In January 2024, before the concluding session of the Ad Hoc Committee negotiating a UN Cybercrime treaty, the FOC Advisory Network provided proactive advice to FOC Member States. The negotiations, which started on 29 January, entered their decisive phase with many issues still unresolved. Given the significance of possible consequences for human rights and digital criminal justice, the FOC Advisory Network decided to make this proactive advice public to reinforce its call for strong safeguards and human rights protection in the new convention.
Table of Contents:
Introduction
The Freedom Online Coalition Advisory Network (FOC-AN) is an independent multistakeholder group composed of civil society, academia and private sector representatives who provide advice on aims, objectives and activities of the Freedom Online Coalition, as well as support its mission of advancing Internet freedom and human rights online. The Freedom Online Coalition (FOC) is an intergovernmental coalition of 38 Member States committed to ensuring that the Internet and digital technologies reinforce human rights, democracy, and the rule of law.
The FOC-AN has been following the negotiations of the Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (UN Cybercrime Treaty). Building upon the FOC-AN reactive advice on the “Zero Draft” of the Convention provided in July 2023, and prior to the last round of negotiations, which will take place in New York on 29 January – 9 February 2024, the FOC-AN would like to raise a number of serious concerns related to the revised draft text of the treaty, published in November 2023.
Concerns
During the UN cybercrime treaty negotiations, many governments and civil society stakeholders highlighted the need to build human rights into the proposed convention. Yet, after six substantive rounds and shortly before the conclusion of negotiations, the level of safeguards and human rights protection is far below what is needed for a treaty that would set standards for global criminal justice in cyberspace.
Currently, the proposed convention has a far wider effect beyond addressing cybercrime. Its provisions on procedural powers and international cooperation would apply to collecting evidence in potentially any criminal investigations. However, neither substantive law provisions nor investigative powers meet the standards under international human rights law.
The Revised Draft contains provisions that are vague and overbroad, with inadequate human rights safeguards to prevent abuse. It opens the door to criminalising online speech that is protected under international human rights law. It grants states expansive surveillance and investigatory powers, which include real-time surveillance of communications and also requires other states to cooperate in these investigations by making these highly intrusive surveillance powers available for cross-border investigations through a powerful multilateral tool. In its current form, the treaty has the potential to become a powerful tool for repressive governments to surveil, target and punish journalists, security researchers, civil society, and other public watchdogs, both domestically and abroad.
In its reactive advice in July 2023, the FOC-AN expressed concerns about vague substantive law provisions, sweeping surveillance powers without adequate safeguards and lack of protections in the cross-border data exchange in criminal investigations. None of these concerns have been addressed in the Revised Draft of the treaty. Every problematic provision is marked in the Revised Draft as still being under negotiation, and several newly added proposals deepen previous concerns.
Specifically, the FOC-AN would like to draw attention to the following provisions.
Substantive law and criminalisation:
- There is still a lack of protection for legitimate activities of security researchers and other actors pursuing public interest, such as human rights defenders and journalists. These concerns are explicit to Art. 6-10 of the proposed treaty.
- The scope of the treaty remains vague, and the range of criminal offences covered under the convention is not clear. Some of the provisions can potentially extend the scope of criminalisation beyond core cybercrimes and may include content-related offences. This particularly concerns Art. 17, which refers to “Offences relating to other international treaties”, represents a ‘catch-all’ provision and broadens the scope of the convention and possible criminalisation, opening the door for misinterpretations and overreach in criminalisation in the future. Furthermore, the preamble mentions offences ‘related to terrorism’ and a range of other crimes, providing possibilities for wider interpretations of the scope and goals of the treaty.
- The new subsection (c) added to Art. 12 (“Fraud”) is overly broad and open for arbitrary interpretations. It suggests criminalising “any deception as to factual circumstances made using [a computer system] [an information and communications technology device] that causes a person to do or omit to do anything which that person would not otherwise do or omit to do”. The notions of ‘deception’ and ‘omission to do anything’ are extremely vague and could potentially be used to criminalise and prosecute legitimate activities.
- The new suggested language in Art. 13 section 4 replaces the obligation of State Parties not to criminalise children for self-generated material with a suggestion that they “may” exclude such criminalisation. The previous wording “shall” is now replaced with “may”. By changing the wording, the Revised Draft fails to protect the legitimate experience and expression of sexuality of adolescents. The suggested revisions contradict the recommendation of the Committee on the Rights of the Child to “avoid criminalising adolescents of similar ages for factually consensual and non-exploitative sexual activity”.
- We are still concerned about possible efforts to add more ambiguous provisions on criminalisation at the concluding meeting. The sixth round of substantive negotiations displayed relentless attempts to re-add criminalisation of speech to the previous Zero Draft. These efforts in the concluding round could include a push for ‘catch-all’ provisions such as Art. 17 in its current form or adding vague clauses to existing draft provisions – e.g., how it has been done with Art. 12 on Fraud.
Investigative powers:
- Nothing in the new draft addressed the previous concerns (Reactive Advice of July 2023) about sweeping surveillance powers combined with the lack of safeguards. Art. 24 is still marked as being under negotiations.
- The language related to real-time collection of traffic data remains very problematic. We would like to reiterate our concerns that Art. 29 provides lower safeguards for the real-time collection of traffic data compared to restricting the interception of content data to serious offences. Traffic data and communication content should enjoy the same protection against real-time collection/interception. Thus, at a minimum, if Art. 29 is retained, it should contain elevated safeguards.
International cooperation:
- Provisions on international cooperation lack safeguards and have the potential to legitimise the use of criminal law and criminal investigations as a powerful instrument for oppression due to a combination of flaws in the Revised Draft. Each of these flaws – as explained below – represents a big loophole for future abuses; therefore, all of them require attention and must be fixed before any consensus is reached.
- Firstly, there is still a lack of dual criminality requirements. We reiterate that the requirements for dual criminality should not be a choice but a mandatory obligation. States must refuse to provide legal assistance to another country in cases where the crime does not exist in their jurisdiction.
- Secondly, the current limitation of the scope of international cooperation to “serious crimes” has the potential to encourage overreach in criminalisation and legitimise abuse of cross-border data sharing in violation of international human rights standards. The draft uses the definition of “serious crime” provided in the UNTOC: “conduct constituting an offence punishable by a maximum deprivation of liberty of at least four years”. This definition is simply transposed to the draft of the Cybercrime Treaty. However, it is essential to understand that the UNTOC definition of serious crime exists only within the context of organised crime groups. The proposed draft of the UN Cybercrime treaty takes this definition outside of that context without limiting it to anything that would prevent broad interpretations and abuses. Many criminalisations in authoritarian states that restrict freedom of speech under the provisions of “extremism” or “fake news” would easily meet the definition of “serious crime” in the current draft. Without any qualifiers and limitations to human rights obligations, the scope of international cooperation opens the way for data sharing between the states that criminalise legitimate activities in violation of human rights. We note that in this case, even the requirement for dual criminality would not stop abusive practices, as for such data exchanges between oppressive regimes, this requirement would be met.
Recommendations
If adopted, the prospective UN Cybercrime treaty will set standards broader than criminalising certain ‘cybercrimes’. It would be a powerful instrument for electronic evidence collection and cross-border data sharing in criminal investigations. In its essence, as of now, the Revised Draft suggests a far-reaching criminal justice instrument, which gives states an overarching power to decide what is criminal and what is not, decide on the intrusiveness of investigations and share evidence across borders with very few limits and safeguards.
The FOC-AN suggests that the representatives of FOC Member States coordinate with their representatives on the Ad-Hoc Committee to ensure that the treaty is in line with the FOC commitments and international human rights standards.
The FOC-AN strongly urges to ensure that all the concerns outlined in this Proactive Advice and in the previous Reactive Advice of July 2023 are addressed before reaching any consensus. We advise not to agree on a treaty that offers vague criminalisation, contains catch-all provisions, and does not meet the highest level of safeguards and human rights protections concerning investigative powers and international cooperation.
Even if this convention could, to some extent, improve international cooperation in investigating crimes that leave digital traces, the benefits do not – and never will – outweigh the sacrifices to human rights protection. The safeguards should not be subject to compromise for the sake of having a treaty. Such consensus would only play in the hands of authoritarian regimes and would set a huge precedent for their successes in eroding international human rights obligations.
Resources
UN: Draft Cybercrime Convention remains seriously flawed. Article 19. https://www.article19.org/wp-content/uploads/2023/12/Cybercrime-Convention-Draft-Text-Analysis.pdf
Latest Draft of UN Cybercrime Treaty Is A Big Step Backward. Katitza Rodriguez, EFF. https://www.eff.org/deeplinks/2023/12/latest-draft-un-cybercrime-treaty-big-step-backward
Press Release: Cybersecurity Tech Accord expresses continued concern over latest draft of UN Cybercrime Treaty, calls for extensive changes. Tech Accord. https://cybertechaccord.org/cybersecurity-tech-accord-expresses-continued-concern-over-latest-draft-of-un-cybercrime-treaty-calls-for-extensive-changes/
When protection becomes an excuse for criminalisation: Gender considerations on cybercrime frameworks. Derechos Digitales and Association for Progressive Communications (APC). https://www.apc.org/en/pubs/when-protection-becomes-excuse-criminalisation-gender-considerations-cybercrime-frameworks