The UN Cybercrime Convention: A New Repressive Tool in Disguise?

Credit: CIVICUS

By Inés M. Pousadela
MONTEVIDEO, Uruguay, Oct 4 2024 – The UN Office on Drugs and Crime hailed the recently agreed Cybercrime Convention as a ‘landmark step’ in cooperating to tackle online dangers. But human rights organisations aren’t so sure.

Ominously, the resolution that started the process, passed by the UN General Assembly in December 2019, was sponsored by authoritarian Russia and backed by some of the world’s most repressive states. Some of them already had cybercrime laws they use to stifle legitimate dissent. Many more have passed similar laws since.

When Russia’s resolution was put to a vote, the EU, USA and many other states, alongside human rights and digital rights organisations, urged states to reject it. But once the resolution passed, they had to engage with the process to try to prevent the worst possible outcome: a treaty lacking human rights safeguards that could be used as a repressive tool.

They succeeded in tempering some of the worst aspects of early drafts, but the results still leave much to be desired.

The treaty process

The December 2019 resolution established an ad hoc committee (AHC) to lead negotiations, open to the participation of all UN member states plus others as observers, including civil society.

The pandemic delayed the process, and the AHC’s first meeting, focused on procedural rules, was held in mid-2021. Brazil’s proposal to require a two-thirds majority for decisions when states couldn’t reach consensus prevailed over the simple majority rule favoured by Russia. The AHC approved a list of eligible stakeholders, including civil society organisations (CSOs), academic institutions and private sector representatives.

The first negotiating session in February 2022 took another important decision: consultations would be held between negotiations, including for CSOs, to provide input and feedback. Numerous human rights and digital rights CSOs took part, often working in coalitions. They made written submissions, attended face-to-face and online meetings and made oral interventions.

Damage control

Ahead of the first negotiating session, some 130 organisations and experts signed a letter urging the AHC to ensure the treaty included human rights protections, warning that otherwise it could become ‘a powerful weapon for oppression’. They were up against numerous states that didn’t agree human rights safeguards were needed.

By April 2022, many states initially opposed to the treaty had begun to participate actively, so civil society focused on damage control. By then it was apparent there wasn’t a clear definition of what constitutes a cybercrime and which crimes the treaty should regulate. Several states aggressively pushed for broad and ambiguous provisions they claimed were needed to combat extremism, hate speech and terrorism.

Civil society insisted the treaty shouldn’t be overly broad and should only cover core cybercrimes or cyber-dependent crimes: crimes committed against computer systems, networks and data, including hacking, computing system interference, ransomware and the spreading of malware. And even when dealing with these crimes, civil society warned, treaty provisions shouldn’t apply to security research, the work of whistleblowers and other actions that benefit the public.

Civil society insisted on the exclusion of cyber-enabled crimes: those that can be facilitated by ICTs but can also committed without them, such as arms and drug trafficking, money laundering and the distribution of counterfeit goods. This category could potentially include numerous offences that would repress the online exercise of civic freedoms.

A second major concern was the scope and conditions for international cooperation. Here too civil society urged clear definitions and a narrow scope. It argued that if not clearly defined, cooperation arrangements could mean enhanced surveillance and bulk data sharing, violating privacy and data protection provisions. It warned that in the absence of the principle of dual criminality – which means extradition can only apply to an action that constitutes a crime in both the country making the request and the one receiving it – state authorities could be made to investigate activities that aren’t crimes in their countries on other states’ behalf. They could effectively become enforcers of the repression of others.

Tech companies also shared civil society’s concerns about the potential for expansive electronic surveillance in the name of fighting crime.

Human rights sidelined

Civil society representatives see the final draft as not as bad as it could have been, but it still lacks clear, specific and enforceable human rights protections. Rather than applying them as international standards, the treaty leaves human rights safeguards up to each state’s domestic law.

Civil society advocacy led to improvements on the first drafts, including an expanded article on human rights that references civic freedoms, and the inclusion of the right to an effective remedy in the article on conditions and safeguards. The most blatant attempts to weaponise the treaty to criminalise expression failed, although some cyber-enabled crimes still made it into the text. The activities of journalists, security researchers and whistleblowers aren’t adequately protected.

The convention includes a chapter on crimes against computer systems, networks and data, plus a limited number of cyber-enabled crimes, such as child sexual abuse. But while the list of crimes is narrower than initially proposed, the scope of cooperation in collecting and sharing data became wider, raising real dangers of state overreach in the form of surveillance and invasion of privacy.

Still time

It isn’t game over. The final text will soon be put to a vote by member states at the UN General Assembly and, assuming a majority approves it, states will then need to ratify the convention. At least 40 ratifications will be needed before it enters into force, a process likely to take several years. Two years after the General Assembly vote, negotiations are expected to begin on an additional protocol covering further crimes, which won’t be concluded until 60 states have ratified the convention. Civil society fears this is when the worst proposals to criminalise speech will resurface.

Civil society will encourage governments to reject the convention and instead take a human rights-based approach. Once the UN General Assembly approves the convention, civil society will warn of the dangers it poses to human rights and civil liberties and oppose ratification.

With or without an international convention, civil society will continue to work to ensure cybercrime legislation at all levels meets the highest human rights standards, including respect for civic freedoms, and isn’t used as a means of repression.

Inés M. Pousadela is CIVICUS Senior Research Specialist, co-director and writer for CIVICUS Lens and co-author of the State of Civil Society Report.

A longer version of this article is available here.

For interviews or more information, please contact research@civicus.org.

 


!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?’http’:’https’;if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+’://platform.twitter.com/widgets.js’;fjs.parentNode.insertBefore(js,fjs);}}(document, ‘script’, ‘twitter-wjs’);