The Russian backed UN Cybercrime treaty has been approved by UN delegates. Digital rights advocates are worried.
One of the developments I’ve been witnessing over the last several years was the general adoption of the vague term “cybercrime”. It was always a bizarre term to me because it sounds more like a term designed for marketing reasons rather than an attempt to define a particular activity. It’s generally quite vague and the meaning seems to be rather, well, flexible.
The thing is, if a term can be quite vague, it can be used to mean any number of things, muddying the waters of any legitimate debate to be had. Indeed, when you ask a number of people what they think of as “cybercrime”, the answers usually end up being something along the lines of creating a botnet for malicious purposes, hacking into an account or web service, stealing someone’s identity online, infecting people’s computers with malware or ransomware, and a number of other examples I could think of. So, who wouldn’t want to stop that sort of thing.
The thing is, because “cybercrime” is such a squishy and vague term, it can be used for other reasons. Indeed, over the years, political leaders in third world countries and non-democratic states have used the term as well for much more nefarious purposes. These countries have been known to implement so-called “cybercrime” laws to crack down on dissidents and increase oppression in their respective countries. In international circles, this is a widely known problem and one that has recently cropped up as well.
Russia has been pushing a so-called “Cybercrime” treaty through the United Nations. You might recall a writeup I did last year on this very thing. The concerns, at the time, were that the treaty focuses on content rather than criminal cases. This includes insulting people using a computer. When you think of what would happen when a third world country gets their hands on such a law, it’s pretty obvious that such a law would be used to silence criticisms and crack down on speech.
Other’s have certainly raised the alarms about this. For instance, Human Rights Watch has a detailed post on why this Cybercrime treaty is so problematic:
The treaty has three main problems: its broad scope, its lack of human-rights safeguards, and the risks it poses to children’s rights.
Instead of limiting the treaty to address crimes committed against computer systems, networks, and data—think hacking or ransomware—the treaty’s title defines cybercrime to include any crime committed by using Information and Communications Technology systems. The negotiators are also poised to agree to the immediate drafting of a protocol to the treaty to address “additional criminal offenses as appropriate.” As a result, when governments pass domestic laws that criminalize any activity that uses the Internet in any way to plan, commit, or carry out a crime, they can point to this treaty’s title and potentially its protocol to justify the enforcement of repressive laws.
In addition to the treaty’s broad definition of cybercrime, it essentially requires governments to surveil people and turn over their data to foreign law enforcement upon request if the requesting government claims they’ve committed any “serious crime” under national law, defined as a crime with a sentence of four years or more. This would include behavior that is protected under international human rights law but that some countries abusively criminalize, like same-sex conduct, criticizing one’s government, investigative reporting, participating in a protest, or being a whistleblower.
In the last year, a Saudi court sentenced a man to death and a second man to 20 years in prison, both for their peaceful expression online, in an escalation of the country’s ever-worsening crackdown on freedom of expression and other basic rights.
This treaty would compel other governments to assist in and become complicit in the prosecution of such “crimes.”
Moreover, the lack of human rights safeguards is disturbing and should worry us all.
With greater surveillance powers should come more robust rules to protect people against abuse. Instead, the current draft treaty defers to domestic law to provide for human-rights safeguards. That means that people are subject to the laws of individual countries, instead of benefitting from key human rights standards under international law—like the principles of necessity and legality, and the need to notify people when they’ve been subject to surveillance so that they can challenge it. Even the standards that could provide some protections are left optional, like requiring an independent court to review and authorize any request for surveillance.
Governments may argue that the treaty leaves room to refuse requests for mutual legal assistance where there are substantial grounds to believe that the request has been made to prosecute or punish a person based on their sex, race, language, religion, nationality, ethnic origin, or political opinions. But the grounds for refusal are entirely discretionary and so become the exception rather than the rule.
Earlier this month, the Electronic Frontier Foundation (EFF) has published their own article on this matter:
The draft UN Cybercrime Convention was supposed to help tackle serious online threats like ransomware attacks, which cost billions of dollars in damages every year.
But, after two and a half years of negotiations among UN Member States, the draft treaty’s broad rules for collecting evidence across borders may turn it into a tool for spying on people. In other words, an extensive surveillance pact.
It permits countries to collect evidence on individuals for actions classified as serious crimes—defined as offenses punishable by four years or more. This could include protected speech activities, like criticizing a government or posting a rainbow flag, if these actions are considered serious crimes under local laws.
Today, we learned that the treaty in question was approved by United Nations (UN) delegates unanimously. From TechDirt:
For years now, the UN has been trying to strike a deal on a “Cybercrime Treaty.” As with nearly every attempt by the UN to craft treaties around internet regulation, it’s been a total mess. The concept, enabling countries to have agreed upon standards to fight cybercrime, may seem laudable. But when it’s driven by countries that have extremely different definitions of “crime,” it becomes problematic. Especially if part of the treaty is enabling one country to demand another reveal private information about someone they accuse of engaging in a very, very broadly defined “cybercrime.”
The UN structure means that the final decision-makers are nation-states, and other stakeholders have way less say in the process.
And, on Thursday, those nation-states unanimously approved it, ignoring the concerns of many stakeholders.
And so, of course, the UN passed it on Thursday in a unanimous vote. Because governments love it for all the concerns discussed above, and human rights groups and other stakeholders don’t get a vote. Which seems like a problem.
The passage of the treaty is significant and establishes for the first time a global-level cybercrime and data access-enabling legal framework.
The treaty was adopted late Thursday by the body’s Ad Hoc Committee on Cybercrime and will next go to the General Assembly for a vote in the fall. It is expected to sail through the General Assembly since the same states will be voting on it there.
The agreement follows three years of negotiations capped by the final two-week session that has been underway.
And then they gave themselves a standing ovation. Because it’s not them who will get screwed over by this treaty. It’s everyone else.
TechDirt notes that for the treaty to enter into force, 40 nations have to ratify it. Hopefully, that never happens. Even if it does, the hope is that western nations refuse to ratify the treaty. This might be easier said than done given how hard western countries have pushed for increased internet censorship in the first place. The only thing stopping these efforts to censor the internet is squabbles over what form this internet censorship will take and what content to censor. It’s a sad state of affairs, but governments from around the world have become increasingly anti free speech these days.
So, the thing to look out for now is whether or not your country will soon begin plans to ratify this awful treaty. We’ll keep an eye out here in Canada to see if Canada does something this stupid as well as try to keep an eye out for developments elsewhere as well. While things have been bad here in Canada with the passage of the Online Streaming Act, the Online News Act, and the nearly passed Age Verification law, it would be foolish to believe things can’t get any worse because the Canadian government is more than capable of screwing things up even further.
