Global Cybercrime and Government Access to User Data Across Borders: 2022 in Review

Since the new UN cybercrime treaty began to take shape in 2022, EFF has been fighting on behalf of users to make sure robust human rights safeguards and rule of law standards are the basis of any final product.

There’s a lot at stake—the proposed UN cybercrime treaty has the potential to rewrite criminal laws around the world, adding new offenses and creating new police powers for both domestic and international investigations, and implicating the rights of billions of people worldwide.

Our push for human rights safeguards in the UN treaty follows a campaign since 2013 to strengthen human rights protections in government investigative powers. In 2017 that effort led us to advocate for changes (through submissions and testimony) in the now-approved Council of Europe’s Second Additional Protocol to the Budapest Cybercrime Convention. The Protocol is another instrument, approved in May 2022, expanding cross-border access to potential evidence in criminal investigations.

We raised concerns that the Protocol not only fails to require adequate oversight, but even creates government powers that bypass existing accountability mechanisms. Unfortunately, our core concerns about weak privacy standards in the Protocol were not addressed, and it was approved by Member States at the Council of Europe without robust safeguards. Existing signatories of the Budapest Convention have been invited since May 2022 to sign the new Protocol; the United States and 29 other countries have already done so. Next, countries will have to implement its provisions, and many of those countries may require reforms in their domestic criminal law. The treaty will finally enter into force once five countries have ratified it.

But we haven’t retreated. As the battle moves to the implementation phase, we released a comprehensive overview and guide about the new Protocol for countries in Latin America, as well as a handy outline of key issues Latin American civil society organizations can raise in urging the government to carefully consider the implications of acceding to the treaty.

2022-2023: The UN Cybercrime Battle Continues

And now a new debate has begun at the United Nations. While the Council of Europe mostly excluded civil society and even privacy regulators from timely participation in negotiations and drafting of the Protocol, EFF and other human and digital rights organizations have had a seat at the table at meetings convened by the UN to begin work on its cybercrime treaty. Civil society successfully persuaded the UN Ad-Hoc Committee overseeing the process to approve the participation of EFF and other nongovernmental organizations and has advocated for the process to be broadened even further.

While we don’t think the UN Cybercrime Treaty is necessary, we have nevertheless been closely scrutinizing the process and providing constructive analysis, which will continue in 2023. We’ve made clear that human rights must be baked into the treaty so that it doesn’t become a tool to stifle freedom of expression, infringe on privacy and data protection, or endanger vulnerable people and communities. Since January 2022, in presentations at four meetings in New York and Vienna, we’ve asked Member States to better protect human rights in the treaty.

Even before UN negotiators held their first meeting in February, EFF and over 134 organizations and academics from around the world urged members of the Ad-Hoc Committee to include human rights considerations at every step of the drafting process. We told the committee:

The goal should be to combat the use of information and communications technologies for criminal purposes without endangering the fundamental rights of those it seeks to protect.

Because privacy and human rights standards vary dramatically among the member states, we made a statement in the Ad-Hoc Committee at its March meeting expressing concern that investigative powers adopted in the treaty will seek to accommodate the worst police surveillance practices across participating states. EFF Policy Director for Global Privacy, Katitza Rodriguez told the committee:

“There is a real risk that, in an attempt to entice all States to sign a proposed UN cybercrime convention, bad human rights practices will be accommodated, resulting in a race to the bottom.”

Many countries’ early proposals alarmed us; some of the most concerning suggestions can now be found in the first draft text of the treaty, formally entitled the “consolidated negotiating document” (CND), which the Committee published in November. (The CND hasn’t been the subject of negotiations yet, but those negotiations will begin at the next Ad-Hoc Committee session on January 9th.) It includes a range of scary ideas, both for crimes and criminal procedure (that is, both for new offenses and for new law enforcement powers). We’ve told Member States that the draft includes:

“a long list of offences that are not core cybercrimes, offences that interfere with protected speech and fail to comply with permissible restrictions under international freedom of expression standards, or offences drafted with vague or overbroad language.”

Some proposals present in the draft would essentially call for states to criminalize “using a computer in a crime,” for actions that are already illegal. We’ve maintained that cybercrimes should be understood as those that specifically target computer systems, and that the treaty should require fraudulent intent on the part of the accused person. EFF’s long experience with computer crime laws in the U.S. has shown, again and again, how dangerous it can be to have a broadly-written law with no malicious/fraudulent intent and harm requirement. Such laws can potentially be used against anyone who did something with a computer that someone else didn’t like, even with no intent to cause any harm, and are often abused to punish security researchers or journalists.

Other proposals call for states to treat various kinds of speech (many of which would be fully protected under international human rights law) as a cybercrime. We’ve supported the Office of the High Commissioner for Human Rights’s key messages recommending that any “future agreement on cybercrime should avoid including offences based on the content of online expression (“content offences”).”

Some police powers proposed in the CND are also concerning. Our most recent letter on the CND says, in short:

  • New investigative powers should only be available for bona fide investigations of crimes covered by the treaty.
  • By default, people should be able to learn if their data was handed over. Authorities should be able to impose gag orders only when disclosure would pose a demonstrable threat to an ongoing investigation.
  • All new powers should come with matching human rights safeguards—with teeth.
  • General provisions authorizing interception and real-time collection of data should be amended to clarify that they do not authorize hacking into networks and end devices. 
  • The text should not authorize any indiscriminate or indefinite retention of metadata.

Unfortunately, the CND fell short of many of these recommendations. It is overbroad in its scope and not restricted to core cybercrimes. It includes provisions that are not sufficiently clear and precise and would criminalize activity in a manner that is not consistent with international human rights standards and principles.

Meanwhile, the CND’s criminal procedural and law enforcement chapter lacks robust human rights safeguards, while its substantive provisions expand the scope of criminal intent and conduct, threatening to criminalize legitimate activities of journalists, whistleblowers, security researchers, and others. We are particularly concerned about the inclusion of content crimes such as “extremism-related offences” and “terrorism-related offences.”

The CND includes one Article on respect for human rights and the inclusion of gender perspectives. But this does not go far enough to ensure the respect of human rights is included in other provisions of the proposed Convention.

While disappointing, the text will go through more revisions in 2023, and we will continue to push for changes. EFF and Human Rights Watch submitted comments to the Committee in December, voicing strong concerns about the CND’s shortcomings and making recommendations to the Committee to tighten its focus, excluding a number of troubling provisions, and strengthen human rights safeguards.

A fourth ad hoc session—the halfway mark in the negotiating process, which aims to conclude sometime in 2024 with the finalization and approval of a draft text of the convention—is scheduled for mid-January 2023. EFF and its allies will be there to ensure that human rights are at the center of the discussions and the next draft is aligned with the principles and standards that are crucial to protect the fundamental rights of those who will be subject to the treaty for decades to come.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2022.

Source: Global Cybercrime and Government Access to User Data Across Borders: 2022 in Review
