In Defense of the UN Cybercrime Convention

In October, Lawfare published an article by Mailyn Fidler entitled “Procedure as Substance in the UN Cybercrime Convention.” The piece argued that although the UN Cybercrime Convention is substantively parallel to the Budapest Convention, the UN treaty functionally establishes a global mutual legal assistance treaty (MLAT) that would reshape criminal cooperation “writ large”—demanding attention by the U.S. and the international community. As a senior member of the U.S. delegation that negotiated the UN Cybercrime Convention, I read Fidler’s analysis of the convention with great interest. While she correctly characterized some parallels between the Budapest and UN instruments, several of her assertions require a response. 

First, Fidler points out that the jurisdictional article allows a state party to assert jurisdiction over crimes committed against a national of that party, and characterizes it as a dramatic expansion of authority. However, states routinely assert jurisdiction over criminals who victimize or defraud persons in their states even if the criminal never set foot in the victim’s state. They do so by treating acts of fraud or theft against a victim, or intrusions into a victim’s personal devices, as having occurred “in their territory.”

In addition, this discretionary exercise of jurisdiction is permitted by another provision in Article 22—common to long-standing UN treaties and the Budapest Convention—that authorizes states to exercise any criminal jurisdiction established by a state party in accord with its domestic law. Perhaps most importantly, paragraph 1 of the jurisdictional article makes it clear that it applies only to the 11 offenses established by the convention in Articles 7 to 17, such as illegal access, illegal interception, online child sexual abuse, and online fraud, rather than to any offense involving electronic evidence.

A second questionable point is Fidler’s assertion that the convention constitutes a “global MLAT” that reshapes international criminal cooperation “writ large.” This argument misstates the impact of the convention on cooperation under existing laws and treaties, and fails to acknowledge many of the unprecedented safeguards that are required by the convention.

First, the convention applies the full array of international cooperation measures only to the 11 offenses established by the convention. Critically, no state party is required to provide assistance unless the conduct is criminalized in both the requesting and requested parties. For assistance concerning other crimes not established by the convention—beyond obtaining or sharing electronic evidence, such as witness interviews or obtaining bank records—the requesting state must rely on other bilateral or multilateral treaties or domestic law of the requested state. Second, many countries, including the United States, can cooperate under domestic law without the existence of a treaty. Although Fidler maintains that the United States is “relatively stingy” with its MLATs, the United States has over 70 mutual legal assistance treaty or agreement relationships with foreign partners, including with Russia and China.

Significantly, Articles 40 and 60 of the UN Cybercrime Convention preserve the right of states parties to continue to apply their bilateral and multilateral treaties that cover subjects such as mutual legal assistance and cybercrime. Also, by virtue of the UN treaties on narcotics, organized crime, and corruption, the United States currently has approximately 190 treaty relationships for mutual legal assistance with respect to those crimes. Such is the nature of UN crime treaties that address global crime problems—they are open to all UN member states. Those treaties will continue to be used as a legal basis for cooperation regardless of how many parties join the UN Cybercrime Convention.

Fidler is correct that the negotiations could have limited mutual legal assistance to the 11 crimes established by the convention. That was the original position of several delegations, but most delegations insisted on a broader mandate to authorize sharing of electronic evidence for serious offenses. Because electronic evidence of a crime can be located anywhere, the convention would have been considerably weakened as a mechanism for protecting and achieving justice for victims if there were no way to request and obtain electronic evidence. As some delegates stated during the negotiations, it would be difficult to explain to prosecutors who need digital evidence in a murder case why relevant texts or emails stored in the territory of another state party to the convention are not available. There was simply no way to reach consensus while excluding international cooperation to obtain digital evidence for serious crimes.

I also note that the Budapest Convention, often referred to as the “gold standard,” authorizes sharing of electronic evidence for any “criminal offense,” and not simply serious offenses. Many states that are not parties to Budapest raised this fact repeatedly when arguing for broader international cooperation, which ultimately led to agreement on the sharing of electronic evidence for serious crimes.

Finally, Fidler points to the opposition to the convention by some civil society groups, which have argued that some countries might use the treaty to violate human rights, noting the increasing influence of illiberal countries such as Russia and China on global governance. The negotiators were well aware of these concerns. As a result, the convention contains numerous human rights protections unprecedented in other UN crime conventions:

• Expressly prohibiting parties from using the convention to suppress human rights or fundamental freedoms—including the rights related to freedoms of expression, conscience, opinion, religion or belief, peaceful assembly, and association; thus, requests for evidence that would lead to such suppression must be denied.    
• Requiring states to apply the procedural powers set forth in the convention proportionately and subject to safeguards, including judicial or other independent review, grounds justifying application of the power or procedure, the right to an effective remedy, and limitation of the scope and the duration of such power or procedure. Significantly, all of these safeguards apply when the procedural powers are used for international cooperation.
• Establishing that states asked to provide assistance under the convention can deny assistance if the state has substantial grounds for believing the request has been made for the purpose of prosecuting or punishing a person on account of that person’s sex, race, language, religion, nationality, ethnic origin, or political opinions, or if compliance with the request would cause prejudice to that person’s position for any one of these reasons. 
  

Moreover, as noted above, states can decline requests for assistance if no dual criminality exists, as with other UN crime conventions, as well as other customary grounds for refusal, including prejudice to sovereignty, security, ordre public, or other essential interests.

***

No treaty can guarantee that states will abide by treaty provisions and protect human rights, just as there is no guarantee that states will fulfill their domestic legal obligations to their citizens and residents. The UN Cybercrime Convention, however, provides for a body—a Conference of the States Parties—to oversee implementation, including to criticize abuse of the treaty’s provisions when necessary. Accountability hinges on states that care about the rule of law and human rights taking a leadership role in the implementation of the treaty, the Conference of the States Parties, and its subsidiary bodies. Those states should also lead the effort to provide technical assistance, so that capacity-building efforts emphasize the human rights provisions. It is only by this approach that like-minded states can join together to hold accountable those who might try to abuse the powers authorized by the treaty.