A planned UN treaty is aimed at improving global action to fight cybercrime — but there are concerns from rights groups about overreach.
The UN has hit the halfway mark in the negotiating process for its cybercrime treaty, with a fourth negotiating session scheduled for later this month.
The catchily-named Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes first met last February and aims to finalize its text by early next year.
It's likely to cover international cooperation, access to potential digital evidence by law enforcement authorities — including across borders — along with human rights and procedural safeguards.
And it will build on the existing Budapest Convention, adopted by 67 countries, which aimed to deal with cybercrimes such as illegal access to a computer system, fraud and forgery, and illegal data interception by harmonizing national law and enabling international cooperation. However, there are significant concerns.
What is cybercrime?
For a start, there's no clear consensus on what actually constitutes cybercrime. While there's agreement that activities such as illegally gaining access to, intercepting, or interfering with computer data and systems are covered, many states wish to go further by including 'cyber-enabled' crimes.
This would cover instances where information and communication technologies played a significant role in facilitating crimes such as fraud, forgery, or child sexual abuse — not exactly a rare occurrence.
Meanwhile, many proposed elements of the treaty fail to include intent, meaning that even non-malicious behavior could be criminalized.
"We’ve maintained that cybercrimes should be understood as those that specifically target computer systems, and that the treaty should require fraudulent intent on the part of the accused person," say Katitza Rodruiguez and Karen Gullo of the Electronic Frontier Foundation (EFF).
Otherwise, they say, "Such laws can potentially be used against anyone who did something with a computer that someone else didn’t like, even with no intent to cause any harm, and are often abused to punish security researchers or journalists."
Next, there have been efforts from some states to introduce content-related offenses. These include ‘incitement to subversive activities and extremism,’ ‘incitement and justification of terrorism,’ ‘engagement of or coercion to suicide,’ ‘sexual extortion and non-consensual sharing of intimate images,’ and even copyright violation.
Provisions against incitement to terrorism are supported by, amongst others, China, Russia, India, Turkey, and Syria; against disinformation by China, Indonesia, and India; and against hate speech by Pakistan, Kuwait, and China.
And, points out Human Rights Watch, "Vaguely worded cybercrime laws purporting to combat misinformation and online support for or glorification of terrorism and violent extremism have been misused to violate freedom of expression, target dissenters, and put them in danger."
Similarly, there are concerns that proposed investigative powers could permit dangerous police surveillance practices across participating states.
"The concern is that, in order to address law enforcement’s jurisdictional problems, the substantive law will become weakened, giving law enforcement too-quick access with too-little due process," notes the US Security Council’s Counter-Terrorism Committee Executive Directorate in a research paper.
"The trend towards universalization, in other words, could lead to a lowest common denominator in terms of due process."
Rights organizations call for safeguards
Privacy and human rights organizations are calling on states to address all these areas, establishing the need for intent and making sure that laws don’t lead to prosecuting whistleblowers, activists, and journalists.
New investigative powers should only be available for bona fide investigations of crimes covered by the treaty and, by default, people should be able to learn if their data was handed over. Gag orders should be imposed only when disclosure would pose a demonstrable threat to an ongoing investigation.
Where interception and real-time collection of data are authorized, it should be made clear that this doesn't mean hacking into networks and end devices; and indiscriminate or indefinite retention of metadata should not be permitted.
"All new powers should come with matching human rights safeguards — with teeth," the EFF says.
More from Cybernews:
Subscribe to our newsletter