https://unu.edu/cpr/blog-post/understanding-uns-new-international-treaty... In 2022, the Government of Costa Rica declared a national emergency after a ransomware attack brought 27 government bodies offline, disrupting everyday functions for months. In 2023, an employee of a multinational corporation in Hong Kong transferred $25.6 million after being instructed to do so during a Zoom call with colleagues he recognized. The other attendees, however, were deepfakes, and the money was sent to sham accounts. The frequency, sophistication, and costliness of cybercrimes have continued to increase in recent years, and they are becoming notoriously difficult to counter. International consensus and cooperation are becoming more critical to address the rapidly evolving risks these crimes pose to States, businesses, and individuals. In 2021, the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes held its first organizational session, with the ultimate goal of drafting a convention to address cybercrime ("the Convention"). However, defining the precise purpose and scope of such a convention is fraught with complexities; balancing the need for effective law enforcement with the protection of privacy and human rights remains a significant challenge. After three years of negotiation, this group will hold its reconvened concluding session from 29 July to 9 August 2024. During this session, it is expected to reach an agreement on the final text of the Convention; the most recent draft was released on 23 May 2024. The text of the Convention may change significantly during the upcoming negotiations. This primer addresses some key aspects and debates related to the current text. They can be summarized as follows: There is no international consensus on what constitutes a cybercrime, and the current draft of the Convention does not provide an explicit definition. Cybercrime is used as an umbrella term for a range of online activity with two broad categories: cyber-enabled and cyber-dependent crimes. Much traditional criminal activity is conducted online but doesn’t require the use of a computer. These are called cyber-enabled crimes. Examples include drug and weapons trafficking, identity theft, fraud, and incitement of violence. Cyber-dependent crimes, on the other hand, are crimes that can be committed only through the use of Information and Communication Technology (ICT) devices. You can’t spread malware if there’s no computer or network to infect. Negotiations on Scope Throughout its negotiations, parties have disagreed if this Convention should address crimes that can be committed only through the use of computers or networks, or also cover other crimes if committed through the use of an ICT. In the case of the former, the treaty would define and criminalize a range of cyber-dependent crimes and provide procedural measures through which States would cooperatively investigate and enforce those activities. Some States that align with this vision—including New Zealand, Canada, and the United States—have suggested that specified cyber-enabled crimes may also be within the scope of the treaty if they have exploded in scale through the use of ICTs, such as digital fraud and the dissemination of child sexual abuse material. On the other side of the debate, States including Russia and China expect the Convention to address a wide range of criminal activities conducted using ICTs (cyber-enabled) in addition to cyber-dependent crimes. India, China, and Indonesia were among States that proposed the Convention criminalize the dissemination of disinformation or “harmful information.” Russia’s 2021 submission enumerated 24 unlawful acts to be established under the Convention, including narcotics trafficking, coercion to suicide, and “extremism-related offences.” Human and digital rights organizations have opposed the latter vision, warning of the serious threats to human rights that a broad scope poses, especially without adequate safeguards and protections in place. A wide scope, either through defined cyber-enabled crimes or through vague language, risks criminalizing content and activities, including political dissent, independent journalism, and LGBTQ+ resources. Investigating crimes committed via ICTs can be a highly invasive process and can be used to justify vast surveillance. Digital rights organizations and UN bodies, including the Office of the High Commissioner for Human Rights, have raised concern over how domestic cybercrime laws are often used to justify restricting freedoms of speech, assembly, and association. There are legitimate reasons for capacity development and international cooperation in investigating crimes committed through ICTs. However, human rights advocates emphasize that a narrow scope, clear limitations, and explicit safeguards for human rights are necessary to prevent infringement of privacy, excessive information collection, criminalization of legitimate online speech, and the undermining of transparency and trust in digital communications. However, human rights advocates emphasize that a narrow scope, clear limitations and explicit safeguards for human rights are necessary to prevent infringement of privacy, excessive information collection, criminalization of legitimate online speech, and the undermining of transparency and trust in digital communications. Scope of the Current Draft: Criminalization, Enforcement, and Cooperation Article 3 of the most recent draft defines the Convention’s scope in two parts. First, the text addresses “the prevention, investigation and prosecution” of activities criminalized in the Convention (Articles 7–17), which are: Illegal access to an ICT system; Illegal interception of electronic data; Interference with electronic data or an ICT system; Misuse of devices for the above purposes; Forgery, theft, or fraud related to an ICT system; Solicitation, production, distribution, or possession of child sexual abuse material through ICTs; Dissemination of intimate images without consent of the subject through ICTs; and Laundering of proceeds of any of the above crimes. Article 3(b) broadens the scope to include the collection and preservation of a range of electronic data related to “other criminal offenses”—including domestic crimes—committed through an ICT (Article 23), and wide international cooperation in collecting and sharing evidence (Article 35). This means that the robust investigative powers States are obligated to develop under the Convention may be exercised for almost any reason, so long as the targeted activity is illegal under a State’s domestic law. Procedural measures and enforcement to which this scope applies include empowering State authorities to order, collect, or obtain: The preservation of traffic data, content data, and subscriber information; Specified electronic data stored within its territory; The assistance of service providers or other entities in control of the data in search and seizure; Collection of real-time traffic data; and Interception of content data. This means that the robust investigative powers States are obligated to develop under the Convention may be exercised for almost any reason, so long as the targeted activity is illegal under a State’s domestic law. Provisions in the procedural scope obligate States to compel service providers to keep their mandatory involvement with the preservation or collection of data confidential. In theory, this means that the Convention empowers and legitimizes States to conduct vast levels of potentially invasive surveillance for any activity deemed illegal under their domestic law, including through forced assistance of service providers in procedures that evade transparency or oversight. The definition of “electronic data”—which is subject to preservation, production, and search and seizure—includes all data, whether or not it has been communicated. Documents and notes saved on personal devices are therefore subject to production and seizure from authorities. That this collection applies to domestic laws means that digital surveillance could be conducted to investigate activity protected throughout much of the world. For example, LGBTQ+ people could be targeted in the 64 UN Member States in which homosexuality is illegal (this number is based on 2023 data). It’s important to remember that States could conduct similar digital investigations in their territory without this Convention; the treaty requires States to pass legislation in their respective countries that could come into effect without international obligation. The Convention would, however, require the global development of these systems. Furthermore, the Convention would obligate international cooperation on a range of digital investigations and prosecutions. There are practical benefits to this. States have legitimate authority to collect evidence related to criminal investigations and prosecutions, but many lack the infrastructure and procedural systems to do so with digital data. This Convention would motivate them to develop infrastructure and procedures, and provisions in the text provide for technological assistance to be made available for developing States. Article 35 defines the scope of international cooperation on the “collection, obtaining, preserving and sharing of evidence in electronic form.” Related provisions in the current draft require “the widest measure of mutual legal assistance” for investigations and prosecutions of crimes established in the Convention, as well as for “serious crimes” committed using an ICT. Requiring that these investigations be motivated by serious crimes (or an activity criminalized in the Convention) is also a limitation applied to the collection of content data. A serious crime is defined in the text as a crime for which the applicable domestic penalty carries a maximum sentence of four years imprisonment or more. Therefore, a State could reasonably increase the sentence for any crime it wants covered by the Convention, thereby making the offense “serious.” Safeguards and Limitations Parallel with debates over scope, States have had wide disagreements over the extent to which the Convention should articulate safeguards for human rights. While the draft text contains human rights provisions, many organizations argue they are insufficient to meaningfully prevent human rights violations. Article 6 provides safeguards that apply to the entirety of the Convention, and Article 24 describes those that apply to domestic surveillance powers. Neither provision specifically references existing human rights treaties; they require States’ implementation of the treaty to be “consistent with their obligations” under international human rights law. Article 6 also includes an additional safeguard, adopted from a proposal from Canada, which asserts that States cannot interpret anything in the Convention as “permitting suppression of human rights or fundamental freedoms.” Article 24 upholds that the implementation of surveillance powers is subject to safeguards provided for under each State’s domestic law. Unfortunately, the limitations that are necessary to ensure human rights are absent in many domestic legal systems. The Article also maintains that these powers incorporate the principle of proportionality. It does not, however, require accordance with other key principles, including legality, non-discrimination, legitimate purpose, and necessity.
What is a "Cybercrime?"
Understanding the UN’s New International Treaty To Fight Cybercrime
Full Text Sharing
Date Published
30 Jul 2024
Author
Charlie Plumb