Quo Vadis – Cybercrime Convention?
After six rounds of negotiations, we are now approaching the seventh, which is scheduled for the end of January. If the Chair of the Ad Hoc Committee responsible for drafting the Convention has her way, this will be the last round of negotiations and will result in a final text. Together with numerous international NGOs, we have been actively involved in the negotiations of the UN member states on site in Vienna and New York and have repeatedly pointed out the inadequacies of the planned treaty text and the resulting dangers from a human rights perspective.
What happened recently
During the last round of negotiations in New York last summer, the intention was to agree on as many parts of the treaty as possible in order to reach a conclusion as quickly as possible. However, the exact opposite happened: the text that the Chair felt could garner consensus ("zero draft") was not far-reaching enough for many states - they wanted even more than the already problematic draft would have provided for.
Together with other representatives from civil society, we criticised this text for its glaring shortcomings from a human rights perspective. Nevertheless, during those two weeks in New York, it was once again inflated by state representatives and expanded to include all those points that we had already considered or hoped to exclude. These included various content-related offences (such as terrorism, extremism, blasphemy, etc.). It was clear that these would not be acceptable to a majority and so an important opportunity was missed to deal with the many gaps in the text instead. In short: instead of progress, serious steps backwards were taken.
What does the revised "Zero Draft" bring us?
The eagerly awaited revised zero draft was presented at the end of November. This is the text that will serve as the basis for the upcoming round of negotiations and which is once again assumed (at least by the Chair) to be capable of achieving a majority or even consensus and to be close to the future final treaty text.
After an initial analysis, however, we must conclude that this draft is also highly unsatisfactory from a human rights perspective. Neither the numerous, persistent and well-founded concerns of civil society have been taken into account - in some points, further steps backwards have even been taken. The scope of application is still too broad and the necessary safeguards are not uniformly included throughout the text and are far too weak - with potentially serious consequences for rights such as freedom of expression and privacy.
Initial comments from partner organisations have been consistently critical and we also reiterate that the intended treaty text in its current form poses major risks to democracy and human rights. Below we explain a selection of critical points in the current draft that urgently need to be improved.
Catalogue of offences
The catalogue of criminal offences is still vague and imprecise in parts. The number of punishable offences has now been reduced and the most problematic proposals of the states have not made it into the new draft. These include, for example, offences relating to terrorism or extremism, as they would open the door to abuse due to their vagueness and lack of an internationally recognised legal definition. However, it cannot be ruled out that they will be included again through the back door, so to speak, due to the imprecise wording of a collective provision.1
The draft is also not limited to so-called "cyber-dependent crimes",2 i.e. offences that are directed at a computer system or that could not be committed without one. On the contrary: it even contains other offences. In particular, a newly added clause in connection with computer-related theft or fraud is risky due to its broad and extremely vague definition.3 Despite all the cultural differences between the UN member states, it is also important to ensure that the CSAM provisions do not penalise young people who send each other intimate images or videos, for example, on a consensual basis.
However, even the offences relating to so-called "cyber-dependent crimes" urgently need to be improved. For example, when it comes to the wording of the intent required to commit such offences. Intent alone would go way too far, because ethical hackers, for example, also act intentionally when they examine a computer system for vulnerabilities, which they then report in the sense of "responsible disclosure". Here, both malice ("criminal/malicious intent") and an intent to cause harm must be inserted consistently and mandatorily. Otherwise, it would allow states to take measures that would undermine the protection of human rights, especially since so-called "ethical hackers", journalists, activists, etc. would also fall under the criminal provisions. If no changes are made to the scope of the offences, there is a risk that the Convention will become an instrument that justifies human rights violations by states.
Surveillance measures...
We already reported on the very far-reaching surveillance measures provided for in the treaty in our blogpost from mid-January and we also publicly explained the inadequate conditions and safeguards at a press conference. Some of the measures from earlier versions - such as data retention - are no longer included in the draft. However, the text has still not been completely toned down and some of the surveillance measures, which are extremely invasive of privacy, are still included in the draft. The planned collection and disclosure of traffic data in real time (e.g. who is communicating with whom, when and where) - i.e. the transfer of data to the requesting state to provide information - and the legalisation of the interception of content data (e.g. content of digital communication) in real time pose a particularly great danger.4
A provision relating to the search and seizure of stored computer data is also a cause for great concern. The current draft may lead to states imposing obligations on third parties (e.g. communications service providers) to either disclose vulnerabilities in certain software (e.g. the software used by communications service providers) or to grant the authorities access to encrypted communications.5
... with a broad scope of application...
The risks of such far-reaching surveillance measures and their questionable compatibility with international human rights standards are obvious. In addition, all surveillance measures can be applied not only to the offences contained in the draft, but also to all offences committed using a computer system - regardless of the severety of the sanction - including, for example, petty offences.
This massive extension poses a serious risk of undermining fundamental rights, above all the right to privacy and the right to a fair trial.
... lack of security measures...
The safeguards against these intrusions are seriously flawed and in no way ensure that the measures are applied in accordance with international human rights obligations. For example, essential safeguards that protect against the arbitrary exercise of state surveillance powers and ensure that the proportionality and necessity of interference with rights such as freedom of expression or the right to privacy are fully considered have not been included in the draft. There is also still a lack of mandatory, independent (judicial) ex ante authorisation of surveillance measures. However, this means that the necessary degree of independence and objectivity for the use of surveillance measures is not guaranteed.
... and without an effective legal remedy
Nor has the right to an effective legal remedy against surveillance measures been included in the draft. On the contrary: not even a provision that ensures that persons under surveillance are at least adequately notified has been included. However, such notification would not only inform the person that their rights are being infringed: It would also be an indispensable prerequisite for being able to exercise the equally lacking right to an effective legal remedy in the first place. After all, how can one defend oneself against measures that one does not even know are being used?
Against this background, it is hardly surprising that there is no obligation to regularly disclose statistical data on the use of surveillance powers and that neither transparency nor accountability are increased as a result.
All these gaps in the draft are highly alarming and require an urgent revision of the text in order to bring it into line with internationally recognised human rights standards.
International cooperation (mutual legal assistance)
International cooperation should also go far beyond the prosecution of offences explicitly mentioned in the treaty.6 However, a limitation to the treaty only (and at best only to so-called "cyber-dependent crimes") would be urgently needed in order to create a clear framework for international cooperation and to minimise the risk of possible misuse of the convention to justify violations of the right to privacy, freedom of expression and freedom of association, for example.
Furthermore, the existence of dual criminality is not a mandatory requirement in all cases of international cooperation.7 The principle of dual criminality means that an act must be considered a criminal offence in both the requesting and the requested state in order for a request for international cooperation to be valid. This provides a certain degree of protection for individuals, particularly in the case of a treaty text as broadly applicable as the current one: It restricts the possibility that states can request cooperation for offences that are not generally considered punishable. In the context of states that have excessive legislation in areas such as extremism or blasphemy and thus persecute journalists, members of the opposition, minorities or other vulnerable groups, this is sometimes vital protection.
In addition, mandatory dual criminality also ensures greater clarity and predictability for the contracting states themselves with regard to their legal obligations and also promotes the effectiveness of the treaty itself.
Data protection
The provision on data protection in the chapter on international cooperation is also very rudimentary and urgently needs to be improved.8 This is particularly necessary in view of the extremely broad scope of application of the chapter on mutual legal assistance.
Above all, clear, unambiguous and effective standards for the protection of personal data must be included in the text in order to prevent data from being processed and passed on to other states in a way that violates the fundamental right to privacy. This includes a reference to internationally recognised data protection principles and international human rights standards in the text - none of this is currently included in the draft.
In particular, instead of a mere reference to "effective and appropriate safeguards ",9 it should be explicitly included in the treaty that
- the personal data is processed for compatible purposes
- be limited to what is relevant for the purposes of the processing
- retained only for as long as necessary for those purposes;
- the processing is subject to appropriate measures to ensure its accuracy and security;
- general information about the data processing is provided by public notice;
- and that effective supervision and legal remedies are available.
What happens next?
The current draft gives sufficient cause for concern. But all is not lost.
Informal talks between the state representatives will take place in Vienna in the week before Christmas and at the beginning of January. Civil society representatives will not have access to these. At the end of January, they will then return to New York for what is expected to be the final round of negotiations, which we will also be attending again. The aim is to finalise the text of the treaty and prepare a resolution for the UN General Assembly. At its meeting at the end of February, this body will vote on officially recognising the outcome of the negotiations as a United Nations treaty. Only then can the states officially sign the treaty and ratify it in accordance with national laws, i.e. actually commit themselves to the treaty. (By approval of the respective legislative body and confirmation by the head of state).
The number of ratifications required to bring the treaty into legal force is also still to be decided in New York. With 40 ratifications, the current draft is at the lower end of the member states' proposals, which would mean that it would enter into force more quickly.10
If there is still no agreement at the beginning of next year, there are two possibilities: either the existing rifts cannot yet be overcome and the negotiations are extended by a few months, or: the states cannot reach an agreement and the process fails.
In any case, we will continue to be actively involved and, together with a broad coalition of NGOs from the field of network policy, we will raise awareness of the dangers of the treaty in its current form at plenary sessions and other events.
After all, one thing must not be forgotten: Human rights also apply in the digital space. With the current status of the Cybercrime Convention, however, we run the risk of an international treaty being adopted under the flag of the United Nations that tramples on precisely these human rights and results in a pure "data collection treaty". This scenario would be a blatant contradiction of the founding principles of the United Nations and its Charter, which the states negotiating in Vienna and New York have also committed to upholding. It is high time they remember this and live up to their obligations.
Footnotes
1 Article 17 of the revised zero draft [Offences related to other international treaties]: „States Parties shall adopt such legislative and other measures as may be necessary to ensure that offences established in accordance with applicable international conventions and protocols also apply when committed through the use of [a computer system] [an information and communications technology device].“
2 Articles 6-10 of the revised Zero Draft: Unlawful access (to a computer system); Unlawful interception (unauthorised interception of non-public computer data transmissions to, from or within a computer system); Interference with computer data (unauthorised damaging, deleting, impairing, altering or suppressing of computer data); Interference with a computer system (unauthorised serious interference with the operation of a computer system by inputting, transmitting, damaging, deleting, interfering with, altering or suppressing computer data); misuse of devices.
3 Article 12 (c) of the revised zero draft: „Any deception as to factual circumstances made using [a computer system] [an information and communications technology device] that causes a person to do or omit to do anything which that person would not otherwise do or omit to do; […].“
4 Article 29 and 30 of the revised zero draft.
5 Article 28 (4) of the revised zero draft.
6 Article 35 of the revised zero draft.
7 Article 35 (2) of the revised zero draft.
8 Article 36 of the revised zero draft.
9 Article 36 (2) of the revised zero draft.
10 Article 64 of the revised zero draft.
Since you're here
… we have a small favour to ask. For articles like this, we analyse legal texts, assess official documents and read T&Cs (really!). We make sure that as many people as possible concern themselves with complicated legal and technical content and understand the enormous effects it has on their lives. We do this with the firm conviction that together we are stronger than all lobbyists, powerful decision makers and corporations. For all of this we need your support. Help us be a strong voice for civil society!
Become a supporter now!