Published by The Lawfare Institute
in Cooperation With
Negotiations for a U.N. cybercrime convention have entered a critical stage. From Jan. 9 to Jan. 20, hundreds of delegates from over 150 states met in Vienna for more than 100 hours of exhausting negotiations during the fourth round of discussions of the U.N. Ad Hoc Committee mandated by the U.N. General Assembly. The negotiations were marked by attempts by authoritarian states to transform this potentially important instrument into a tool for political control. They were also marked by efforts to water down certain human rights and due process safeguards introduced in the draft convention.
Setting the Scene
Cybercrime knows no borders, and enhanced international cooperation is key to combating it. Last year, the U.N. embarked on the very ambitious journey to adopt (over only a period of two years) a global cybercrime treaty. This project was met with skepticism from some states, nongovernmental organizations, and other stakeholders that doubted the necessity of such a treaty. Their main concerns were twofold. First, they argued that the creation of a U.N cybercrime treaty risks fragmentation in the fight against cybercrime due to the existence of other key instruments—and especially the 2001 Council of Europe’s Budapest Convention on Cybercrime—which could ultimately stifle global anti-cybercrime efforts. And, second, they warned of the potential risk that authoritarian countries could try to transform a U.N. cybercrime convention into an information control treaty, with provisions dangerous for internet freedoms and human rights.
Following three sessions in 2022, delegations from U.N. member states arrived in Vienna on Jan. 9 to discuss the first three chapters of the proposed cybercrime convention—General Provisions, Criminalization, and Procedural Measures and Law Enforcement—composed by 55 articles outlined in the Consolidated Negotiation Document.
Since the beginning, these negotiations have been marked by disagreements and controversies about the objectives and the scope of the convention. U.N. member states negotiate a global cybercrime convention, but they disagree strongly about what “cybercrime” means. States are also diverging about the very title of the convention. Some states seek a U.N. convention against cybercrime. Russia—the country that initiated this process at the U.N.—insists that the convention be named a “Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes,” which is a notably broad title with open-ended terminology, full of risks.
Russia’s Waning Influence?
Russia was initially extremely influential in encouraging the U.N. General Assembly to mandate the negotiation of a cybercrime convention by adopting Resolution 74/247. The country even went so far as to present its own version of a draft treaty. But Russia’s influence in the negotiations began to decline amid the country’s invasion of Ukraine.
The first session of the U.N. Ad Hoc Committee began on Feb. 28, 2022, just four days after Russia invaded Ukraine. Unsurprisingly, the war featured in the debate. Western states and others expressed support for Ukraine and strongly condemned Russia’s aggression as a major violation of the U.N. Charter. These states also highlighted the difficulty of negotiating a cybercrime convention with a state that is violating the fundamental rules of international law and is also launching cyberattacks as part of its aggression.
However, the Russian vision of a U.N. cybercrime convention has not lost all support. Russia’s draft convention was actually presented as a joint draft with China. Additionally, Resolution 74/247 was sponsored by more than 40 states, including several African states and India. If Russia was the leader of this project, its initiative gained the support of other states that still share the Russian perspective on this issue.
One of Russia’s intentions in pushing for a U.N. cybercrime convention was likely an attempt to undermine the Budapest Cybercrime Convention. This convention is the major international instrument in the fight against cybercrime. It was adopted in 2001 by the Council of Europe. Russia, which was until recently a member of the Council of Europe, refused to ratify it. Still the Budapest Convention has been adopted by 68 states, including 23 that are not in the Council of Europe (including the United States). Despite Russia’s efforts, the U.N. negotiations seem to have had a rejuvenating effect on the Budapest Convention. Since 2019, when the U.N. decided to embark on Russia’s project, five more African and South American states, including Nigeria and Brazil, have joined the Budapest Convention, and more are expected to do so soon. These countries also spare no effort in stressing the need for the future U.N. cybercrime convention to be aligned with the Budapest Convention. Indeed, as Alexander Seger, head of cybercrime at the Council of Europe observed, it is likely that, when the dust settles in the negotiations, the vast majority of U.N. states will support a convention on cybercrime that is very similar to the Budapest Convention.
Separating the Bad Seeds From the Good in Vienna
One of the most critical issues discussed in Vienna was the list of criminal offenses that should be included in the convention. There were no less than 28 “crimes” in the initial Consolidated Negotiation Document, and two other offenses were proposed in Vienna. However, numerous states objected to the majority of these proposals.
All states agreed that the U.N. convention should include “cyber-dependent” crimes, which are crimes that would not exist at all without information and communications technology (ICT) systems. An example of such a crime would be illegal access to a computer system.
However, Russia, China, and other states also wish to include in the U.N. convention, in addition to cyber-dependent crimes, a long series of “cyber-enabled” crimes. These are crimes that can be committed without ICT but can also be enabled by ICT. As an example, drug trafficking, arms trafficking, illegal distribution of counterfeit medicines, or money laundering can be committed without ICT, but a computer can be used in order to facilitate them.
It is this second category that created a lot of controversy in Vienna. While all states agree that certain well-established cyber-enabled crimes, especially those related to child sexual abuse material, should be included as criminal offenses in the convention, most of the proposed cyber-enabled crimes raised concerns, either because they are already covered by other instruments or because of their significant negative impact on human rights.
For instance, Western states and others strongly opposed the efforts of Russia, China, and others to introduce into the U.N. convention certain highly controversial “content-related” crimes, such as “incitement to subversive activities,” “extremism-related offenses,” and “terrorism-related offenses.” There are no internationally agreed definitions of these terms, which could easily be abused by authoritarian regimes in order, for instance, to prosecute political opponents. All of these proposals were excluded from the plenary after only a few days of negotiation and were relegated to informal discussion in “facilitator groups” in Vienna.
For the good of free speech and human rights, these proposals will hopefully never make their way into the convention. Still, democratic states must be wary of these proposals creeping back into main discussions about the convention. Even though these proposals are now only discussed informally, some states asked not only to reinstate these content crimes in the convention but also to “strengthen” and “expand” them. In addition, several proposals were put forward to include a provision on the possibility of adding protocols to the U.N. convention after it has been finalized, which means that proposals that concern ill-defined content-related offenses—which could lead to political control and repressive policies against political opponents, journalists, and human rights activists—could make a comeback even after the adoption of the main convention.
China Proposes Criminalizing “Dissemination of False Information”
The skillful maneuvers of Chinese diplomats demonstrate the necessity for states to be vigilant in defending internet freedoms and human rights against repeated attacks.
In 2022, at the beginning of the negotiations, China suggested that the U.N. convention criminalize the use of the internet to “disseminate harmful information.” However, China waited until the end of the first phase of the negotiations in January 2023 in Vienna in order to propose a specific draft article on “dissemination of false information.” This means that this article appeared in the draft at a time when stakeholders were thinking that the controversial content-related crimes had been relegated to the informal facilitator meetings. Fortunately, the U.N. chair organized a second round of discussions six days later on the newly proposed articles, which afforded a dozen states and the EU on behalf of its 27 members the opportunity to oppose the article proposed by China.
By introducing such a “crime” in the draft, China was likely seeking to test how other states would react. Indeed, dissemination of false information, fake news, and disinformation is a problem for all states. But it is a complex problem that requires careful consideration—including important human rights safeguards—before regulation can be accomplished. Such a “fake news” offense could be misused and abused to harm human rights. For instance, governments could require platforms to take down content criticizing governmental policies, arguing that this is “disinformation.”
This issue is extremely sensitive. For example, in June 2022 the EU—with its strong human rights protections—opted to adopt “a code of practice” on disinformation, rather than a binding regulation, in order to mitigate the risks. The EU’s fear was that binding rules for online falsehoods risk platforms removing too much content, which could lead to some “kind of censorship,” as warned by Věra Jourová, the commission’s vice president on values and transparency.
Like China, Russia used similar tactics to test the waters. For instance, as the negotiations in Vienna were drawing to a close, Russia proposed a new article calling on states to “adopt legislative measures” that obligate service providers within their territories to retain all traffic and content data. Russia is undoubtedly aware of the arm wrestling between several EU member countries and the Court of Justice of the European Union on this issue. The country likely proposed this article to observe how other countries intend to deal with it.
Calls to Remove “Protection of Privacy and Personal Data” From Due Process Safeguards
Another risk for human rights came from some countries’ proposals to remove a very important article from the convention. Article 42 (1) of the Consolidated Negotiation Document provides for “conditions and safeguards” for the exercise of the powers recognized in favor of law enforcement authorities in their fight against cybercrime.
More specifically, Article 42 (1) found in Chapter III dedicated to “Procedural Measures and Law Enforcement” powers of states, provides that:
Each State Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this chapter are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights and fundamental freedoms arising from its obligations under applicable international human rights law, and which shall incorporate the principles of proportionality, necessity and legality and the protection of privacy and personal data.
Malaysia, Singapore, Pakistan, Russia, and others—according to the list compiled by the U.N. secretariat—proposed that this article be removed. These countries claimed that the article is redundant due to the presence of Article 5 in the draft, which provides that “States Parties shall ensure that the implementation of their obligations under this Convention is in accordance with applicable international human rights law.” Some countries—such as Russia and Iran—went further and suggested that Article 5 be removed from the draft as well. Contrary to the efforts of these states, it is imperative that Article 42 remain in the draft because it protects specific due process safeguards. Article 5 is a clause of a general nature on respect of human rights, which is also essential, but not at all redundant with the introduction of necessary specific safeguards in other parts of the convention.
Other countries were of the opinion that Article 42 should be maintained in the Consolidated Negotiation Document but suggested that references to the “principles of proportionality, necessity and legality” and the “protection of privacy and personal data” be removed from the document. Countries in favor of this option argued that the protection of privacy is covered by the general reference to human rights; that protection of personal data is not a right recognized as such at the U.N. level; that the principles of proportionality, necessity, and legality are sometimes not found as such or do not have the same meaning in different domestic systems; and that these principles did not exist in U.N. human rights or criminal conventions.
With regard to “personal data,” it is surprising that these countries suggest that such a concept does not exist at the global level. As we describe in a recent Cross-Border Data Forum submission to the U.N., this term is included and/or defined in a very similar way in several international instruments from Africa, the Americas, Asia, and Europe. What’s more, the U.N. Convention Against Corruption—which is used as a model for the current negotiations—refers to “the protection of privacy & personal data.” And the Second Additional Protocol to the Budapest Cybercrime Convention refers to “personal data” 38 times—it even has an article on “Protection of Personal Data,” which stresses how important it is to protect personal data in the context of criminal investigations.
As far as the right to privacy is concerned, it is recognized by fundamental international instruments—both at the regional level (for instance, in the European or the Inter-American Conventions of Human Rights) and at the global level with the International Covenant on Civil and Political Rights (ICCPR).
Similarly, the ICCPR—which is ratified by 173 countries—includes the fundamental principles of legality (“provided by law”) and necessity (“necessary in a democratic society”), while the U.N. Human Rights Committee (HRC) constantly refers to the principle of proportionality (see, for instance, the recent HRC general comment on Article 21 of the ICCPR, which refers to proportionality 18 times).
Rather than removing or weakening Article’s 42 safeguards, it could be useful for the U.N. member states to seek inspiration from the recent Organization for Economic Cooperation and Development (OECD) Declaration on Government Access to Personal Data held by Private Sector Entities, which refers to “personal data” 23 times, starts with the principle of legality (“legal basis”), and includes a second, very important principle, according to which:
Government access is carried out in accordance with legal standards of necessity, proportionality, reasonableness and other standards that protect against the risk of misuse and abuse, as set out in and interpreted within the country’s legal framework.
While the context is somewhat different (the OECD declaration focuses on government access to data held by the private sector for national security and law enforcement purposes, while the U.N. convention focuses on the fight against cybercrime), U.N. member states should affirm that they “reject any approach to government access to personal data held by private sector entities that, regardless of the context, is inconsistent with democratic values and the rule of law, and is unconstrained, unreasonable, arbitrary or disproportionate,” as outlined in the OECD declaration.
The Way Forward
The Ad Hoc Committee will meet this April in Vienna to discuss the second half—60 articles—of the convention. They will address fundamental issues including international cooperation, technical assistance, and information/data exchange. Then states will meet in New York in August, for a third reading of the draft convention, in the hopes of finalizing the text so that it can be approved formally in February 2024 during a concluding session in New York.
To meet this extremely demanding timetable, the chair, assisted by the U.N. secretariat, will have some important decisions to make. A U.N. cybercrime convention could, together with the Budapest Convention, become an important tool for international cooperation in the fight against cybercrime. But this kind of cooperation requires that the “crimes” included be commonly understood and recognized by all parties involved. It also requires the introduction of robust human rights safeguards in order to limit the risks of its misuse or abuse, and to create trust among states.