Lawfare Daily: Nick Ashton-Hart on the UN Cybercrime Convention

Eugenia Lostri, Nick Ashton-Hart, Jen Patja
Wednesday, September 11, 2024, 8:00 AM
Discussing the criticism facing the first UN cybercrime treaty.

Published by The Lawfare Institute in Cooperation With Brookings

On Aug. 8, the international community concluded its final negotiations at the United Nations over an international cybercrime treaty. The negotiation—a Russian proposal—was intended to harmonize global efforts to combat transnational cybercrime. However, the treaty has come under intense criticism from civil society, human rights advocates, and industry. 

Lawfare Fellow in Technology Policy and Law Eugenia Lostri sits down with Nick Ashton-Hart, Senior Director for Digital Economy Policy for APCO Worldwide. Ashton-Hart is the former head of delegation to the UN cybercrime treaty negotiations for the Cybersecurity Tech Accord. They discuss the different concerns the treaty raises, how it compares to alternatives for law enforcement cooperation, and what comes next, as the treaty goes to a vote before the UN General Assembly.


Please note that the transcript was auto-generated and may contain errors.

Transcript

[Intro]

Nick Ashton-Hart: We said, quite naturally, all of the data you need is in private sector hands. And if you adopt something that the private sector is telling you is actively harmful, how much cooperation should you really expect will happen if they're telling you in detail that the convention will actually make things worse?

Eugenia Lostri: It's the Lawfare Podcast. I'm Eugenia Lostri, Lawfare's Fellow in Technology Policy and Law, with Nick Ashton-Hart, Senior Director for Digital Economy Policy for APCO Worldwide, and former Cybersecurity Tech Accord Head of Delegation to the cybercrime negotiations in the UN.

Nick Ashton-Hart: It's really a secret data access system in 2024 under the banner of the United Nations, which we just felt was an outrageous, outrageously inappropriate thing for the UN to be agreeing to.

Eugenia Lostri: Today, we're talking about the recently concluded negotiations for the controversial UN Cybercrime Convention.

[Main Podcast]

Nick, could you maybe get us started with a brief history of the negotiations? And I think it would also be interesting if you could describe how you've been involved so we can understand through what lens you've been following and assessing them.

Nick Ashton-Hart: Sure. So the short story of this is the Russian Federation in the months before the, like literally two months before the invasion of Ukraine, persuaded the UN General Assembly to adopt the starting gun for the negotiation by, not by consensus of a convention on cybercrime. And it won that vote by only 10 votes, so it was a bare majority that agreed to do this. No one believes it would have passed if it had been done two months later or three months later. With the argument that the Budapest Convention on Cybercrime, despite having parties that were not European from all world regions, wasn't representative of the UN member states interests. They needed their own convention. And so they adopted a unique procedure, that this would not be done in Geneva, it would be done between New York and Vienna. Normally, crime conventions are always negotiated by consensus and in Vienna, because that's where the expertise in criminal justice matters actually exists.

But this was a deliberate choice. The Russians actually wanted the entire thing negotiated in New York, which is a far more political environment, subject to all kinds of horse trading between delegations across unrelated issues. But they couldn't get that through, so it became, it went between the two. And it's, it bears emphasizing this non-consensus element. They agreed these rules of procedure that they would do everything they could by consensus, but if they had to vote, they could vote with any measure requiring 60 percent of the states to be successful. And in the end, just before the adoption by consensus, there were several votes by the Iranian delegation. So, that's a real departure. International law is not, with one exception, is always done by consensus, and so this is a very big deal that this precedent not only was agreed to but produced an outcome. And the timeline that they adopted was also very short because it was supposed to be finished in six sessions of two weeks each, three in 2022 and 2023. And of course, in the end it took seven. One, with the seventh session being actually two two-week sessions, split in two because they couldn't agree in the session that ended this February.

Eugenia Lostri: So that actually, for someone who might not be deeply familiar with negotiations, that doesn't sound like a short period of time, right? But what is, how does that compare to other treaty negotiations? What is the kind of average timeline that, that you handle?

Nick Ashton-Hart: It's difficult to say because there are few crime conventions. International crime conventions are a rare thing. There's the UN Transboundary Organized Crime Convention; that took quite a few years to negotiate. The Convention on Corruption, I think, took more time than this one did, even though that's a very specific narrow tailored instrument that everybody agreed on. Like there wasn't, the cybercrime convention, they never really agreed on what they were covering. Corruption, they knew. Like, everyone knew we are covering this specific thing, and so, that took longer even than this convention is. And UNTOC took longer still, I think was sort of six years of negotiating time - something like that, I'm not sure. So yeah, I know the idea that you take an agreement takes years to negotiate sounds weird to anyone who doesn't negotiate UN agreements. Getting 194 countries to have the same view on a thing is hard, especially when they're going to agree to be legally bound by it. So it's difficult to get to that level of agreement in a short period of time. Because you have to do other things in international relations. You can't just do this.

Eugenia Lostri: Right. Now, you were the head of delegation to the negotiations for the Cybersecurity Tech Accord. What does that mean? What is, kind of, the perspective that you were bringing to the table?

Nick Ashton-Hart: The Tech Accord is 158 signatory companies now, and its purpose is really to focus on increasing actual cybersecurity at the international level. So we work a lot with the processes in the UN's first committee on cybersecurity. And so we come at this from a specific angle, which is the convention should not do anything that actually makes the internet less secure because, aside from other negative impacts of that, it actually makes it easier for cyber criminals to break into systems. So we started from the premise of that the convention should make the internet more secure through not undermining legitimate cyber security functions, but also obviously in resulting in more people who break into systems with ill intent being caught and prosecuted for it.

And so that, that was the sort of center of our argumentation throughout the negotiations. And of course, we were a part of a coalition of industry working collaboratively with the International Chamber of Commerce. Microsoft was there in its individual capacity, but also a Tech Accord member and the U.S. Council for International Business. But it was a small, it was a small group, broadly, very broadly representative. We were 100, almost 160 members and the International Chamber of Commerce is millions of companies. So yeah, your job is basically to go there and make the case for provisions that produce the positive benefits that your members are looking for, which this convention did not produce. Produced the opposite of that.

Eugenia Lostri: Yeah, and we're gonna get to that. But before it, just in terms of the process as well, you mentioned before, but I want to go a little bit deeper on that; the negotiations concluded early August, I think, August 8th.

Nick Ashton-Hart: They adopted the thing on the 8th.

Eugenia Lostri: Okay. But as you mentioned, that was not really intended to be the final date. The official, let's call it official, concluding session was supposed to be late January, early February, right?

Nick Ashton-Hart: Well, yeah, and ideally they wanted to be finished with the sixth session. That was the original intention.

 

Eugenia Lostri: Okay.

Nick Ashton-Hart: To be finished at the end, you know, in 2023. Yeah. There was always this, okay, but we could hold an extra meeting if we needed to.

Eugenia Lostri: And instead we get two extra meetings. We get the concluding session and then the additional, or if reconvened-

Nick Ashton-Hart: The resumed concluding session.

Eugenia Lostri: Yes, the resumed concluding session.

Nick Ashton-Hart: It's this thing the UN does when you can't agree, you stop the clock and say, well, we're just going to stop the clock and we're going to come back and restart the clock later.

Eugenia Lostri: Months later. So, so tell us a little bit about what happened in that kind of concluding session that made the UN have to stop the clock and, what is different now in August that allowed them to adopt the text?

Nick Ashton-Hart: I think part of it was, candidly, the fact that all of civil society and industry was saying to all of them, across the board, this is not fit for purpose, and you should not adopt it in this state. This was, even for countries who thought it was good enough, they were concerned by that because we said, quite naturally, all of the data you need is in private sector hands. And if you adopt something that the private sector is telling you is actively harmful, how much cooperation should you really expect will happen if they're telling you in detail that the convention will actually make things worse? I think that combination of voices really made a difference.

Also, in capitals, there was increasing criticism from legislators. I know in Europe, MEPs were contacting the Commission. And a number of quite small developing countries all sent this text to capitals, and they said, well, this is just bad. This is just not a good agreement. It's not even necessarily internally consistent in every place. And so the legal advisors to a lot of mission, a lot of the delegations told their delegates, look, you don't adopt this now. We need a lot more time to actually evaluate how this will apply in our national legal system. So it was a combination of those things and some of the major, and it was clear there were major issues with the text in several key articles that were not going to be resolved in the amount of time that they had left. So they said, well, we'll just stop the clock and come back later.

Eugenia Lostri: So was there a massive alteration of the text between February and August that explains?

Nick Ashton-Hart: Not a massive one, but the chair basically decided I'm going to pick, I'm going to pick what I think what the member states will bear, I'm going to put in these key safeguards that developed economies have said are absolutely essential, and I think most member states are more in that camp than they are in the other camp. And she was right. As it turned out she was right. In fact, the voting at the end made clear what we had said to the like-minded democratic states and friends all along is that there was actually a super majority for much stronger protections than they all agreed to in the end, so the treaty could have been much less of something that, well, what it is now, which is actively harmful, but, you know, what can you do?

Eugenia Lostri: So as we dive into the actual text, maybe you could outline what were the main areas of concern throughout the negotiations, and maybe what are the sticking points that remain at the end?

Nick Ashton-Hart: The main issues are, and always were, that the objective was supposed to be the addressing of cybercrime, which is specific acts in relation to computer systems, cyber-dependent offenses is what they were called. But there were many states who wanted to cover every crime, and there were states who even wanted misdemeanors to be covered. And we literally had to explain, well, you can't cover misdemeanors and civil actions, and things that are unlawful but not criminal, because the state has no role in, in applying those laws. That's you hire a lawyer and you go to court for those acts. So there's no international cooperation available to you. Like no one's going to do that. So you can't include that stuff. It was actually quite difficult to persuade countries of this. And so, there was a long, long, long list of crimes related to content online, which there was no majority for that. They got rid of those things.

But the interesting thing is the proponents of a very broad convention basically got what they wanted in the end because of this provision, which says, well, you can cooperate on any serious crime, which is defined as more than four years of incarceration, which is in some countries that is, criticizing the government, being part of a minority group. All kinds of things which are not illegal, in fact, are protected in other parts of the world. And the other issue we came up against was that states didn't really understand that the Budapest Convention is not just the text of the convention itself. But it's also the explanatory report, which explains how in a rule of law-based environment, those obligations should be understood. And in just one key example, I'll give you this, is this concept that the treaty is concerned with acts which are done without right, with intent, of any kind of intent, you can be intending things that are not harmful and that you don't have a right to do them. And even at the time Budapest was agreed, the explanatory report made clear things like journalists receiving information that was extracted from a secure system to report on current events by a whistleblower was in the public interest and it should not be prosecuted. Journalists should not be prosecuted because they were doing something that was otherwise infringing.

And security research is the same thing. There are security researchers who simply try to break into systems because they want to see if they can do it, and then they turn over any defects they find in that system to the vendor. They're not interested in, they're not trying to do anything malicious. But the convention as it's written would criminalize all those things because the member states of Budapest didn't propose any of that limiting language for inclusion in this convention or in any explanatory report to it, and they took this view that it doesn't matter, we know what we mean, and no one is going to, we can't change anyone's legal system, countries are going to do whatever they're going to do, and we don't need a criminal intent standard for the criminalization chapter which, when you think about it, is fairly bizarre, that you have a chapter listing a whole set of crimes, and none of them require an intent, a malicious intent.

Eugenia Lostri: It does sound a little bit counterintuitive.

Nick Ashton-Hart: We said to delegations, I think in 2024, this will be a little hard for, to be swallowed by the public, really. Like that will be a little hard for people to understand. Yes. It was a little odd in 2020, in 2001, frankly when Budapest was agreed, but it's even more odd now. And that, the concept, the days when you can share the personal information of people, most of whom are never, are not guilty of a crime. Many people who are part of a criminal investigation are witnesses or are believed to be witnesses or people of interest because they may know something about a crime that happened in a given place. Those people who are never charged with a crime have a right to know that their personal information is being passed to law enforcement officials in other countries. That they're the subject of an investigation by a foreign power. And this treaty is blind to that. And we said, all of us, from early on, you can't sell this in 2024. The idea that sharing a person's data across the world in permanent secrecy is legitimate cannot be borne. It's just not, that's just not true anymore. I don't know that was ever very true, but it's not true now. And the attitude of countries was, well, Budapest doesn't require transparency, so why should we? And we said, because it's 2024. It's not 2001. And if you negotiated this convention now, you would not be doing this in Europe. If you negotiate a European convention, and we know this to be true because the second additional protocol to Budapest actually deals with this lack in requiring all kinds of safeguards on the use of personal information in judicial cooperation.

And so we know, since that was only recently finished, we know, even in the Budapest environment, all the secrecy is not the case anymore. But there's a lot of states who don't really want, they don't want to tell anyone what they're doing, their police forces are doing. They don't even allow providers to object to a request. You simply must provide it. India is an interesting example of this where, in India, a judge does not need to sign off on a request by a detective for personal information, a detective can simply write to a provider and say, you have to give me X, Y, and Z information. And, if you don't, individual people can be arrested and charged with being an accessory to the crime that's being investigated because they failed to turn over information when in much of the world, that would be, there's no way. You couldn't even, a policeman who tried to get information from a provider directly would be told, go get a warrant. Like, are you crazy? You can't come here with that. There's no way, but there's a lot of the world which doesn't work that way.

And unfortunately, too many of the negotiators from developed country, high rule of law countries, took the view that because they wouldn't abuse the convention this way, safeguards weren't really needed. There was no way for them to impose that upon the countries who want to behave differently, despite the fact that those very same countries will tell you, there's many countries in the room we don't ever share data with because they don't have a rule of law-based approach to individual rights and we're not going to provide information on our citizens up to a legal system, which we don't believe will treat it with it in a way that is compatible with their home jurisdiction. So it was a very strange, not logical sort of mindset that we were confronted with. And then, as I said this very great difference of view where some states wanted only these very cyber-dependent crimes and other states wanted any crime of any kind, like my, one of my interventions actually said the scope of this is such that two people talking on a mobile phone about committing a robbery of a shop, a physical shop, would be considered a cybercrime under this convention because they used a modern mobile device that has integrated circuits, right? Which is, that's not cybercrime.

Eugenia Lostri: That’s not what I would call cybercrime, yes.

Nick Ashton-Hart: Yeah, that's a ridiculous definition. But if you look at the title of the treaty you can see this problem because the title probably wins a world record for the longest title of any convention or the international legal instrument ever adopted. And it's because they literally couldn't agree! The only way that they could agree on a title was to say all of this, long.

Eugenia Lostri: Can you read the title for our listeners just to get a sense of what we're talking about?

Nick Ashton-Hart: Yes, it is: United Nations Convention Against Cybercrime, Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology System, and for the Sharing of Evidence in Electronic Form of Serious Crimes. Like, everyone is now asleep.

Eugenia Lostri: That’s a record.

Nick Ashton-Hart: Like halfway through that you fell asleep.

Eugenia Lostri: I have to admit, I dozed off. I could not follow all of that. But I want to go back to the example that you mentioned just now about the risk of, you know, law enforcement requests not being signed off by a judge at the risk of imprisonment to employees of a company, because this is something that we've heard about. And I'm interested in your perspective between the difference on the, you know, the actual text of the law, the application of it. We've heard, for example, in one of Microsoft's committee hearings, Congress hearings that, when they get such requests, they might just ignore them and they have a certain kind of soft power that comes with, you can't really force us, and it's worse for you if, you try to compel us to do these things. Is that accurate in your, from your perspective, or is this risk more serious than maybe we're led to believe?

Nick Ashton-Hart: I think that the risk is more serious because of the other provisions of the convention. The most famous provision that people look at has been Article 28.4, which basically says that every state who joins this convention should create in their national law the power for them to compel individual people who have knowledge of how to access secure systems to be able to pick them up and force them to open those systems to law enforcement persons. So if you're like a holidaying IT person for a cloud service provider, say, or that, that's like a private sector person, or even if you are an IT person for a defense ministry or a foreign ministry, this allows a country that wants the, wants access to the systems that you have access to, to invent a crime that they say you were part of the commission of, and which your personal devices have data in relation to, and ask a country you're holidaying in to pick you up, and force you to open these secure systems. And again, this can all be done in permanent secrecy.

Now, at some point they have to let you out and you would then tell your employer, by the way, I was literally forced, perhaps quite literally at gunpoint. But I was forced to open our systems, we now have a security breach and there's some gap of time between when you were, when your access was forced and when it was closed. And then the system owner has to try and find out if any malicious code was inserted, if trade secrets were extracted, all kinds of negative effects and there's no recourse here. The system owner does not need to be notified. The request doesn't have to go to the system owner in the first place. And we continually said to countries, this is a bigger danger to yours, your national security as it is to corporate systems, because not only can they do this to government employees on holiday, for example, but other provisions of the treaty allow for the real time interception of people's traffic data, the data that they're receiving over networks and of their location information.

So traveling officials can be surveilled without their knowledge, because you can make a request about an identifier, like, somebody's IMEI number in their mobile device, the unique number that every mobile has. You can say, okay, well, I know this, I don't know who it is, but this IMEI number, I know this phone was involved in the commission of a crime in my country, and so I need to know if it's on your network, where is this person at? And I want access to the data that's being shared by that phone. Again, this could happen to government officials or it can happen to IT people or anyone without anyone ever being wiser. That one, you would not necessarily ever know, that your data was intercepted. How would you know? And so if you're a company, imagine you're a mobile service operator and you come to know, well, this IMEI number is roaming because IMEI numbers are in a single data, is in a database that all providers have access to, that’s the way you can, that's how you roam on foreign networks. So it's not hard to find out who, okay, well, this is an Italian mobile and it's this guy. But even if your provider becomes aware of the fact that something’s wrong with this request. This person seems to be a government official traveling, for example, or a very famous CEO of a firm or something. The convention doesn't allow any provider to raise an objection. So if the company, if the country who wants access that they shouldn't have, they want to abuse the convention, they just have to pick a jurisdiction which has weak enough rule of law safeguards. And they just have to be big enough that the country will, even if they may have some doubts about it, will say yes, because it's not worth irritating the requesting state.

And that's, there's a lot of countries where that could be the case. We can all imagine who the requesting states could be and who the requested states could be in that picture in the developing world, for example. And so, there was just no willingness to even consider any transparency here, any ability of providers to raise an issue, even if they were being asked to break the law in another jurisdiction. Say it's a European national who they know, come to know is traveling, and that request should really not go to the place they're traveling. It should go to the jurisdiction where they live. Even in those situations, there's no ability for providers to even raise a question. And so it's really a secret data access system, in 2024, under the banner of the United Nations, which we just felt was an outrageous, outrageously inappropriate thing for the UN to be agreeing to.

Eugenia Lostri: So another criticism that was leveraged against the convention is the lack of sufficiently strong human rights protections, right? We have Article 6, I believe, that is about ensuring the implementation of obligations under this convention is consistent with international human rights law, but I believe what I've read is the main criticism is, it doesn't require the adoption of a particular instrument in order to consider that you will be sufficiently protective of human rights. Is that accurate?

Nick Ashton-Hart: Yes, yes. And it's interesting. So this is another thing that happened with this being so rushed. So if you read, reading that Article 6 and Article 6.2 in particular, so there's, in 1, in 6.1 as you say, there is no specific reference to the universal, to any of the universal agreements or basically universal agreements. And so in 2, it says nothing in this convention shall be interpreted as permitting suppression of human rights or fundamental freedoms. This is an example of how, when you're rushed, you don't consider things enough. So, what is suppression? In English, that term means completely removed, basically. It doesn't mean impaired in some way. And so we went to delegates and said, okay, so this is a nice thing, no suppression of fundamental human rights or freedoms and these various rights. However, what if it's just impairing one of those rights? Is that covered? And some of them said, well, yes, that should be covered too. And others said, well, we don't think it is, but maybe it's fine.

Well, maybe it's not good, really. We don't really, maybe it's not the standard that we should be aiming for here. But the attitude was, well, we can't ask for any more than this because the other side already wants to get rid of this altogether. And the other thing that's particularly interesting about this is the safeguards article was a huge fight, Article 24. There's a huge fight about this. And it's largely copied from Budapest. Except then it's weakened, and it only applies to that chapter, not to the convention as a whole. And so, it's not really a safeguard for the convention. It’s a safeguard-

Eugenia Lostri: Which chapter is that?

Nick Ashton-Hart: To the procedural measures chapter. But it is not applicable to the international cooperation chapter, where the states are actually doing the cooperating. And we said repeatedly no, no, no, no, no, the safeguards have to apply to the whole convention, not just to a piece of it. Well, they wouldn't agree to that. So, not only do you not have safeguards on the International Cooperation Chapter, which is astounding, and Budapest is not like this. Article 24.2 is what provides for procedural law safeguards, which are fundamentally important in a criminal justice context, because this is where you get, you know, the right of review, the right of a remedy, you have to justify the application of the law in that circumstance, to a third party like a judge and so forth.

Well, that is entirely subject to the domestic law of each state party. So a state party can make all of this pretty much as optional as they would like, and being in congruence, and the treaty applies properly, quote unquote. And we said repeatedly that this is wrong. It should not be optional. It should not be just a chapter and it should not be optional. And we heard even from developed member states who should know better, like major democracies, well, but things normally in treaties are subject to domestic law. You have to implement things in domestic law. And I had to literally explain to people who are lawyers, I'm like, no guys, there's a difference between implementing something in domestic law and making an obligation subject to domestic law. That's the opposite. This is not the same concept. And disturbingly, even large democratic states did not get that until I repeatedly drew attention to it and then wouldn't do anything to fix it. They said, well, the other side won't agree.

Eugenia Lostri: So this is something that you've mentioned a couple of times now, that in the context of the negotiations, when you bring up some of the concerns, the response is, well, the other side wouldn't agree to this, or this is as far as we can go. So, I think I've written this and I've heard of others who have written this. It's like, well, then maybe no convention is better than this convention. Right? If we are not going to get the sufficient protections because the other side doesn't agree, then what really is the case for compromising and reaching that point? So I guess what I'm asking is what is the positive case for the convention? Right? Like why even get something that doesn't have those minimum standards? You can't just say, well, we're hoping that no one will abuse it and hope that sticks.

Nick Ashton-Hart: Yeah, we repeatedly said the idea that you can have permanently secret data transfers and that countries who engage in that are going to apply any safeguards of any kind is not serious. It's not credible. It's not believable, by anyone. The attitude was, well, there's a lot of developing countries who genuinely want to cooperate on cybercrime, which is a true statement. There are many countries who are not part of the Budapest Convention who don't get the cooperation they would like on bona fide criminal acts.

And so the, there was this pressure, on Western states in particular, to go along with this because so many developing countries wanted it. Those who have the data should be sensitive to being good multilateralists, quote unquote, many times we have to be good multilateralists. And we repeatedly pushed back and said, but this is the countries who want this convention don't want it for its own sake. They want it because they want to be cooperated with. So, yes, they want this convention, but it's for that reason. So, you all can easily go back to these people and say, look, we can't agree to this. It's not actually going to be the basis which we're going to be willing to cooperate under anyway, because it doesn't have enough safeguards. We suggest to you that we increase the capacity building and technical assistance available to you, so you can train your judiciary, train your prosecutors, your judges, detectives on e-evidence collecting and e-evidence requesting. It's a huge undertaking to actually cooperate on cybercrime or crime across borders. And the vast majority of countries in the world could join the Budapest Convention. The countries that, that wouldn't be allowed in are some of the states who are on the other side of all these arguments, you know the Irans, Russia, other Middle Eastern states, not all of them, but many of them and so forth. Totalitarian states would not be invited to join Budapest, but everybody else with a good rule of law would be entitled.

I said that 'cause this is actually working now. And so if countries really want to cooperate soon, that's actually the fastest way by far than waiting for this thing to enter into force, especially in the states where the data is held. Because the vast majority of states told us very clearly it was data held in the U.S. jurisdiction and then EU jurisdiction that they were most interested in gaining access to. And we were pretty clear in saying, well, when is the U.S. going to really ratify this over the objections of the private sector and all of civil society? You're going to get 60 votes in the U.S. Senate for that? Even if everybody was in favor of a new treaty, you might not get 60 votes in the Senate for it. So, with everyone opposing it, like, that's not going to happen. So then what do you have? You don't have what you need. But Budapest, the U.S. is already a party to. So I think it was, this was a really strategic mistake. I think that we have to accept the premise that we need to adopt a bad agreement because other people want to cooperate on something when there's another way to give them what they want.

Eugenia Lostri: So for these states that are not part of Budapest, the Budapest Convention, but, you know that maybe felt that the benefit of negotiating a new convention was that they could bring that their domestic perspective and that maybe they didn't have to sign up to something that was only negotiated by the global North, or that it was just a representation of EU or American interests and positions. Would you say that, actually, this finalized text includes those perspectives? Is it, in any way, more inclusive? Or is it you know, mainly a positive for those authoritarian states.

Nick Ashton-Hart: Oh, it's definitely the authoritarian states who got what they wanted. Even in areas like we haven't mentioned, there's so many problems in this convention. You can't even, it's like a novel. You could write a book. Even in the liability provisions, you're liable in this convention for any act that is participating or attempting another act that is unlawful. In many cases, this would be legitimate business operations. Yes, I participated in allowing a payment to be made between two people, which happens to be the proceeds of crime. I didn't know that was the proceeds of crime, but I intended to allow these people to use my payment service. And so now as a company, I have contributory liability because I run a payment service. And we said, this is all wrong. This is not a reasonable standard. Oh, no, sorry. And we said, you should put an intent standard in here. People should intend to do something unlawful if they run a payment service, like they should be deliberately not knowing how it's used. They should be ignoring know your customer requirements, this kind of thing. No, we can't get the other side to agree to it. Even an intent standard, even just intending, not even criminal intent, but just intending. Couldn't even get that.

And so, so yeah, in the sense that it will make it very easy for any country, anywhere, to adopt this convention, irrespective of whether they have safeguard provisions that would be reasonable or anything else. Yeah, it's reflective of those interests. But is that a standard that many countries are willing to exchange evidence under? Well, no, you know, isn't. So then what's the point? Okay, you've agreed something, but how useful is it? And how bad a precedent does it set as this is what the UN stands for, which no one seemed to want to really care about that.

Eugenia Lostri: Even from a politics perspective, you can imagine that kind of UN-washing these types of provisions sounds problematic because how can you stand against authoritarian laws, how can you call out other countries when you've signed on and you've accepted that this is sufficiently good for the UN?

Nick Ashton-Hart: Well, this was the point that we made is it's very hypocritical. It's very hypocritical for the U.S. and the EU to say, we're going to stand up against authoritarian states, abridging of individual freedoms. But, on the other hand, we're going to agree on international law, allowing people to do exactly the same abuses. We're going to, we're going to endorse that. It's just hypocritical. And we also couldn't get states to really take on board that this is a Russian idea and in the UN if you're the proposer of a thing, and that thing works out whether you get a General Assembly vote for something or you launch a process like this, you get diplomatic credit for the outcome. Even if this was the best agreement in the world, Russia gets diplomatic credit for this. And it's not the best agreement in the world, it's very poor. So Russia, like you, you gave them a victory, over your own values. And like, in what country is it actually the policy of major Western states to give Russia a victory of any kind, no matter what it is? But yet here, that was just a secondary consideration and that's somebody else's problem.

Eugenia Lostri: Right. Along those lines, I'm going to be quite cynical with this hypothesis, but I want to see if it has any bearing or if you observe this. You've mentioned the challenges that probably the U.S. and the EU are going to face to actually, you know, adopt this domestically in a way that then, so that they can ratify it. Do you think this is because maybe there's no expectation that this will become something that holds them, like that they actually have to act upon, but allows them to maybe present themselves as, we've negotiated, we're part of the multilateral process, and then it's out of our hands, but we really did want to collaborate with you.

Nick Ashton-Hart: Oh, I think there's a lot of that going on. In most cases, the people who negotiated this are not the people who are responsible for ratification through parliaments. It's other people. We actually asked that question. Like, aren't you gonna have to deal with this? And the answer most of the time is, well, no, no. I'm in the part of the Justice Ministry that, I don't deal with national legislation. I only deal with international cooperation. So it's my colleagues who will have to get this through parliament and say it's somebody else's problem. And then they can be the bad guy, you know.

Eugenia Lostri: Yeah. So speaking of whose problem it’s going to become, walk us a little bit through, you know, what happens next. Right,

Nick Ashton-Hart: Yes.

Eugenia Lostri: We have this text, there's a lot of criticism from both the private sector, from NGOs, advocacy organizations. What happens?

Nick Ashton-Hart: I mean, I think what happens next is, well, we know what happens next is the member states adopted at the committee level, the text of the convention. They also adopted the text of the General Assembly resolution, which would be the vehicle for adopting the convention and opening it for signature as a new legal instrument. So at some point after the opening, the high level segment opening the General Assembly, this will be scheduled for debate and for voting. And so that's really the last point where this could be prevented from becoming a treaty open for signature is if member states change their minds, enough of them, change their minds. And that's very difficult to do because there's a strong incentive in the multilateral system that you should not change your vote between a committee stage and the final adoption of the same matter, because otherwise no one can depend on other states doing what they say and saying what they mean.

So, if you're going to change your vote, you have to have a pretty good reason to avoid lots of diplomatic fallout for it. We are still hoping that the U.S. and some other countries will abstain from the vote. We don't expect people to vote no because we understand the value of that precedent I just mentioned, but that would not stop them from abstaining on the very reasonable basis that they could say if it's clear, post adoption, there is so much criticism of this. We don't believe that we would be able to ratify it. And we don't as a country want to ratify, want to endorse an agreement that we won't be able to adopt. And so that, that remains our hope and that as people become more aware of this convention in legislatures and in other parts of governments, that they will take a look at this and say, this is not good enough. We really can't stand behind this.

So that's, that, that is the current hope. And I know there are some conversations going on in governments about what do we do when this comes up for a vote. We don't know when that will be, it is not yet calendared. My guess is it will be, I don't think they will bring this up for a vote during the high-level segment because it will be controversial and it would just be asking for lots of negative news attention. I think it would be sometime after, like say November, December, January, something like this. Because the other thing that's interesting is with all its flaws and all of its broad scope, that of course, wasn't enough for many countries. And the other thing the committee adopted was that there are going to be negotiations of a protocol to expand the scope of the convention.

Eugenia Lostri: Wait, wait, wait, further? Further expand the scope of the convention? To what?

Nick Ashton-Hart: Yeah, that's the same committee under the same rules will meet again in two two-week sessions. The first one to be within a year of the adoption of the convention by the General Assembly and the next one, not more than a year after the first one to negotiate a protocol to expand the scope further.

Eugenia Lostri: I don't know what's left out of it, though.

Nick Ashton-Hart: Well, yeah, I mean, all the things that got rejected will get rerun, all the, lèse-majesté and fake news. Yeah, there was a Chinese proposal to criminalize fake news. Yeah, there'll be all that stuff will come out of the woodwork again, I'm sure.

Eugenia Lostri: Yeah. So Nick, before we wrap up, I know that there's a lot to talk about the text, about how the process went, so if there's one last thing that you want to leave us with, the floor is yours.

Nick Ashton-Hart: I would say, I think now is a time for the legal community to look at this, and ask, is this something that should become part of the international legal framework? Does it represent the right balance of interests? And if it doesn't, this is the time to tell your legislators, but especially your executive, in the U.S. would be the executive branch officials that this is not, we understand you, you allow this to go through by consensus at the committee stage, but this is simply not good enough. And we won't, you will not get support for adoption of it, the only responsible thing is to abstain when it's adopted, to send a signal that this is not something that is going anywhere.

And, and also to make the point that the requests for more cooperation is a real one. Cybercrime is a really big problem and it's growing rapidly. And, and that should be the focus. The focus should be how do we help all of these developing countries who need to train their entire judicial, investigative, criminal justice systems in cooperating, and how do we give them the levers to cooperate in a way that we actually would cooperate with? And the obvious opportunity there is Budapest. But irrespective of whether people join Budapest or not, whether countries join Budapest, you still have to implement it, and it still requires all this capacity building and technical assistance.

So, I think that that is the lesson that, that everyone should take from this is, those states who genuinely want to cooperate on cybercrime should have what they need to do that. It would be in the social interest and the national interest of all states if that problem was solved. And that's really the important problem here. And the only way that you really do address this problem, because without that, whether this treaty or Budapest, whether countries join them or not, that doesn't mean that they're going to actually be able to cooperate, that just means they'll have the legal ability, yes, but the practical ability, no. Because we have seen in countries who are new to this, that what you get is providers receiving a request to someone's entire inbox, because they don't know how to ask for, no, no, you can't ask for the inbox, you can only ask for emails between specific people or between specific dates. You have to limit it. Without training, that's, you don't get that. You get a lot of requests that are far too broad. And so that really should be the lesson that the international community takes out of this. That is the problem. That is the big problem to solve. Big unmet need.

Eugenia Lostri: Nick, thank you so much for joining me.

Nick Ashton-Hart: My pleasure. Thanks for having me.

Eugenia Lostri: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja. Our theme song is from Alibi Music. As always, thank you for listening.


Eugenia Lostri is Lawfare's Fellow in Technology Policy and Law. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.
Nick Ashton-Hart is Senior Director for Digital Economy Policy for APCO Worldwide. He previously served as the head of delegation to the UN cybercrime treaty negotiations for the Cybersecurity Tech Accord.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.
