author photo
By Cam Sivesind
Wed | Jun 7, 2023 | 5:00 AM PDT

Free speech and digital privacy appear to be key components left out of a United Nations (UN) Cybercrime Treaty being proposed, primarily, by Russia. To say the cybersecurity community is skeptical would be an understatement.

"The UN Cybercrime Treaty, to the extent it gets adopted, is expected to define global norms for lawful surveillance and legal processes available to investigate and prosecute cybercriminals," reports The Register in a special report. "And what has emerged so far contemplates [PDF] more than 30 new cybercrime offenses, with few concessions to free speech or human rights."

Says Scott Giordano, VP, Corporate Privacy, and General Counsel at Spirion: 

"The proposed UN Cybercrime Treaty appears to be a cynical attempt to criminalize free speech under the guise of a coordinated effort to stop transnational cybercrime. The fact that this proposal was pushed by Russia after their initial invasion of the Ukraine only serves to underscore this. Liberal democracies would do well to stop this proposal from ever becoming international law."

The Register further reports:

"Raman Jit Singh Chima, senior international counsel and global cybersecurity lead for Access Now, a U.S.-based digital rights group, said that the goal of a cybercrime treaty should be to make people more secure, but the current draft proposal does the opposite by failing to make affordances for good-faith security security research.

'We had hoped that the cybercrime treaty process would seek clear language that protects these researchers by making it obligatory on states to put very heightened requirements for intent to say that it's not just intrusion into a network, but that it is specific intrusion with malicious intent or with intent to do harm that should be there," he said.

'And instead, we've seen states pushback. We've seen some states say that, no, we want to have as broad a criminal provision as we can.'"

The U.S. and members of the European Union opposed the proposal citing concerns about lack of human rights protections. 

In an article by CIVICUS, Stéphane Duguin is interviewed about the weaponization of technology and progress being made towards a UN Cybercrime Treaty.

"Duguin is an expert on the use of disruptive technologies such as cyberattacks, disinformation campaigns, and online terrorism and the Chief Executive Officer of the CyberPeace Institute, a civil society organisation (CSO) founded in 2019 to help humanitarian CSOs and vulnerable communities limit the harm of cyberattacks and promote responsible behaviour in cyberspace.

The main challenge has been to define the scope of the new treaty, that is, the list of offences to be criminalised. Crimes committed with the use of information and communication technologies (ICTs) generally belong to two distinct categories: cyber-dependent crimes and cyber-enabled crimes. States generally agree that the treaty should include cyber-dependent crimes: offences that can only be committed using computers and ICTs, such as illegally accessing computers, performing denial-of-service attacks and creating and spreading malware. If these crimes weren't part of the treaty, there wouldn't be a treaty to speak of.

The inclusion of cyber-enabled crimes, however, is more controversial. These are offences that are carried out online but could be committed without ICTs, such as banking fraud and data theft. There’s no internationally agreed definition of cyber-enabled crimes. Some states consider offences related to online content, such as disinformation, incitement to extremism and terrorism, as cyber-enabled crimes. These are speech-based offences, the criminalisation of which can lead to the criminalisation of online speech or expression, with negative impacts on human rights and fundamental freedoms.

Many states that are likely to be future signatories to the treaty use this kind of language to strike down dissent. However, there is general support for the inclusion of limited exceptions on cyber-enabled crimes, such as online child sexual exploitation and abuse, and computer-related fraud.

There is no way we can reach a wide definition of cyber-enabled crimes unless it's accompanied with very strict human rights safeguards. In the absence of safeguards, the treaty should encompass a limited scope of crimes. But there's no agreement on a definition of safeguards and how to put them in place, particularly when it comes to personal data protection."

Duguin comments later in the article about the chances of the treaty being finalized and approved:

"Considering how the process has been going so far, I'm not very optimistic, especially on the issue of upholding human rights standards, because of the crucial lack of definition of human rights safeguards. We shouldn't forget negotiations are happening in a context of tense geopolitical confrontation. The CyberPeace Institute has been tracing the attacks deployed since the start of Russia's full-scale invasion of Ukraine. We've witnessed over 1,500 campaigns of attacks with close to 100 actors involved, many of them states, and impacts on more than 45 countries. This geopolitical reality further complicates the negotiations.

By looking at the text that's on the table right now, it is falling short of its potential to improve the lives of victims in cyberspace. This is why the CyberPeace Institute remains committed to the drafting process—to inform and sensitise the discussions toward a more positive outcome."

With the treaty likely not going to a vote until August 2024, there will be much more movement with the Russia-Ukraine war and other global events that will have an impact on any final draft and vote.

Microsoft Senior Government Affairs Manager John Hering, at a panel at the RSA Conference in April 2023, warned that governments may use the UN Cybercrime Treaty to violate human rights, arrest critics, and even target cybersecurity researchers who examine vulnerabilities.

"One of the biggest challenges is conflict of law. With these different legal instruments, every request we get, we need to evaluate that it's a lawful request that respects human rights and things like that," he said.

"This is a process that was kicked off by countries that seem to be a bit revisionist, and I think there are some concerns that it could cater to authoritarian and undemocratic interests when it comes to policing the digital environment. I think there's good reason to be concerned that this could include jeopardizing political activists, dissidents abroad. And also security researchers and white hat hackers. And people that have been kind of core to the cybersecurity framework for a while."