UN Delegates Cheer As They Vote To Approve Increased Surveillance Via Russia-Backed Cybercrime Treaty
For years now, the UN has been trying to strike a deal on a Cybercrime Treaty." As with nearly every attempt by the UN to craft treaties around internet regulation, it's been a total mess. The concept, enabling countries to have agreed upon standards to fight cybercrime, may seem laudable. But when it's driven by countries that have extremely different definitions of crime," it becomes problematic. Especially if part of the treaty is enabling one country to demand another reveal private information about someone they accuse of engaging in a very, very broadly defined cybercrime."
The UN structure means that the final decision-makers are nation-states, and other stakeholders have way less say in the process.
And, on Thursday, those nation-states unanimously approved it, ignoring the concerns of many stakeholders.
Some history: two years ago, we warned about how the proposed treaty appeared to be perfect for widespread censorship, as it included considering hate speech" as a form of cybercrime it sought to regulate. Last year, we checked in again and found that, while updated, the proposed treaty was still a total mess and would lead to both the stifling of free expression and increased surveillance.
No wonder certain governments (Russia, China) loved it.
While the final treaty made some changes from earlier versions that definitely made it better, the end product is still incredibly dangerous in many ways. Human Rights Watch put out a detailed warning regarding the problems of the treaty, noting that Russia is the main backer of the treaty - which should already cause you to distrust it.
The treaty has three main problems: its broad scope, its lack of human-rights safeguards, and the risks it poses to children's rights.
Instead of limiting the treaty to address crimes committed against computer systems, networks, and data-think hacking or ransomware-the treaty's title defines cybercrime to include any crime committed by using Information and Communications Technology systems. The negotiators are also poised to agree to the immediate drafting of a protocol to the treaty to address additional criminal offenses as appropriate." As a result, when governments pass domestic laws that criminalize any activity that uses the Internet in any way to plan, commit, or carry out a crime, they can point to this treaty's title and potentially its protocol to justify the enforcement of repressive laws.
In addition to the treaty's broad definition of cybercrime, it essentially requires governments to surveil people and turn over their data to foreign law enforcement upon request if the requesting government claims they've committed any serious crime" under national law, defined as a crime with a sentence of four years or more. This would include behavior that is protected under international human rights law but that some countries abusively criminalize, like same-sex conduct, criticizing one's government, investigative reporting, participating in a protest, or being a whistleblower.
In the last year, a Saudi court sentenced a man to death and a second man to 20 years in prison, both for their peaceful expression online, in an escalation of the country's ever-worsening crackdown on freedom of expression and other basic rights.
This treaty would compel other governments to assist in and become complicit in the prosecution of such crimes."
EFF also warned of how the treaty would be used for greater governmental surveillance:
If you're an activist in Country A tweeting about human rights atrocities in Country B, and criticizing government officials or the king is considered a serious crime in both countries under vague cybercrime laws, the UN Cybercrime Treaty could allow Country A to spy on you for Country B. This means Country A could access your email or track your location without prior judicial authorization and keep this information secret, even when it no longer impacts the investigation.
Criticizing the government is a far cry from launching a phishing attack or causing a data breach. But since it involves using a computer and is a serious crime as defined by national law, it falls within the scope of the treaty's cross-border spying powers, as currently written.
This isn't hyperbole. In countries like Russia and China, serious cybercrime" has become a catchall term for any activity the government disapproves of if it involves a computer. This broad and vague definition of serious crimes allows these governments to target political dissidents and suppress free speech under the guise of cybercrime enforcement.
Posting a rainbow flag on social media could be considered a serious cybercrime in countries outlawing LGBTQ+ rights. Journalists publishing articles based on leaked data about human rights atrocities and digital activists organizing protests through social media could be accused of committing cybercrimes under the draft convention.
The text's broad scope could allow governments to misuse the convention's cross border spying powers to gather evidence" on political dissidents and suppress free speech and privacy under the pretext of enforcing cybercrime laws.
That seems bad!
EFF also warned how the Cybercrime Treaty could be used against journalists and security researchers. It creates a sort of international (but even more poorly worded) version of the CFAA, a law we've criticized many times in the past for how it is abused by law enforcement to go after anyone doing anything they dislike on a computer."
Instead, the draft text includes weak wording that criminalizes accessing a computer without right." This could allow authorities to prosecute security researchers and investigative journalists who, for example, independently find and publish information about holes in computer networks.
These vulnerabilities could be exploited to spread malware, cause data breaches, and get access to sensitive information of millions of people. This would undermine the very purpose of the draft treaty: to protect individuals and our institutions from cybercrime.
What's more, the draft treaty's overbroad scope, extensive secret surveillance provisions, and weak safeguards risk making the convention a tool for state abuse. Journalists reporting on government corruption, protests, public dissent, and other issues states don't like can and do become targets for surveillance, location tracking, and private data collection.
And so, of course, the UN passed it on Thursday in a unanimous vote. Because governments love it for all the concerns discussed above, and human rights groups and other stakeholders don't get a vote. Which seems like a problem.
The passage of the treaty is significant and establishes for the first time a global-level cybercrime and data access-enabling legal framework.
The treaty was adopted late Thursday by the body's Ad Hoc Committee on Cybercrime and will next go to the General Assembly for a vote in the fall. It is expected to sail through the General Assembly since the same states will be voting on it there.
The agreement follows three years of negotiations capped by the final two-week session that has been underway.
And then they gave themselves a standing ovation. Because it's not them who will get screwed over by this treaty. It's everyone else.
cybercrime treaty adopted. diplomats give a standing ovation.adopted over objections of most human rights orgs. little good will come out of this. all risk. russians get their dream treaty.democracies will regret their spinelessness when countries demand new crimes of 'extremism' &tc.
- David Kaye (@davidkaye.bsky.social) 2024-08-08T21:07:36.751Z
For the treaty to go into force, 40 nations have to ratify it. Hopefully the US refuses to, and also pushes for other non-authoritarian countries to reject this treaty as well. It's a really dangerous agreement, and these kinds of international agreements can cause serious problems once countries agree to them and they enter into force. Terrible treaties, once ratified, are nearly impossible to fix.