Free speech and digital privacy appear to be key components left out of a United Nations (UN) Cybercrime Treaty being proposed, primarily by Russia. To say the cybersecurity community is skeptical would be an understatement. "The UN Cybercrime Treaty, to the extent it gets adopted, is expected to define global norms for lawful surveillance and legal processes available to investigate and prosecute cybercriminals," reports The Register in a special report. "And what has emerged so far contemplates more than 30 new cybercrime offenses, with few concessions to free speech or human rights."[1]
The current VP of Corporate Privacy and General Counsel at Spirion recently said, "The proposed UN Cybercrime Treaty appears to be a cynical attempt to criminalize free speech under the guise of a coordinated effort to stop transnational cybercrime. The fact that Russia pushed this proposal after its initial invasion of Ukraine only serves to underscore this. Liberal democracies would do well to stop this proposal from ever becoming international law."
The Register further reports: Access Now, a US-based digital rights group, said, “The goal of a cybercrime treaty should be to make people more secure, but the current draft proposal does the opposite by failing to make affordances for good-faith security research. We had hoped that the cybercrime treaty process would seek clear language that protects these researchers by making it obligatory on states to put very heightened requirements for intent to say that it's not just intrusion into a network but that it is specific intrusion with malicious intent or with intent to do harm that should be there. And instead, we've seen states' pushback.[2] We've seen some states say that, no, we want to have as broad a criminal provision as we can.'"
The US and members of the European Union opposed the proposal citing concerns about the lack of human rights protections. In an article by CIVICUS, they discuss the weaponization of technology and progress toward a UN Cybercrime Treaty. "[CIVICUS] is an expert on the use of disruptive technologies such as cyberattacks, disinformation campaigns, and online terrorism and the Chief Executive Officer of the CyberPeace Institute, a civil society organization (CSO) founded in 2019 to help humanitarian CSOs and vulnerable communities limit the harm of cyberattacks and promote responsible behavior in cyberspace.
The main challenge has been defining the new treaty's scope, the list of offenses to be criminalized. Crimes committed using Information and Communication Technologies (ICTs) generally belong to two categories: cyber-dependent and cyber-enabled crimes. States generally agree that the treaty should include cyber-dependent crimes: offenses that can only be committed using computers and ICTs, such as illegally accessing computers, performing denial-of-service attacks, and creating and spreading malware. If these crimes weren't part of the treaty, there would not be a treaty.
The inclusion of cyber-enabled crimes is more controversial. These offenses, such as banking fraud and data theft, are carried out online but could be committed without ICTs. There is no internationally agreed definition of cyber-enabled crimes. Some states consider offenses related to online content, such as disinformation, incitement to extremism, and terrorism, cyber-enabled crimes. These are speech-based offenses, which can lead to online speech or expression criminalization, negatively impacting human rights and fundamental freedoms.
Many states likely to be future signatories to the treaty use this kind of language to strike dissent. There is general support for including limited exceptions on cyber-enabled crimes, such as online child sexual exploitation and abuse and computer-related fraud. We cannot reach a wide definition of cyber-enabled crimes unless very strict human rights safeguards accompany it. Without safeguards, the treaty should encompass a limited scope of crimes. But there is no agreement on defining safeguards and how to implement them, particularly regarding personal data protection."
CIVICUS comments later in the article about the chances of the treaty being finalized and approved. "Considering how the process has been going so far, I'm not very optimistic, especially on the issue of upholding human rights standards, because of the crucial lack of definition of human rights safeguards. We shouldn't forget negotiations are happening in a tense geopolitical confrontation. The CyberPeace Institute has traced the attacks deployed since Russia's full-scale invasion of Ukraine. We've witnessed over 1,500 campaigns of attacks with close to 100 actors involved, many of the state, and impacts on more than 45 countries. This geopolitical reality further complicates the negotiations. By looking at the text on the table right now, it is falling short of its potential to improve the lives of victims in cyberspace. The CyberPeace Institute remains committed to the drafting process to inform and sensitize the discussions toward a more positive outcome." With the treaty likely not going to a vote until August 2024, there will be much more movement with the Russia-Ukraine war and other global events that will impact any final draft and vote.
A Microsoft Senior Government Affairs Manager said at the last RSA Conference in April 2023, who warned that governments might use the UN Cybercrime Treaty to violate human rights, arrest critics, and even target cybersecurity researchers who examine vulnerabilities, stating, "One of the biggest challenges is a conflict of law. With these different legal instruments, every request we get, we need to evaluate that it's a lawful request that respects human rights and things like that. This process was started by countries that seem to be a bit revisionist. There are some concerns that it could cater to authoritarian and undemocratic interests when policing the digital environment. There's good reason to be concerned that this could include jeopardizing political activists and dissidents abroad. And also security researchers and white hat hackers. And people that have been core to the cybersecurity framework for a while."
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
[1] https://www.unodc.org/documents/Cybercrime/AdHocCommittee/4th_Session/Documents/Multi-stakeholders/ARTICLE_19_submission_Negotiating_Document_January_2023.pdf
[2] https://www.secureworld.io/industry-news/united-nations-cybercrime-treaty
Comments