The rapid speed at which digital technologies are becoming increasingly connected and penetrate all areas of life also requires constant adaptation of legal regulations. This development also extends to the fighting of crime. Despite existing regulations at the regional level (for example, the Budapest Convention of the Council of Europe), negotiations have been underway for a year at the UN level on a new, globally applicable convention to combat cybercrime (UN Cybercrime Treaty). According to the current schedule, these negotiations are to be concluded in January 2024. The treaty is being negotiated in Vienna and New York. epicenter.works is represented at the current negotiations in Vienna on behalf of the Eticas Foundation. The negotiations are taking place according to the usual procedure in Vienna. This means that the provisions are attempted to be adopted by consensus rather than by a majority decision. If consensus cannot be reached, a two-thirds majority of all UN states is needed to reach agreement. By signing and ratifying this convention, the states commit themselves to implementing it into national law.
What Is the Threat of This Global Treaty?
The UN Cybercrime Treaty creates a global standard for cybercrime and its prosecution. Particularly with regard to investigation methods, however, some states have proposed and included in the first draft of the negotiating document highly invasive instruments, which have been found unconstitutional and contrary to human rights in many supreme court decisions. In this respect, it is good that the current catalogue of offences will likely still be strongly modified and hopefully shortened. Many states and NGOs are also speaking out against such far-reaching provisions in the negotiations. However, there are already calls to separate the investigative provisions from these offences in their application. Such a step would also open them up to far-reaching other offence categories and not only to those explicitly mentioned in the future final text of the treaty.
The biggest change, however, is the radically simplified cross-border prosecution. Until now, law enforcement authorities of one state had to resort to bilateral treaties between states (so-called MLATs, mutual legal assistance treaties) to access computer systems of another state. These, however, are considered slow and cumbersome, as it has to be checked in each individual case whether another state may access the data. In the EU, we have therefore seen questionable moves such as the e-Evidence Act, which could, for example, allow the Hungarian police to access data from servers in Austria on an expedited basis.
A similar agreement is the US CLOUD Act, which grants the USA far-reaching access rights. It allows them to access the data of US companies, even if their servers are located abroad. In return, states can sign bilateral agreements with the US, giving them the right to directly request data from US companies. There is also the aforementioned Budapest Convention of the Council of Europe, whose Second Additional Protocol has just passed the European Parliament. However, both the US CLOUD Act and the Budapest Convention, with their problematic access rights, are largely and foremost rejected by countries of the Global South.
With the UN Cybercrime Treaty, despite the existing agreements, a global regime is to be created that massively expands the possibilities of law enforcement authorities' access to data through worldwide interoperability. According to the current status of the consolidated negotiation document, the proposed offences no longer require a detailed examination of whether a crime committed in one state is also illegal in another state (“dual criminality standard”). However, this requirement is also being discussed and has already been mentioned by state representatives in their statements. Without such a check, investigations based on a recognised crime in a certain country could be extended to other states, even if it is not a criminal offence in that state. If a person is affected by such an investigative measure, there are currently no sufficient conditions and safeguards to ensure that human rights as well as the rule of law and the protection of personal data be sufficiently observed. However, strengthening protection measures is also currently being discussed and their importance has been emphasised by many states.
The draft treaty further provides that a state can claim jurisdiction over a specific crime. In the current draft, this shall be possible if a citizen, a resident, a government agency or a computer system attributable to one of these persons is affected. Such provisions are the cornerstone of a very broad regime for the extra-territorial application of very invasive surveillance methods up to and including state hacking anywhere in the world. State representatives, however, have in their statements largely opposed the inclusion of this provision in the consolidated negotiating document – hence amendments are likely to be made here as well.
The current consolidated negotiating document proposes far-reaching investigative instruments that each state that becomes a party to this treaty under negotiation is to adopt into national law, some of which endanger the fundamental rights of all citizens. Data obtained through these procedures is also to be admissible as evidence in court if national law does not conflict with it. This not only concerns traffic data but also the monitoring of the content of the communication. It includes possible quick-freeze and the retention of data on an IT system as well as metadata, traffic and content data. And it also provides for the search and seizure of master data, location data, metadata, traffic and content data. In addition, the current draft provides for the collection and retrieval traffic data in real time, i.e. the transmission of data to the requesting state for the purpose of providing information. The draft could even legalise the interception of content data in real time in all states party to the future Convention.
This last point also includes a so-called “gag order” for the operators of an IT system, making it very difficult to defend against excessive surveillance orders with legal remedies and thus potentially undermine the rule of law. Even if a state’s legal system and constitution protect against such surveillance methods, it is potentially circumvented by a provision in the draft: If adopted in its current wording, the states party to the future Convention would be supposed to take unspecified “technical measures” for the real-time collection or recording of content data or traffic data. This provision could thus amount to state hacking of internet service providers, hosters or targeted individuals. We have already made it clear in our first intervention in the plenary that state hacking must not be allowed under any circumstances.
Catalogue of Criminal Offences
The consolidated negotiating document further provides for a large number of offences that are to be criminalised in each state party to the future Convention. Some of these provisions are very vaguely formulated and contain references to concepts that are not internationally defined, such as „terrorism“, „extremism“ or „subversion“, and thus carry an enormous risk of being misused for state repression. At its core, however, the draft defines „classic cybercrime offences“, such as illegal access to computer systems, illegal interception of data, unlawful access to a computer system, disruption of computer systems or data resulting in serious damage, or misuse of devices and programmes. In short: cyber-dependent crimes.
In addition, however, the consolidated negotiating document – at the instigation of some UN member states – also includes criminal offences that in themselves are not considered cybercrimes but in the negotiating text are to be carried out with the help of a computer („cyber-enabled crimes“). These include, for example, computer-related theft, fraud and forgery or the unauthorised use of electronic means of payment.
Data protection violations are also to become criminalised on the basis of this UN treaty. However, there are no detailed provisions on this which means that there are actually no changes to existing national or European data protection law. In addition, the unauthorised use of passwords, biometric or other unique features or electronic signatures is to be prohibited.
Other offences include copyright infringement, arms and drug smuggling, sexual assault, the illegal distribution of counterfeit medicines and medical products, money laundering and more.
However, including all the offences in their current wording which lacks any specification of the intention with which they be committed (criminal or fraudulent intention) would also risk criminalising legitimate security researchers and responsible disclosure. We explicitly warned against this danger in our second intervention in plenary.
The protection of children (i.e. persons under the age of 18) from (sexual) abuse also plays a major role in the current draft and is supported by many states from all regions of the world. More specifically, it deals with the offences of electronic dissemination, possession and production of documentation of child sexual abuse (Child Sexual Abuse Material, “CSAM”) and also other acts related to CSAM as well as child grooming and cyberstalking of children.
However, there is already a UN treaty on the protection of children. The UN Convention on the Rights of the Child is not only one of the most ratified treaties in the world, but according to child rights NGOs, it also provides exactly the right guidelines in this area. Its main problem is rather the lacking and incomplete implementation of its Additional Protocol, which is directed against such crimes against children. A separate agreement with divergent wording carries the risk of creating legal uncertainty and is therefore more likely to have a negative impact on child protection.
Parallel attempts to combat sexualised violence against children by means of an extensive chat control take place at EU level. This already shows how such surveillance measures fail in child protection and instead increase the risk for children and teenagers even more. Moreover, documenting child abuse is already a criminal offence in almost every country in the world. Only when it comes to the exact definition the situation is less clear – the current draft of the Cybercrime Convention currently stipulates 18 years as the age limit to be covered by the provisions, or for some offences it is also sufficient if the person looks as if he or she is under 18 years old.
Current State of Negotiations – Global Surveillance Standard
Modern law enforcement in response to new developments in the field of cybercrime is of course important and necessary. However, the present draft goes far beyond this simple goal. The first three chapters of the consolidated negotiating document were published in November 2022 and subsequently the second part with further chapters of the draft treaty on cooperation between states. In addition to general provisions, the first part focuses on the offences that all ratifying states are to include in their criminal codes and on criminal procedure and prosecution provisions.
The raft is strongly oriented towards already existing treaties, such as the Budapest Convention of the Council of Europe. In addition, however, it reflects further demands of various UN states, which have introduced their respective concerns and wishes and significantly expanded the consolidated negotiating document – thus there is no consensus draft yet. Work on such a consensus draft is underway in the current and upcoming sessions. Much of the future treaty’s text will therefore still change. In particular, the deletion of proposed provisions is to be expected and the concrete formulations are still being fine-tuned – hopefully not in the interests of invasive surveillance states but with strong safeguards for human rights. Fortunately, not only numerous NGOs are advocating for this. There is also strong support from many UN member states for stronger safeguards for fundamental and human rights in the future Convention.
The current fourth round of negotiations ended on 20 January 2023 in Vienna. Throughout 2023, there will be further sessions of negotiations in Vienna and New York and, as a result, new versions of the draft treaty will be presented. In the course of the negotiations, these versions will come closer and closer to the final text. The composition of the Austrian delegation for the negotiations was decided in the Council of Ministers.
The UN Cybercrime Treaty potentially poses a high risk through globally expanded state surveillance and highly invasive investigative tools. For this reason, a broad coalition of civil society organisations follows the negotiations and strives to achieve the greatest possible changes to the current draft in plenary and in many individual discussions with representatives of the state delegations.
In advance of the fourth round of negotiations, we supported a joint open letter from 89 NGOs from 45 states with concrete proposals for improving the treaty text. We referred to this throughout the negotiations, such as in our second intervention (see below), and also the UN has also already shown interest in it.