Today at the United Nations (UN) in New York the final stage of negotiations on the world’s first global cybercrime treaty begins. The resulting treaty will have far reaching implications for how governments cooperate in combatting cybercrime, a challenge which has been rapidly escalating in recent years. The treaty will also impact companies across the tech sector as well as citizens worldwide. Unfortunately, the current draft treaty still has major issues that will need to be addressed before it is fit for purpose – around things like the sorts of activity that is criminalized in the treaty and important limitations around access to personal data. The Cybersecurity Tech Accord has outlined our specific concerns and proposed edits in a new submission that we are releasing today to the UN committee managing the negotiations, which we hope will be a valuable resource to the member states participating.
As active participants in the negotiations since they began in 2021, our objective as a coalition of companies committed to cybersecurity continues to be helping governments arrive at a treaty that ensures more effective cooperation on cybercrime without undermining legitimate online activities or human rights. There is still a long way to go to achieve that vision and a lot is at stake. We expect this two-week round of negotiations, as well as the final negotiating session in January 2024, will be challenging, as there are a number of elements in the current draft that should be unacceptable to rights-respecting governments committed to delivering a Convention that is future-proof, technology-neutral, and that applies the lessons of the past in addressing real issues in cybercrime cooperation.
Among the key points raised in the Cybersecurity Tech Accord’s submission are:
- All crimes should require criminal intent. Currently the draft only requires simple intent. This could result in beneficial acts being criminalized, such as the work of security researchers who help ensure modern systems don’t have vulnerabilities that criminals can exploit – or whistleblowers and journalists’ sources.
- Wherever governments demand access to personal data they should be bound by principles of proportionality, necessity, and legality. This includes allowing service providers to object to overly broad demands for data, or other situations, such as where an alleged offence intends to criminalize freedom of expression (such as political criticism). Currently there are far too few safeguards in the draft and providers have no ability to object to requests for data on any basis.
- The Convention should address serious “cyber-dependent” crimes, and not everyday criminal offences which just happen to use modern communications technologies. A broad Convention that doesn’t focus on key, internationally understood offences is unlikely to be effective, given that all the governments involved in cooperating on a given criminal offense must recognise the crime in common.
- Individuals have a right to know when governments demand their personal information unless that would prejudice an ongoing investigation or prosecution. The present draft makes all data access secret by default and has no provision for disclosure of requests at any point.
- Provisions in the draft currently allow for real-time access to communications and for interception of communications. These should be removed, as these broad surveillance powers too easily run counter to internationally recognized human rights protections.
When the negotiations began in 2021, we partnered with the CyberPeace Institute to launch the Multistakeholder Manifesto on Cybercrime built around a set of principles to inform the negotiating process for this treaty. The Cybersecurity Tech Accord and its Signatories have participated in the work of the Committee as an accredited nongovernmental contributor in all its sessions and we look forward to working with other industry associations, civil society groups, and the member-state negotiators over the next two weeks. Our statement for the Sixth Session of the Ad Hoc Committee on Cybercrime can be read in full below.
For further information on how to get involved, please contact: firstname.lastname@example.org.