Civil society partners need to coordinate more closely than ever on scope, data protection, & human rights standards.
Updated on January 4, 2023: CDT, along with 10 other civil society organisations including Human Rights Watch and Derechos Digitales that are registered to attend the upcoming fourth session of the treaty negotiations, have signed a letter to the chair highlighting the broad issues below – but also specifying several changes to the first draft of the treaty that was released last month. Link to the letter here.
The UN, through the so-called Ad Hoc Committee on Cybercrime, is currently in the midst of drafting a new Cybercrime Treaty. The third of six planned sessions recently concluded in New York, where CDT was present as a registered multistakeholder contributor, and the substantive work on the treaty has begun.
CDT has been following the development of this cybercrime treaty since its public inception, along with organizations such as Human Rights Watch, the Electronic Frontier Foundation, and Global Partners Digital. Previously, CDT joined more than 120 human rights organizations to urge the UN to include human rights standards in the treaty, as well as to facilitate civil society participation in the deliberations.
At the conclusion of the third session, the substantive issues have all been submitted and discussed by member states in an initial round of feedback based on the Chair’s questions. CDT and our civil society partners need to coordinate more closely than ever on three main issues at stake: 1) scope and general grounds for exemptions; 2) data protection and encryption; and 3) human rights safeguards.
There are several questions related to the scope of international cooperation between the requesting and requested parties under the treaty on cybercrime. Those scoping questions fundamentally rest upon the definition of cybercrime. A cyber-dependent crime is one that depends on the use of technology like the theft of cryptocurrency. A cyber-enabled crime is a crime that can be committed with, or facilitated by the use of, technology, like the theft of intellectual property. One question is whether the treaty should apply to both. Another is whether to limit the convention to only “serious” crimes, the definition of which might come down to a minimum duration of imprisonment as defined by the requesting party. A further question of scope is whether civil and administrative cases should be included in addition to criminal cases, to the extent such cases are technology-dependent or -enabled.
The nature of international cooperation requests and the mechanisms for cooperation are also questions of scope. Some states are proposing expedited cooperation in urgent circumstances along with the means of communication in such circumstances, which has risks including the skirting of due process and judicial review. Some states propose a 24/7 network, which would duplicate existing cooperation mechanisms under G7/20. Yet others have indicated a need for specific provisions on the expedited preservation of stored computer data and electronic information, and expedited disclosure of preserved traffic data, whereby some metadata, or non-content data, might have lower safeguards (see below the proposal for lower safeguards for metadata vs content data). Whether and under what justification states can refuse to comply with a request for mutual legal assistance (MLA) or extradition are also considerations of scope for the treaty, given these mechanisms are elaborated in other treaty and convention documents.
Another central question of scope is the nature of the information that parties can exchange as part of their cooperation under the cybercrime convention. Certainly, there should be purpose limitations for any exchange of information, including the content of communications as well as metadata. However some States are proposing that requests for metadata be treated differently, typically more expeditiously and with fewer guardrails and oversight, than requests for content.
A further scoping question involves the purposes for which international cooperation on cybercrime will be considered. States have collectively claimed the need to share information under the treaty for the purposes of preventing and disrupting crimes that have not yet been committed, which is the broadest possible application that such a treaty should consider. In fact, a less carceral and more cautious approach would reject these purposes as out of scope for the treaty.
Furthermore, the treaty could go on to elaborate on purposes for cooperation such as capacity development, evidence gathering, and joint investigations. Purposes such as asset recovery would extend the reach of the treaty and therefore may be considered out of scope. And lastly, any mass surveillance and pervasive network monitoring should be fully out of scope for any treaty as it contravenes international human rights law and the right to privacy.
Data protection is sure to be a fraught topic for the treaty negotiations. There have been proposals to include an article on conditions and safeguards related to data protection and international cooperation, whereby a requested party might deny full cooperation with a request if the requesting party does not have data protection and privacy safeguards in place. A more standard framework for the treaty generally could be to define a global data protection framework, since none is recognized by all states at this time; however, this would be an enormous task and inappropriate for treaty-level negotiations. An alternative would be to default to the highest standard between parties, either per request or globally.
On the topic of encryption, there may be an opportunity to elaborate strong security protocols for the purposes of how parties will cooperate via authenticated, confidential channels. While this might not be necessary for all forms of international cooperation, in terms of communication of e-evidence, numerous states have referenced the need for encryption, while others have suggested that high bars for security protocol compliance might slow response time.
Human rights safeguards are critical for the success of the treaty. Some states seek to elaborate these safeguards within the substance of the treaty wherever risks to human rights might be introduced. Other states feel it sufficient to include a general preambular text on human rights safeguards.
Importantly, there will be a non-discrimination clause providing grounds for refusal to comply if the receiving party suspects discrimination based upon various factors such as race, religion, nationality, or ethnic origin. These are typical of UN documents, and some states have suggested using International Covenant on Civil and Political Rights language or the de minimis clause/A18 of UN convention against Transnational Organized Crime. Many states would extend these factors to include “political opinion,” such that cybercrime investigations and punishments could not be used to prosecute protected speech, though some states have pushed back on or simply excluded this factor from their positions, notably Russia and the African bloc, respectively. Still, other states have suggested non-discrimination as it relates to political opinion be considered a sovereign matter. It is critical that offenses in the convention not be considered a political offense, and conversely that political offenses not be included in the convention.
The next meeting of the Ad Hoc Committee on Cybercrime is November 3-4 in Vienna.