UN Approves Cybercrime Treaty Despite Major Tech, Privacy Concerns

A United Nations committee has advanced the final draft of a treaty intended to combat cross-border cybercriminal organizations, but opponents warn that it contains few safeguards for human rights and could be used by repressive governments to prosecute journalists, cybersecurity researchers, and protesters.

If adopted by the UN General Assembly, the UN Convention Against Cybercrime would require any nation that signed the treaty to make it a criminal offense to "access ... an information or communications technology (ICT) system without right" or to intercept data or communications. In addition, the treaty would require that signatories have a mechanism to preserve stored data and some components of traffic data, according to the draft.

The treaty, passed on Aug. 8, will require a wide variety of companies — financial services, travel, technology, and telecommunications firms — not only to support domestic law enforcement, but to help with requests from treaty signatories, says Nick Ashton-Hart, head of the Cybersecurity Tech Accord delegation to the negotiations.

"Unfortunately the draft adopted doesn't resolve any of the issues we raised, or that any other part of the private sector or civil society raised," he says. "Security researchers and penetration testers — as well as investigative journalists, whistleblowers, and others — are at risk of criminal prosecution because of the poor and vague wording in the criminalization chapter."

The UN Convention Against Cybercrime is not the first treaty to address the needs of nations who want to collaborate to fight cybercrime. The Council of Europe's Convention on Cybercrime, often called the Budapest Convention, has provided a framework for cooperation since 2001. Most European countries, as well as the United States, Japan, and Brazil, are among the more than 75 signatories.

UN Cybercrime Treaty Will Pass

The UN treaty is not without its supporters. Russia proposed the UN-based cybercrime convention in 2017, and Vietnam is a vocal proponent — but both countries are not part of the Budapest Convention. There is no longer any way to edit the text of the treaty, which will be adopted by the General Assembly in the next session, which starts in September, says Ashton-Hart.

It's unlikely that the US or Europe will adopt the convention's legislation requirements, he says.

"Because the convention allows all cooperation to take place in perpetual secrecy and has no oversight mechanism, the convention invites abusive requests for cooperation that can be used to undermine secure systems relied upon by billions of people and millions of enterprises each day," he says. "Without [cooperation] from the US and EU, there's little value in anyone else joining this. They can join the Budapest Convention, which is working today, and get what they need instead."

Underscoring the situation, the section "Article 24: Conditions and safeguards" is left blank in the latest version of the treaty.

The US State Department stressed that while the fight against cybercrime is extremely important, without protections, the UN treaty could be used by governments to curtail freedom of speech and target journalist and protesters.

"The United States will continue to strongly condemn and work to combat the persistent human rights abuses that we see around the globe by governments who misuse and abuse cybercrime laws and other cyber-related statutes and tools to target human rights defenders, journalists, dissidents, and others," State Department spokesman Matthew Miller said in a statement.

Broad Powers for Repressive Governments

The US and technology companies are not the only opponents of the UN Convention on Cybercrime's language. The Freedom Online Coalition (FOC) — a group of 40 nations supporting human rights — opposed the current draft of the UN Convention Against Cybercrime, citing concerns that it could be used by repressive governments to undermine human rights. The FOC, established in 2011, includes the United States, Australia, the United Kingdom, European Union members states, and other nations, such as Mexico, Tunisia, and Japan.

The UN Convention Against Cybercrime is critical to enhancing collaboration between nations to combat and prevent cybercrime and to enable the collection of electronic evidence, but more safeguards need to be included, the FOC stated in a July 26 statement.

"Ensuring broad and effective cooperation in this treaty requires concrete safeguards and human rights protections must be built into the treaty framework," the group said. "Among these provisions, we particularly emphasize ensuring that the treaty cannot be used domestically or transnationally to facilitate the suppression of conduct protected by international human rights law."

The UN Convention Against Cybercrime moves to the general assembly, where it can be adopted by a "yes" vote of 40 members.