state party to obtain the personal information of other states’ citizens without sufficient safeguards and perpetual secrecy, forcing service providers to hand over data with no ability to notify users or object even when those requests are manifestly unlawful.
Fifth, by leaving it completely in the hands of individual states to define the breadth and type of subject matter that comes under its scope, the convention facilitates human rights violations and puts lives at risk.
Finally, allowing for secret access to secured systems, extraterritorial exfiltration of data and secret real time surveillance with no transparency safeguards presents grave risks to states' national security as well. Abuse of key provisions could result in real time surveillance of and access to the secret data of state officials without the knowledge of the impacted state.
We don't support the adoption of the convention or ratification of it unless all six of these issues are meaningfully addressed, and we can't support the compromise package either. It continues to allow states to decide what crimes the convention would cover if even the most incidental use of ICTs was involved, and e-evidence for all serious crimes. The limitation to serious crimes is not meaningful for all the reasons previously stated in our submissions, and the link to unspecified other instruments creates more ambiguity.
Madam Chair, our concerns are not theoretical. They're based on what is happening right now to firms globally. Regrettably, this negotiation is going in the wrong direction. What we have before us is a bad treaty that has united civil society and industry opposition, in a way I've never seen in decades working in international relations.
Microsoft also pulled no punches:
Having listened carefully to the deliberations last week, and having consulted extensively with member states as well as with other stakeholders, we are even more concerned going into the second week. As currently drafted, neither the zero draft nor the seventh session draft, nor the various compromise proposals, adequately addressed the concerns industry and civil society have raised. Each version that we have seen could have profound negative impact on the digital ecosystem, including the severe risk of creating a digital surveillance treaty in the guise of a Cybercrime Convention.
Again, nothing of what I say should come as a surprise to anybody. The position of stakeholders, both from industry and civil society has been remarkably aligned on these concerns. As I've said before, in my now 20 plus years of working in multilateral and multistakeholder negotiations, I've never witnessed industry and civil society to be as aligned in their concerns as I've seen during this process. By and large, we could all swap and read each other's statements, and frankly, that alone should give pause to member states.
Looking at the current state of play, Microsoft is disappointed that our key concerns on the various draft texts, that we and other industry and civil society entities broadly and continuously shared with member states, have not been adequately addressed. And, frankly, looking at the trajectory of the draft text, it appears that each compromise practice is becoming more problematic.
Microsoft urges states to use the remainder of this week to clearly and narrowly define the scope of this treaty, improve safeguards throughout the convention, specifically as it pertains to covert surveillance and strengthen protections for cybercrime researchers.
Otherwise this convention could not only gravely harm fundamental rights and create a confusing cooperation landscape for states and providers, but it could allow cybercrime to thrive and make cyberspace considerably less secure, and we could not support its ratification.
As ever, Microsoft associates itself with the substantive concerns expressed by the Tech Accord and the ICC.
Ambivium Institute raised a good point about the GDC possibly conflicting with this Convention.
A world that is striving to become digitally connected will need that it is connected with the landscape of each country. Those who desire to close the gaps lack the capacity to effectively implement most of the items being advocated here. It will be important for government and civil society to clearly push for domestic rule of law that aligns with existing law that guarantees political rights and safety in the area of privacy. Keeping in mind as member states are advancing these conventions, the Summit of the Future is also drafting language that calls for a Digital Compact, that will be different from the language of these conventions.
Digital cooperation is necessary for countries to protect the safety of individuals when online; the data infrastructure should not negate the definition of crime in online space. This convention is still the beginning stage for a long negotiation between the global north and global south wherever the exchange of new technology will need and will continue to be the problem. I urge countries that are developed to be open and to share their knowledge, and to also make open technology available for countries and stakeholders that are still lacking money is to fund it.
And, finally, DB Connect advocated capacity building.
Cybercrime knows no boundaries; criminals can orchestrate attacks from anywhere in the world, targeting victims across different jurisdictions. Without international cooperation, law enforcement agencies are limited in their ability to investigate, collect evidence and apprehend perpetrators operating abroad.
Different countries possess unique strengths and expertise in combating cybercrime. Therefore, here today, as multistakeholders, I'm diligently asking member states to understand that sharing knowledge, best practices and resources allows for a more comprehensive and effective response. Joint operations and training programs can enhance the capabilities of law enforcement agencies worldwide.