New UN Convention on Cybercrime Could Threaten Human Rights

New UN Convention on Cybercrime Could Threaten Human Rights

By Kate Graham-Shaw

NEW YORK CITY —The United Nations yesterday adopted its first international cybercrime treaty, a move that succeeded despite opposition from tech companies and human rights groups, who warn the agreement will allow countries to expand invasive electronic surveillance in the name of criminal investigations. Experts at those groups say the treaty undermines the global human rights of freedom of speech and expression because it includes clauses that countries can interpret to prosecute internationally each observed crime occurring on a computer system.

The UN committee room erupted in applause after the treaty was adopted, as many members and delegates celebrated the culmination of three years of difficult discussions. In praising the adoption, delegates such as South Africa cited the treaty’s support for countries with relatively smaller cyber infrastructures.

But among the watchdog groups closely watching the meeting, the tone was grim. “The U.N. cybercrime convention is a blank check for surveillance abuses,” said Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation (EFF). “It can and will be used as a tool for systematic rights violations.”

About supporting science journalism

If you like this article, please consider supporting our award-winning journalism by Subscribe. By purchasing a subscription, you help secure a future of impactful stories about the discoveries and ideas shaping our world today.

In the coming weeks, the treaty will be put to a vote by the 193 member states of the General Assembly. If it is accepted by a majority there, the treaty will go to the ratification process, where the governments of individual countries must sign.

The treaty, called the Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, was first drafted in 2019, with debates to determine its content beginning in 2021. It is intended to provide a global legal framework for preventing and responding to cybercrime. In a July statement before the treaty’s adoption, the U.S. and other members of the Freedom Online Coalition described it as an opportunity “to enhance cooperation in combating and preventing cybercrime and collecting and sharing electronic evidence of serious crimes,” but noted that the agreement could be abused as a tool for human rights violations and called for its scope to be more narrowly defined. (The U.S. State Department did not immediately respond to a request for comment from Scientific American.)

The agreement comes in response to major technological advances in recent decades that have allowed cyber threats to evolve at a rapid pace. In 2023 alone, more than 340 million people worldwide will be affected by cybercrime, according to data from the Identity Theft Resource Center.

The years of deliberations over the long and complex treaty culminated in this week’s final negotiating session. Critics including the EFF and Human Rights Watch (HRW) argue that the text is too broad in scope, allowing countries to apply it to crimes that have traditionally been considered cybercrime. The Budapest Convention on Cybercrime, which entered into force in 2004, is the only other major international treaty addressing cybercrime. It sought to criminalize a range of crimes, including cybercrime (such as online banking fraud or identity theft) and cyber-dependent crimes (such as hacking and malware), while still seeking to safeguard human rights and freedoms.

But experts have said the recently adopted treaty lacks such safeguards for a free internet. One major concern is that the treaty could apply to any crimes, as long as they involve information and communications technology (ICT) systems. HRW has documented the prosecution of LGBTQ+ people and others who expressed themselves online. This treaty could oblige governments of countries to cooperate with other countries that have banned LGBTQ+ behavior or digital forms of political protest, for example.

“This broad definition essentially means that when governments adopt domestic laws that criminalize a wide range of conduct, and that conduct is committed through an ICT system, they can refer to this convention to justify maintaining repressive laws,” HRW Director Tirana Hassan said at a press conference late last month.

This treaty opens the door to violations of human rights and freedom of expression, Hassan added. The adopted text refers to domestic law for human rights guarantees, “which means that people are subject to the whims of the laws of individual countries,” she said. Countries with poor records on those guarantees — which have also been strong supporters of the treaty — include Belarus, China, Nicaragua, Cuba and Russia (a particularly vocal supporter).

The agreement could also potentially create transnational danger. “The treaty allows for cross-border surveillance and cooperation to gather evidence of serious crimes, effectively turning it into a global surveillance network,” Rodriguez said. “This creates a significant risk of transnational human rights violations and transnational repression.”

Industry representatives from the Cybersecurity Tech Accord, a coalition that includes Microsoft, Meta and more than 150 other global technology companies, have raised concerns about the private sector’s ability to comply with the treaty. In January, the coalition warned that the agreement could force internet service providers to share data between jurisdictions, potentially violating local laws. Nick Ashton-Hart, head of the Cybersecurity Tech Accord delegation to the treaty negotiations, said it was unfortunate that the UN committee had adopted it despite its serious flaws. “If implemented, the treaty will be detrimental to the digital environment in general and to human rights in particular,” Ashton-Hart said. The treaty “will make the online world less safe and more vulnerable to cybercrime by undermining cybersecurity.”