New Atlanticist August 14, 2024

The UN finally advances a convention on cybercrime . . . and no one is happy about it

By Lisandra Novo

On August 8, a contentious saga on drastically divergent views of how to address cybercrime finally came to a close after three years of treaty negotiations at the United Nations (UN). The Ad Hoc Committee set up to draft the convention on cybercrime adopted it by consensus, and the relief in the room was palpable. The member states, the committee, and especially the chair, Algerian Ambassador Faouzia Boumaiza-Mebarki, worked for a long time to come to an agreement. If adopted by the UN General Assembly later this year, as is expected, it will be the first global, legally binding convention on cybercrime. However, this landmark achievement should not be celebrated, as it poses significant risks to human rights, cybersecurity, and national security.

How did this happen? Russia, long opposed to the Council of Europe’s 2001 Budapest Convention on cybercrime, began this process in 2017. Then, in 2019, Russia, along with China, North Korea, Myanmar, Nicaragua, Syria, Cambodia, Venezuela, and Belarus, presented a resolution to develop a global treaty. Despite strong opposition from the United States and European states, the UN General Assembly adopted a resolution in December 2019, by a vote of seventy-nine in favor and sixty against (with thirty abstentions), that officially began the process. Already, it was clear that the member states did not share one vision. Indeed, they could not even agree on a name for the convention until last week. What they ended up with is a mouthful: “Draft United Nations convention against cybercrime: Strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and for the sharing of evidence in electronic form of serious crimes.”

This exceedingly long name reveals one of the biggest problems with this convention: its scope. At its heart, this convention is intended to allow law enforcement from different countries to cooperate to prevent, investigate, and prosecute cybercrime, which costs trillions of dollars globally each year. However, the convention covers much more than the typical cybercrimes that come to mind, such as ransomware, and includes crimes committed using technology, which reflects the different views as to what constitutes cybercrime. As if that were not broad enough, Russia, China, and other states succeeded in pushing for negotiations on an additional protocol that would expand the list of crimes even further. Additionally, under the convention, states parties are to cooperate on “collecting, obtaining, preserving, and sharing of evidence in electronic form of any serious crime”—which in the text is defined as a crime that is punishable by a maximum of four years or more in prison or a “more serious penalty,” such as the death penalty.


In Russia, for example, association with the “international LGBT movement” can lead to extremism charges, such as the crime of displaying “extremist group symbols,” like the rainbow flag. A first conviction carries a penalty of up to fifteen days in detention, but a repeat offense carries a penalty of up to four years. That means a repeat offense would qualify as a “serious crime” under the cybercrime convention and be eligible for assistance from law enforcement in other jurisdictions that may possess electronic evidence relevant to the investigation—including traffic, subscriber, and even content data. Considering how much of modern life is carried out digitally, there will be some kind of electronic evidence for almost every serious crime under any domestic legislation. Even the UN’s own human rights experts cautioned against this broad definition.

Further, under the convention, states parties are obligated to establish laws in their domestic system to “compel” service providers to “collect or record” real-time traffic or content data. Many of the states behind the original drive to establish this convention have long sought this power over private firms. At the same time, states parties are free to adopt laws that keep requests to compel traffic and content data confidential—cloaking these actions in secrecy. Meanwhile, grounds for a country to refuse a cooperation request are limited to instances such as where it would be against that country’s “sovereignty,” security, or other “essential” interest, or if it would be against that country’s own laws. The convention contains a vague caveat that nothing in it should be interpreted as an obligation to cooperate if a country “has substantial grounds” to believe the request is made to prosecute or punish someone for their “sex, race, language, religion, nationality, ethnic origin, or political opinions.”

Russia claimed that such basic safeguards, which do offer some protection in the example regarding LGBT activity as “extremist,” were merely an opportunity for some countries to “abuse” the opportunity to reject cooperation requests. Those safeguards, conversely, could also be abused by the very same states that opposed them. The Iranian delegation, for its part, proposed a vote to delete that provision, as well as all other human rights safeguards and references to gender, on the day the text was adopted. These provisions had already been weakened significantly throughout the negotiation process and only survived thanks to the firm stance taken by Australia, Canada, Colombia, Iceland, the European Union, Mexico, and others that drew a red line and refused to accept any more changes.

The possible negative consequences of this convention are not limited to human rights but can seriously threaten global cybersecurity and national security. The International Chamber of Commerce, a global business organization representing millions of companies, warned during negotiations that “people who have access to or otherwise possess the knowledge and skills necessary” could be forced “to break or circumvent security systems.” Worse, they could even be compelled to disclose “previously unknown vulnerabilities, private encryption keys, or proprietary information like source code.” Microsoft agreed. Its representative, Nemanja Malisevic, added that this treaty will allow “for unauthorized disclosure of sensitive data and classified information to third states” and for “malicious actors” to use a UN treaty to “force individuals with knowledge of how a system functions to reveal proprietary or sensitive information,” which could “expose the critical infrastructure of a state to cyberattacks or lead to the theft of state secrets.” Malisevic concluded that this “should terrify us all.”

Similarly, independent media organizations called for states to reject the convention, which the International Press Institute has called a “surveillance treaty.” Civil society organizations including Electronic Frontier Foundation, Access Now, Human Rights Watch, and many others have also long been ringing the alarm bell. They continue to do so as the final version of the convention adopted by the committee has failed to adequately address their concerns.

Given the extent and cross-border nature of cybercrime, it is evident that a global treaty is both necessary and urgent—on that, the international community is in complete agreement. Unfortunately, this treaty, perhaps a product of sunk-cost fallacy thinking or agreed to under duress for fear of an even worse version, does not solve the problems the international community faces. If the UN General Assembly adopts the text and the required forty member states ratify it so that it comes into force, experts are right to warn that governments intent on engaging in surveillance will have the veneer of UN legitimacy stamped on their actions. Rights-respecting states should not allow themselves to be co-opted into assisting abusive practices under the guise of cooperation. Nor should they willingly open the door to weakening their own national security or global cybersecurity.


Lisandra Novo is a staff lawyer for the Strategic Litigation Project at the Atlantic Council specializing in law and technology.


Image: NEW YORK, NY - SEPTEMBER 19: U.S. President Joe Biden addresses the General Debate of the 78th session of the United Nations General Assembly at the United Nations headquarters on September 19, 2023 in New York City. (Photo by Liu Guanguan/China News Service/VCG )