UN cybercrime treaty sparks global concern over privacy rights
UN cybercrime treaty sparks global concern over privacy rights
Critics warn that new surveillance powers could threaten freedom of expression and human rights worldwide.
A special UN committee is expected to present a new treaty this week aimed at combating cybercrime. However, while the treaty seeks to address a worthy goal, it also grants governments extensive surveillance powers that may encroach on human rights and freedom of expression.
The drafters of the UN Cybercrime Treaty are currently holding their final negotiation meeting, having convened seven times since 2022. They hope to present the treaty by the second week of August, a document that could significantly alter global legislation around surveillance. The treaty's stated purpose is to strengthen international cooperation against cybercriminals—those involved in activities like distributing ransomware, stealing data, and breaking into systems. However, the treaty, as it stands, does not address the nuances required to balance security and privacy. The broad language of the treaty could enable states to wield massive surveillance and data collection powers, not just against cybercriminals but potentially against anyone who uses computerized means to commit any crime. In countries with poor human rights records, this could include individuals who criticize the government or advocate for LGBT rights.
1. Vague and broad descriptions
The push for this treaty began in October 2017 when Russia drafted and submitted a proposal for international cooperation in combating cybercrime. By November 2019, a resolution supporting the treaty was passed in the UN, backed by countries including Belarus, Cambodia, China, Iran, Myanmar, Nicaragua, Venezuela, and Syria. This raised concerns among human rights advocates, given the repressive nature of these regimes. Despite these concerns, a special committee was established to draft the treaty. Before the committee's first session in 2022, over 100 human rights organizations and academics from 56 countries called for the treaty to include guarantees for human rights. From the outset, the committee faced widespread disagreement over the treaty's wording, with countries like China pushing to include provisions against "spreading false information" as a cybercrime. Following Russia's invasion of Ukraine, interest in the treaty surged, with a third of UN member states actively participating in its drafting.
The ongoing disagreements led to compromises in the treaty's language, resulting in vague and broad descriptions. The latest draft, agreed upon in May, has been so controversial that a coalition of 22 governmental and civil organizations globally called on governments to reject the treaty in its current form. According to human rights organizations and digital rights activists, the draft allows for extensive surveillance while offering minimal privacy protections. The mandated global cooperation could enable authoritarian regimes to pursue "transnational repression," investigating crimes that may not even be crimes in the first place.
Even the UN is concerned about the treaty. In a letter distributed ahead of the current round of discussions, the Office of the UN High Commissioner for Human Rights (OHCHR) highlighted significant shortcomings in the treaty's text, noting that many provisions fail to meet international human rights standards. They emphasized that these shortcomings are especially concerning given the existing misuse of cybercrime laws in some jurisdictions to excessively limit freedom of expression, target oppositional voices, and arbitrarily interfere with the privacy and anonymity of communications.
2. Eight sections ensuring secrecy of the proceedings
While addressing cybercrime is crucial, as it includes serious offenses such as child exploitation, money laundering, and trafficking, the treaty's approach is problematic. The treaty is intended to enhance cooperation in fighting these crimes, but instead of focusing solely on "core crimes" unique to the cyber realm, such as hacking, the treaty's definition of cybercrime is overly broad. Influenced by the involvement of China and Russia in its drafting, the treaty loosely defines cybercrime as the "use of information and communication technologies for criminal purposes," which could apply to any crime leaving a digital trace.
The treaty's activation is not contingent on the nature or severity of offenses; its language is so lenient that it allows for action based on "justifiable reasons" rather than a "reasonable basis" that a criminal offense has been or will be committed. Human rights and digital rights organizations argue that these weaknesses are intentional, designed to enable governments to exploit the treaty for targeting a wide range of individuals, potentially leading to clear violations of human rights. For example, Russia's inclusion of "any use of a computer system to defraud or abuse trust" in the definition of cybercrime could easily be used to persecute regime opponents or LGBT rights activists.
The treaty also permits states to collect any "electronic data," including biometric data and personal data collected by individuals for private use, such as through smartwatches. Even more troubling, the treaty mandates that states ensure monitoring and data provision, leaving protections to the discretion of the state.
Signatory states will be required to assist each other in fighting cybercrime, which includes obligations to provide user data collected by private companies and to compel companies to install "back doors" in their systems for continuous monitoring of user-generated data. Companies will be required to provide data even if it was collected in other countries. Additionally, the treaty allows states to instruct individuals with knowledge of "the functioning of the system in question, the information and telecommunications network, or its component parts" to provide necessary information to access data. This could involve compelling engineers to reveal confidential or encrypted information about users.
If these provisions are not alarming enough, the draft treaty includes eight clauses aimed at ensuring the secrecy of proceedings. This means that citizens may never know if their personal data has been handed over to foreign governments in the pursuit of "criminals." This duty of confidentiality is not time-limited and is not restricted by conditions such as necessity or proven interest in the investigation.
The drafting of the Cybercrime Treaty, like the European Union's legislation on artificial intelligence regulation, represents a defining moment for the digital age. However, unlike the attention garnered by the European legislation, the Cybercrime Treaty has received little global scrutiny. In the quiet rooms of UN debates in New York, the treaty, driven by Russia, is progressing with minimal public awareness, despite its potential to infringe on the rights and freedoms of people worldwide.