The sudden disappearance of REvil, a cybercrime group behind the massive ransomware attack that swept through businesses worldwide in early July, temporarily eased tensions over the barrage of cyberattacks believed to be linked to Russia. But international attention to cybercrime is likely to continue to grow, and not only because the risks are expanding.
A global comprehensive treaty to counter cybercrime first proposed by Russia has gained enough support at the United Nations for negotiations to begin early next year. In addition to the irony of a government that faces criticism for turning a blind eye to cybercriminals operating within its borders pushing a global cybercrime treaty, the proposal is dangerous. A binding international treaty has the potential to expand government regulation of online content and reshape law enforcement access to data in a way that could criminalize free expression and undermine privacy.
Until now, there has been very little scrutiny of this process from a human rights – as opposed to a geopolitical – perspective. A closer look at who is proposing the treaty, the way many states have defined “crime” in the cyber context, how efforts to fight cybercrime have undermined rights, and the shortcomings of multilateral negotiating processes reveals the dangers that this treaty process poses.
In recent years, there has been a surge in cybercrime laws around the world, some of which are overly broad and undermine human rights. Governments often use them to persecute journalists, human rights defenders, technologists, opposition politicians, lawyers, religious reformers, and artists. Many governments, including some that are most supportive of a global treaty, treat forms of free expression such as criticism and dissent as crimes. A cybercrime treaty that normalizes this approach runs counter to human rights obligations.
Governments should protect people from criminal activity carried out through the internet, but that should not come at the expense of people’s rights. Thankfully, there are alternative approaches to the proposed treaty.
The UN Cybercrime Treaty Process
Russia has been promoting a global cybercrime treaty for at least a decade, presumably to replace the Budapest Convention, a treaty developed by the Council of Europe that opened for signature in 2001 and entered into force in 2004. Since then, 65 countries have ratified it, including governments in other regions. Russia has not joined, even though it is a Council of Europe member. While the convention is sometimes referred to as the “gold standard” because it is the most comprehensive multilateral cybercrime treaty, human rights experts have long criticized it for not having stronger safeguards for human rights.
Ideally, treaty negotiations would enhance the safeguards of the Budapest Convention. But the dynamics at the U.N. and around this treaty in particular threaten to erode human rights protections, because many of the governments leading the initiative use cybercrime as a cover to crack down on rights and because generally U.N. negotiations need to be more transparent and inclusive of civil society.
In December 2019, the U.N. General Assembly adopted a resolution that set in motion a process to draft a global comprehensive cybercrime treaty. Negotiations will commence in January 2022 and are expected to conclude in 2023. The initiative advanced despite a total of 93 states either voting against or abstaining from the 2019 resolution, compared with 79 votes in favor of it. The U.N., the U.S., the EU, and many States parties to the Budapest Convention made up the opposition. Leading digital rights organizations warned against rushing ahead with the treaty because the proposal’s treatment of cybercrime is extremely vague and open to abuse, it supplants ongoing work elsewhere in the U.N., and the process so far has excluded civil society.
The divisive vote on the treaty exposed more fundamental disagreements – like what constitutes cybercrime, how law enforcement should gain access to data for cross-border investigations, and more broadly the role of governments in regulating the internet. Such questions have significant implications for human rights, such as freedom of expression, association, privacy, and due process.
Russia, which has been the driving force behind the proposed treaty, has significantly expanded its laws and regulations in recent years to tighten control over internet infrastructure, online content, and the privacy of communications. The result has widened surveillance of users, restricted their ability to access content, and threatened them with the prospect of being cut off from the outside world online.
When it first formally submitted the 2019 UNGA resolution, Russia was joined by seven co-sponsors. They include China, which employs technology for coercion, control, and repression, in a model of techno-authoritarianism that is spreading around the world. Cambodia, another initial co-sponsor, has proposed a cybercrime law that threatens increased surveillance of internet users, including whistleblowers, and would restrict free expression online and reduce privacy. This comes on top of several repressive laws, including its recently approved National Internet Gateway, which will enable the government to significantly increase its control over the internet.
My organization, Human Rights Watch, has documented efforts to restrict the use of the internet for the exercise of human rights — sometimes in the name of combatting cybercrime — in each of the other initial co-sponsoring governments: Belarus, Myanmar, Nicaragua, North Korea, and Venezuela.
However, support and opposition to the treaty are not clear cut. Governments with a range of human rights records from several regions have lent their support to the initiative. And understandably, some governments that are not party to the Budapest Convention feel they should be able to provide input for a global treaty rather than sign onto one they had no hand in drafting. To complicate matters further, governments that opposed the treaty, like Australia, the United States, Japan, Estonia, and Poland, are now vice-chairs of the committee that will draft it. Presumably, now that the initiative is moving forward regardless of their opposition, they see value in participating and shaping the outcome. The EU’s position, for example, is that it will promote complementarity between U.N. efforts and existing international instruments, like the Budapest Convention, emphasize the importance of respect for human rights and fundamental freedoms, and promote transparency and inclusion in the process.
Getting International Cooperation Right on Cybercrime
Efforts to improve international cooperation on cybercrime often aim to make it easier for law enforcement to access data, including data held outside of the country of the law enforcement agencies seeking it. While efforts to speed up cross-border access to data for criminal investigations may be important to ensure accountability, they often involve measures that bypass or weaken due process protections or erode the right to privacy (sometimes with the support of major companies).
One example is the 2018 U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act, which Human Rights Watch and other civil society groups opposed, and which transformed the system for cross-border access to data in criminal investigations. It empowers U.S. authorities to order U.S. service providers to turn over data regardless of storage location, and authorizes law enforcement in one country to directly serve requests for the production of data like email contents, or to issue a wiretap, internationally, without the oversight of the nation where the interference occurs, once an executive agreement between the U.S. and another country is in place. The subsequent U.S.-U.K. CLOUD Act Executive Agreement weakened privacy and due process protections of U.S. and U.K. citizens.
Likewise, the Second Additional Protocol to the Budapest Convention, which outlines new rules on enhanced international cooperation and access to evidence in the cloud, has been criticized by the Electronic Frontier Foundation, an international digital rights group, for lacking strong privacy safeguards and placing few limits on law enforcement data collection. “The Protocol can endanger technology users, journalists, activists, and vulnerable populations in countries with flimsy privacy protections and weaken everyone’s right to privacy and free expression across the globe,” the group said.
Many governments also want to make it easier for law enforcement to access data extraterritorially. For example, Indonesia’s Ministerial Regulation 5 (MR5) requires all private digital service providers and platforms, including foreign companies, to allow law enforcement authorities to access electronic data for criminal investigations into any offense carrying a penalty of at least two years in prison. The regulation also requires companies to provide access to both their “systems” and their “data” for “supervision” purposes whenever requested to do so by the authorities. Giving authorities direct access to massive amounts of information collected and stored by private companies is a clear risk to human rights. Such requirements are particularly prone to abuse, tend to circumvent key procedural safeguards, and can easily exceed the limits of what can be considered necessary and proportionate.
Multilateral negotiations often exclude civil society and others who are rights defenders, especially on issues that are considered the domain of law enforcement, like cybercrime. For example, though it’s customary for Council of Europe committee sessions to invite civil society into drafting plenary meetings, this was not the case in the negotiations over the recent Second Additional Protocol, even after almost 100 organizations called for transparency in the process. The process also did not allow for sufficient time to provide input on key provisions on data-protection safeguards.
The U.N. also has a checkered history on including nongovernmental groups in deliberations, including denying accreditation to human rights organizations and blocking groups from speaking. A recent U.N. process on cybersecurity denied requests from human rights groups, think tanks, companies, and others to participate, based on opaque governmental vetoes. But in May, governments agreed that nongovernmental groups with U.N. accreditation will be able to participate, while other stakeholders can be observers unless governments object. It will be essential for nongovernmental organizations, even those like Human Rights Watch that don’t support the proposed treaty, to get up to speed on the issue before negotiations begin in January 2022 and actively engage in negotiations, opposing any outcome that resembles a race to the bottom on rights.
It is also crucial for rights-respecting governments, including those that don’t see the U.N. as the right venue for a global cybercrime treaty, to ensure that enough governments negotiate and vote in line with their human rights obligations and oppose any treaty that is inconsistent with them. They will certainly have their work cut out for them. Russia reportedly already submitted a full 69-page draft treaty in late July, which would, among other things, greatly expand the scope of cybercrime to include expression and online activity that is protected by international human rights standards.
Another Way Forward
Multilateral treaties can take years to negotiate and even longer to come into force. And there’s no guarantee two-thirds of governments will ever reach an agreement for a treaty to be adopted. Instead of pursuing a global treaty, there are a number of measures governments can and should take to address cybercrime. They can, for example, bolster and use mutual legal assistance treaties and other agreements to ensure a higher level of protection for rights when processing requests for cross-border access to data. Investing in rights-respecting capacity building for law enforcement, prosecutors, and the judiciary, and improving efficiency, transparency, and rights protections in law enforcement requests for data for investigations, as well as providing technical assistance to countries struggling with cybercrime, could go a long way to support rights while tackling crime.
Devoting more resources to strengthening security and defenses around systems vulnerable to attack, like supply chains, is another key measure. And limiting data collection and retention to what is strictly necessary for a legitimate purpose would limit people’s vulnerability to digital threats.
Addressing the increasing threat of cybercrime while protecting rights is an urgent issue that few governments manage to get right. There’s a real risk that attempting to negotiate a U.N. cybercrime treaty in a polarized environment, absent the political will to take the issue seriously, and at a time when cybercrime is being used as an excuse to crack down on rights, could go very wrong. Investing in rights-protecting alternatives is the right way to go.