The new UN cybercrime convention left everyone unhappy. But is that necessarily the sign of a good compromise?
They say that a good compromise leaves everyone unhappy. That may very well be the case for the new UN cybercrime convention, which the General Assembly is likely to pass next month. The convention is the output of two years of rocky negotiations—a period marked by fundamental disagreements among the negotiating parties and uncertainty over whether the ad hoc committee handling the treaty would ever present a consensus draft. The purpose of the new convention is to promote and strengthen international cooperation in preventing and combating cybercrime and facilitate technical assistance and capacity building where needed. As we described earlier this year, shortly before the draft was finally adopted, some of the outstanding issues included “the convention’s scope of criminalization, obligations for international cooperation, and the types of safeguards against political abuse and human rights protections that should be included.”
Despite those core disagreements, the ad hoc committee was able to adopt a draft by consensus at the last minute—while the concluding session was held in late January of this year, the consensus draft was only adopted in early August.
The treaty’s wordy title—“United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes”—hints at diplomatic maneuvers that were required to reach the final text.
Reaching consensus on combating cybercrime is a boon to multilateralism at a time of tense geopolitics and overall growing dissatisfaction and skepticism about the role that multilateral organizations can play. One could expect that any agreement that satisfies Russia and the U.S. at the same time would be little more than symbolic. However, the cybercrime convention has raised concerns for the private sector, civil society, academia, and experts. The unlikely coalition is concerned that the treaty could be easily misused to target dissidents and security researchers, undermine fundamental freedoms, and facilitate censorship.
A lot of ink has already been spilled detailing the back and forth during the negotiations about the scope of the convention, the type of crimes included, and the human rights protections and safeguards or lack thereof. It is useful to look at this back and forth as a way of understanding what each party was willing to compromise on and what that means for the future of international cooperation against cybercrime. How much of the authoritarian playbook was effectively thwarted during the negotiations? How does the new convention build on preexisting treaties? Will capacity building be more effective now? While everyone seems somewhat unhappy with the final result, a longer-term view of what the convention will allow hints at a victory for authoritarian tendencies.
Increased Participation in the Negotiation Process
Until now, the major international instrument against cybercrime was the Budapest Convention, a mostly European effort. Russia has refused to join the Budapest Convention, alleging that the authorization of cross-border investigations could threaten its sovereignty. This is one of the reasons Russia sponsored the negotiation for a new treaty under the UN. Western countries opposed it, arguing that the Budapest Convention was sufficient to combat cybercrime. The idea of a new cybercrime convention resonated with states that did not have the opportunity to negotiate the European treaty. Even if the Budapest Convention was open for them to sign, the text did not capture the range of concerns about international cooperation against cybercrime.
In our previous article, we divided the negotiating parties into three blocs of interest: a group of states more inclined to focus on broad criminalization of cyber activity—–with China and Russia at the center of it; the “Western countries” looking to tie the convention more closely to the preexisting Budapest Convention; and the middle countries that saw the UN negotiations as a way to ensure that the convention tackled the digital divide, offering them access to cooperation, capacity building, and technical assistance.
That the negotiations included more voices and the draft is able to capture the concerns of more nations is certainly a victory for the middle countries. Russia may boast about the diplomatic win from sponsoring the convention—as Nick Ashton-Hart explained on the Lawfare Daily, “In the UN if you’re the proposer of a thing, and that thing works out whether you get a General Assembly vote for something or you launch a process like this, you get diplomatic credit for the outcome”—but it failed at achieving a squarely authoritarian convention.
But state participation is not the end of the story. It is almost cliche now to talk about cybercrime as a multi-stakeholder problem that requires a multi-stakeholder solution. While, traditionally, the UN is the realm of state actors, the role that the private sector and civil society play in stymying cybercrime meant there was significant interest in including their perspectives. Their participation has become commonplace in many of the cyber discussions that have taken place in the first committee over the past few years. While Russia opposed the participation of many groups, it was thanks to the invitation of the Western countries that a lot of the private-sector and civil-society views were able to be considered in developing the draft—even if there was some criticism of the outreach efforts, which were not perceived as sufficient.
An Uneasy Tension in the Treaty Itself
The scope of offenses included by consensus in the new treaty closely mirrors the scope of crimes already included in the Budapest Convention. These crimes are mostly cyber-dependent crimes—those that can be carried out only through and against computer systems, like illegal access to an information system. This appears to be a win for countries such as the U.K., Japan, and France, which wanted to prevent the inclusion of content crimes (crimes that focus on the content published, like misinformation) and a long list of cyber-enabled crimes (crimes that are enhanced by the use of a computer system, like fraud). If those crimes had been included in the convention, that would have allowed authoritarian countries to criminalize a broader range of activity and leverage the cooperation mechanisms to target dissidents, for example.
While the battle may have been won, the war is ongoing. Those concerning crimes may still find their way into the convention’s scope. Articles 61 and 62 provide that the Conference of the States Parties may supplement the convention with one or more additional protocols. These protocols only need to be submitted by at least 60 states, and while they should preferably be adopted by consensus, a two-thirds majority vote of the states parties present and voting would be enough to adopt them. This means that nothing prevents Russia or China, supported by 60 states, from proposing the adoption of a protocol that includes a provision against extremism-related offenses—opening the door for broad domestic interpretations.
The U.S. lead negotiator, Ambassador Deborah McCarthy, argued that it was a hard-fought victory for the U.S. team and its allies and partners to be able to set a high bar for the negotiation of a protocol, against constant opposition from more authoritarian-leaning states. It is true that Russia and China originally wanted fewer countries to be sufficient to bring about a protocol and to adopt it. It was, indeed, a compromise to raise the number to 60 states. But the option remains for not that many countries to unreasonably expand the scope of the convention and threaten fundamental freedoms. Articles 61 and 62 loom over fundamental freedoms and will require unwavering and continuous vigilance on the part of democratic states and civil society.
The procedural obligations in terms of law enforcement and international cooperation go well beyond the 11 cybercrimes identified and defined by the convention. As its title indicates (again, “United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes”), the aim is to strengthen international cooperation not only for the cybercrimes identified by the convention but also for “serious offenses” (that is, those punishable by a maximum deprivation of liberty of at least four years). What’s more, the convention’s procedural obligations apply to the collection of evidence in electronic form for “any criminal offense,” cyber or not, serious or not. The scope of the convention’s offenses is therefore extremely broad, going well beyond the fight against cybercrimes to include any such “serious offense” whose identification relies on each state’s domestic criminal law.
The convention includes certain guarantees for the protection of fundamental freedoms and personal data—crucial given the broad scope and the intrusive nature of the convention’s investigation methods. The convention includes a number of safeguards, which should enable states to refuse requests for mutual legal assistance on the grounds of protecting fundamental freedoms and personal data. The fact that states may invoke the absence of dual criminality to refuse to provide legal assistance under this article constitutes an additional safeguard against freedom-destroying requests.
However, the protections granted by the convention may seem weak in light of the intrusive nature of the procedural measures provided by it. According to Article 24, on conditions and safeguards:
Each State Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Chapter are subject to the conditions and guarantees provided for in its domestic law, which must ensure the protection of human rights, in accordance with its obligations under international human rights law, and must incorporate the principle of proportionality.
The reference to the guarantees provided by the “domestic law” of states is not necessarily reassuring, and the reference to each state party’s “obligations under international law” remains vague and relative. The only principle mentioned in this article is the principle of proportionality, which, while certainly fundamental, does not suffice without the principle of necessity. Furthermore, the convention does not establish the obligation of judicial review or another form of independent review, nor a right to an effective remedy. Although desired, the appropriateness of these guarantees is left to the discretion of the states (Article 24§2).
More broadly, Article 6 (which applies to all the treaty’s provisions) prohibits states from using the treaty to violate human rights or fundamental freedoms, including the rights related to the freedoms of expression, conscience, opinion, religion or belief, peaceful assembly, and association. However, the article does not provide for any reinforced or specific measures, especially concerning the protection of security research, which does little to satisfy concerns about the protection of fundamental freedoms and personal data.
Swift Backlash From Everyone Else
After the UN adopted the draft convention by consensus, the backlash from the private sector and civil society was swift. Some groups, including in the U.S., called on states to abstain from adopting the convention, arguing that no convention at all would be better than this one. As Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation, wrote: “States should vote No when the UNGA votes on the UN Cybercrime Treaty.”
Among the main criticisms is the fact that “the e-evidence sharing chapter remains broad in scope, and the rights section unfortunately falls short. Indeed, instead of merely facilitating cooperation on core cybercrime, this convention authorizes open-ended evidence gathering and sharing for any serious crime that a country chooses to punish with a sentence of at least four years or more, without meaningful limitations.”
Western governments acknowledged these concerns but ultimately dismissed them. Representatives from the U.S. and the U.K., for example, argued that their countries needed to continue to support the convention to prevent being left out of the conversation. Even if their governments refrained, the convention would most likely still be adopted, and they would not be in a position to play a role in its interpretation and implementation of protections and safeguards provided within. There’s also, of course, a clear utility. As one U.S. official said, “[T]he treaty would expand the number of countries that would respond to U.S. warrants for arrest involving cybercrimes.”
They also argued that refraining at this stage, after adopting the text by consensus at the ad hoc committee, would break the trust built up during negotiations. Many of these partners are the middle countries, such as the Caribbean or African states that will end up benefiting from an increase in capacity building. In many ways, the convention accomplishes their objective: improved capacity to fight cybercrime. However, these same countries are also the most vulnerable to UN-washed requests from authoritarian governments. As Jason Pielemeier, executive director of the Global Network Initiative argued, the concern is less that the Russian government will misuse the convention against established democracies but, rather, that it will exploit the international acceptance of the language to make demands from third countries with weaker application of the rule of law. Another wrinkle lies in the possibility that authoritarian governments could argue that they are simply applying international law in their domestic context—a pretty straightforward way of covering up abuses.
Can Anyone Claim Success?
At the moment, nobody seems particularly pleased. That may indeed be in the nature of compromise. But the concerning potential that we have highlighted ultimately places victory at the feet of authoritarian governments. Democracies appear to have played into Russia’s trap, reaching a compromise for the sake of compromise and jeopardizing their values throughout. The authoritarian goals may have been delayed, but the paths to reach them still exist.
It is now up to the democracies that vote “yes”to do their utmost to ensure that this convention is not abused and positively contributes to international cooperation in the fight against cybercrime without undermining fundamental freedoms.
– Karine Bannelier, Eugenia Lostri, Published courtesy of Lawfare.
