Combating Cybercrime: UN Global Treaty on the Anvil

Introduction

The Member States of the United Nations have adopted the draft text of the United Nations Convention against Cybercrime (‘Design convention‘) by consensus, in August 2024, after five years of deliberations. It is the first consolidated attempt by the UN to regulate internet crimes. The move has drawn considerable controversy, with tech companies and human rights groups protesting the lack of safeguards.

The draft text of the Convention is expected to be adopted by the General Assembly later this year. It could then become the main multilateral legal instrument regulating cybercrime.(1) The draft Convention focuses mainly on the following aspects: (i) combating cybercrime enabled by information and communications technologies (‘ICT(ii) strengthening international cooperation to tackle cybercrime by creating effective frameworks at national, regional and international levels, and (iii) improving coordination among States by providing technical assistance and capacity building.

In this article, we discuss the key provisions of the UN Draft Convention and analyse its implications for India.

First UN Convention on Cybercrime

The UN’s core concern in this regard is enshrined in the Preamble. It recognises that the proliferation of ICT systems can have a significant impact on the “scale, speed and scope of crime”. While ICT has enormous potential to develop societies, it can also create new opportunities for perpetrators. The diversity of crimes in the ICT era, as well as the increasing frequency of such crimes, can have a negative impact on states, corporations and individuals.

It lists crimes related to terrorism and transnational organized crime. The latter includes trafficking in persons, smuggling of migrants, illicit manufacture of firearms, drug trafficking and trafficking in cultural heritage. The draft treaty is part of a global trend, whereby governments have sought to address crimes committed or facilitated via the internet. This has prompted the UN to pursue the formulation of a global criminal law policy aimed at tackling cybercrime, by adopting appropriate legislation, defining common crimes and ensuring international cooperation.

Key Definitions

‘ICT systems‘ are defined in the draft treaty as ‘any device or group of interconnected or related devices, one or more of which, in accordance with a program, collects, stores and carries out automated processing of electronic data’ (Article 2(a)). Furthermore, ‘electronic data‘ is defined as ‘any representation of facts, information or concepts in a form suitable for processing in an information and communications technology system, including a program suitable for causing an information and communications technology system to perform a function’ (Article 2(b)). A ‘serious crime‘is defined as “conduct constituting an offence punishable by a maximum term of imprisonment of at least four years or a more severe penalty” (Article 2(h)).

What is cybercrime?

The term ‘cybercrime’ is not defined in the Draft Convention. Instead, Chapter II of the Convention contains a list of activities that should be criminalised. They are:

Illegal access to an ICT system (Article 7)

States Parties shall take appropriate legislative and other measures to criminalise, in whole or in part, intentional illegal access to an ICT system. A State Party may limit the scope of the offence by requiring that the offence be committed by breaching security measures, with dishonest or criminal intent to obtain electronic data.

Unlawful interception of non-public transmissions of electronic data (Article 8)

The intentional and illegal interception of non-public transmission of electronic data to, from or within an ICT system, including electromagnetic emissions, shall be punishable. A State Party may limit the scope of the offence by requiring that the offence be committed with dishonest or criminal intent to obtain electronic data.

Interference with electronic data or ICT (Articles 9 and 10)

The intentional and illegal interference with electronic data, by means of damaging, removing, deteriorating, altering or suppressing it, is a criminal offence. A State Party may limit the scope of the criminal offence by requiring that the above-mentioned conduct results in serious harm. Accordingly, the intentional and illegal interference with an ICT system, resulting in serious impediment to its operation, by means of inputting, transmitting, damaging, removing, deteriorating, altering or suppressing electronic data, is a criminal offence.

Misuse of devices (Article 11)

Intentionally and unlawfully making available a device or data with the aim of committing a crime is punishable. A device may contain a program primarily designed or adapted to commit a crime.

Counterfeiting of ICT systems (Article 12)

Tampering with electronic data, by means of input, modification, deletion or suppression, when done intentionally and illegally, is a criminal offence. Such falsification must result in inauthentic data, with the intention that it be regarded or used for legal purposes as if it were authentic. A state party may limit the scope of the offence by requiring a criminal intent to defraud.

Theft or fraud relating to ICT systems (Article 13)

Loss of property to another person, when done intentionally and unjustly, is a criminal offence. Such loss may occur by:

Entry, modification, deletion or suppression of electronic data,
Interference with the operation of the ICT system,
Deception via ICT system regarding actual circumstances.

Online material of child sexual abuse or child sexual exploitation (Article 14)

The following acts in relation to online material containing child sexual abuse or exploitation (CSAM) are punishable:

Making CSAM available through an ICT system,
Applying for, obtaining or acquiring CSAM through an ICT system,
Owning or managing CSAM stored in an ICT system,
Financing of the above-mentioned crimes.

Solicitation or enticement to commit a sexual offence against a child (Article 15)

Intentionally communicating, recruiting, enticing or arranging through an information and communication technology system to commit a sexual offence against a child, as defined by national law, including the commission of any of the offences established in accordance with Article 14 of the Convention, is a criminal offence. States Parties may exclude the criminalisation of such conduct when committed by children themselves.

Non-consensual distribution of intimate images (Article 16)

Making available intimate images of a person via an ICT system, without the consent of the person depicted, when this is done intentionally and unlawfully, is a criminal offence. This provision applies to persons over the age of eighteen.

Money laundering of proceeds of crime (Article 17)

Conversion or transfer of property, knowing that such property is derived from the proceeds of crime, for the purpose of concealing or disguising the illicit origin of the property or for the purpose of assisting in the commission of a crime, is an offence. Acquisition, possession or use of property, knowing that such property is derived from the proceeds of crime, is an offence.

In addition to the above provisions establishing cybercrime, States are required to enact laws regulating the liability of both natural and legal persons, criminalizing the above crimes and the limitation period. Furthermore, Chapter V establishes the principles for achieving international cooperation, the general principles of which include investigation and prosecution of criminal offenses, and sharing of electronic evidence, established in accordance with the Convention. In addition, requirements have been established regarding the protection of personal data (Article 36), extradition (Article 37), transfer of proceedings (Article 39) and mutual legal assistance (Articles 40, 44, 45, 46).

Implications for India

The adoption of the UN Draft Convention will have important implications for India’s legal framework governing cybercrime and cybersecurity. India has been an active participant in the negotiations surrounding the Convention. Since India is not a member state of the Budapest Convention on Cybercrime (2001), the entry into force of the UN Draft Convention would mean that it will be assessed against international cybercrime standards for the first time.

Provisions relevant to tackling cybercrime are currently spread across various laws such as the Information Technology Act, 2000, the CERT-IN Framework, Digital Personal Data Protection Act, 2023, Criminal Law and sectoral laws and regulations. However, the absence of an updated national cybersecurity strategy has led to reliance on the National Cyber Security Policy, 2013. The adoption of the Draft Convention can expedite the formulation of an updated national cybersecurity strategy in India, aligned with international standards.

After ratification of the treaty, India can go ahead with amending existing laws, such as the Information Technology Act, 2000, or bring in new legislation, targeting cybercrime in areas not yet covered by existing law. This may prove to be a complex exercise, requiring a comprehensive inventory of obligations under the draft treaty. opposite each other To what extent such violations are covered by the current Indian legal framework. An assessment of the gaps between the two would reveal the appropriate legal and policy strategies.

Furthermore, differences in state capacity and bandwidth have been recognized in the Draft Treaty. As a Global South nation, India may need to leverage technical assistance programs and capacity building initiatives to effectively engage with the content of the Treaty. Achieving some degree of geographical balance in the implementation of the Draft Treaty would be paramount, setting it apart from the broken path of the Budapest Treaty.

Conclusion

The UN Draft is an indication of the urgency felt by world leaders in addressing cybercrime, through appropriate international and domestic legal instruments. While final approval by the General Assembly is awaited, as well as subsequent ratification by India, the importance of the Draft cannot be understated. The success of the Draft in addressing cybercrime would depend on how well global asymmetries in state capabilities are addressed and the degree of harmonization achieved in defining cybercrime within domestic laws. Furthermore, as advocated in the Draft, a whole-ecosystem approach, involving inputs from NGOs, civil society, academic institutions and private sector entities, would be valuable. Such efforts could lead to the maintenance of an open, trustworthy and secure digital infrastructure.

(1) United Nations General Assembly, Draft United Nations Convention against Cybercrime, available at https://www.unodc.org/unodc/frontpage/2024/August/united-nations_-member-states-finalize-a-new-cybercrime-convention.html (last accessed 29 August 2024).