Last week the UN’s Ad Hoc Committee on Cybercrime (AHC) concluded its third substantive session, where member states finished giving their views on what should be included in some of the main chapters of the proposed convention.
The stakes of this process are high for human rights in the digital environment. Cybercrime legislation—including the scope of offences, procedural powers, mechanisms for international cooperation and relevant safeguards—can impact human rights in positive or negative ways, particularly the rights to freedom of expression, privacy and due process.
The previous AHC session in June had covered the scope of criminalisation, general provisions and the provisions on procedural measures and law enforcement; this time, discussion focused on international cooperation, technical assistance, preventive measures and the implementation mechanism. Below, we look at each of these areas in detail, distil the main areas of agreement and disagreement, and consider what’s next.
International cooperation is at the crux of discussions on a UN cybercrime convention. Most countries are engaging in these discussions because they want to strengthen international cooperation on cybercrime.
In essence, international cooperation mainly refers to two main things: ‘moving people across borders’ (achieved through the mechanism of extradition) and obtaining evidence (achieved through the mechanism of mutual legal assistance).
As with many elements of this convention, the main areas of discussion came from how expansive international cooperation should be, what safeguards should be in place (and, how stringent those safeguards should be), and its relationship to national legislation (what should be included in the convention itself/or how specific the convention itself should be and what should be left up to domestic legislation).
Before the meeting, states provided their views in response to guiding questions from the Chair. In the meeting, there were notable disagreements among states, including on whether the scope of international cooperation should be limited to serious crimes (and how such crimes should be defined) or should cover a wider range of crimes. Some states—including Russia, Brazil, Egypt, India and the Philippines—favour casting the widest possible net for international cooperation. Others want to see international cooperation limited to the crimes included in the convention and a list of ‘serious crimes’ (e.g crimes defined within existing instruments and/or with a certain imprisonment sentence); this is the position of Canada, Germany, Nigeria and others.
The majority of states would like to see the exchange of e-evidence for a broader range of crimes. However, exactly what that means in practice—and what limitations there would be on exchange of e-evidence—is less clear. Would it mean clauses on data preservation (and for how long)? It’s also important to note that there isn’t a single agreed definition of e-evidence; for reference, see the European Commission’s definition.
All these questions highlight the need for strong safeguards in any convention, including data protection safeguards. Again, this is not an area where member states agree. The European Union, for example, has proposed a separate article on data protection, whereas the US argues this could unnecessarily hinder international cooperation by setting ‘overly’ stringent requirements on cross-border data sharing. Member states also disagreed on how to ensure protection for human rights. Should the convention set out to include express safeguards in relation to provisions, or simply make reference to existing human rights instruments? Other legal and procedural safeguards include dual criminality clauses, which require that the offence be punishable under the domestic law of both states.
It’s important to bear in mind that, at this point in the discussions, member states have not yet even agreed what cybercrime is. In this meeting, many states referred to the need to revisit these questions on international cooperation once the definition and scope of cybercrime has been locked down. But from a human rights perspective, while it is important for the scope of criminalisation to be narrow and limited to cyber dependent crimes, it is equally important that the strongest human rights safeguards are included within the international cooperation provisions. Without the mechanisms of international cooperation railed in by clear and high thresholds, as well as strong legal and procedural safeguards, there is a risk, as pointed out by the Electronic Freedom Foundation, that the convention will become a general purpose investigative tool, with wide-ranging and negative impacts on human rights.
Preventive measures and technical assistance
Discussions around preventive measures and technical assistance were also dominated by questions around the scope and range of the convention.
Depending on the scope of criminalisation and international cooperation, preventive measures could include capacity building for law enforcement and obligations imposed on companies to maintain certain cybersecurity standards. There was some overlap on these topics in discussions, as most states see preventive measures as covering both increasing law enforcement agency (LEA) capacity and raising awareness of cybercrime ‘threats’, which includes working with non-state actors. This is also an area where human rights could be impacted (e.g where LEAs are provided with methods to carry out intrusive offensive cybersecurity operations). For that reason, from a human rights perspective, technical assistance should also be narrowly focused, inclusive of all stakeholders and transparent. Member states seemed to agree that working with non-state actors on these areas was important, but disagreed on other areas, including whether cybersecurity obligations should be imposed on private sector actors. The US and other Western grouping states were adamantly opposed to this, arguing that it was out of scope and should be left to voluntary frameworks.
On this topic, Brazil garnered much attention and discussion for its proposal that member states conduct mappings or scopings of their national-level ‘needs’ in the area of technical assistance and submit these to the Secretariat. There was general support for this proposal, although a number of NGOs and member states pointed out that the role of non-government stakeholders should be reflected in the proposal—through, for example, a call for inclusive consultations to assess and identify needs. It is yet to be seen whether the full proposal will include this call and/or how member states will engage with the proposal.
Mechanism of implementation
There was also strong disagreement on the topic of how the treaty should be implemented. The discussion on this topic was preceded by a presentation on how other UN criminal justice treaties (UNTOC on transnational crime and UNCAC on corruption) deploy mechanisms for monitoring and implementation. Some, including Brazil and the EU, wanted to see a review mechanism established which is based on the UNTOC and UNCAC models, and would be overseen through a Conference of State Parties. Nigeria raised concerns about the inclusivity of the UNTOC and UNCAC models (which include limited member state membership in the Conference itself), while Norway argued that the UNCAC mechanism is ‘complex’ and needed to be simplified for any possible cybercrime convention.
The US put forward a different proposal, citing, among other reasons, the financial cost of a Conference of Parties (a point which was echoed by other member states ). Instead, they want to see the existing Commission on Crime Prevention and Criminal Justice be tasked with more specific, ‘lighter’ with the UNODC in a supporting role as Secretariat.
In the end, it was agreed that it was too early to agree on a mechanism.Instead, some concrete proposals and some more vague ideas were put on the table to be debated later, when there is greater clarity on the scope of the convention. Ultimately, this represented a kicking down the road of a controversial subject. In any case, it is unlikely the UN would set up anything drastically new—the very least member states can agree on is that whatever the mechanism is, it should build on or be modelled on something that already exists.
As for the preamble, which will sit at the top of the convention, nothing could be agreed here either. The preamble matters, because as pointed out by a commentator elsewhere, “the preamble text is often a contentious area of debate, as States try to include references to resolutions/conventions/organisations that they feel are most sympathetic to their values.” It could also make reference to the development of future additional protocols. A number of states (Australia, Chile, EU, Germany, Ghana) suggested that the preamble include a provision defining the relationship of the convention with other treaties (modelled on a similar article in the Budapest Convention). Other states—surprisingly Iran and the US sided together on this one—said that this would be unnecessary. Japan, Netherlands, New Zealand, Nigeria, South Africa suggested the preamble state that the convention should be considered as complementary to other instruments and would not supersede them. From a human rights perspective, as we recommend in our submission, the Convention should include in its preamble a clause that explicitly refers to international human rights law and, in particular, the International Covenant on Civil and Political Rights.
Others preferred to sit on the side, asserting that it was too early to discuss this part. Indeed, this was the prevailing mood and attitude of discussions. The second and third substantive sessions of the Committee, collectively known as the ‘first reading’, were opportunities for member states to share perspectives and put proposals on the table and to ‘understand’ what likely negotiating positions will be on the key topics. Both substantive sessions have therefore been, as predicted, a sign of how challenging the negotiations will be.
While there are some areas of agreement (e.g that the convention should build on and complement existing treaties), after tens of hours of discussions, hundreds of pages of cumulative statements and submissions on each of the main topics of the convention, everything is still to be played for. A lot hinges on the scope of criminalisation that is yet to be agreed.
The second reading of the convention—which is where the draft text will be discussed—will begin in January 2023. Next to come is the zero draft, a copy of which will be shared at some point towards the end of the year.