16 Jan 2024

UN Cybercrime Convention: time is running out to address draft’s urgent risks to human rights

In two weeks, final negotiations will begin on the UN’s proposed Cybercrime Convention, a document which has elicited widespread concern from civil society, industry groups and some states, due to the serious risks it poses to human rights including privacy and freedom of expression.

Since 2022, GPD and other groups, including EFF, Human Rights Watch and Privacy International, have sought to alert stakeholders within the process to the need for substantial revisions to the treaty’s text to avoid it becoming an instrument of surveillance and repression. As we enter crunch time in the discussions, we present below a rundown of the most pressing issues within the most recent draft (published in November last year), in the hopes that policymakers will mobilise to address them. 


It criminalises an overly broad range of offences (including those which only incidentally involve digital technologies)

As drafted, the Convention’s chapter on criminalisation is vastly overbroad. Instead of just covering the traditionally understood range of cybercrimes like illegal access or interference with computer systems, it goes significantly beyond this to capture a range of cyber-enabled crimes—which includes misuse of devices and computer fraud. Troublingly, it also captures content-based offences like intimate image sharing and grooming, due to overly broad definitions that risk clashing with the exercise of human rights: notably freedom of expression and access to information, privacy, non-discrimination, and the rights of the child. 

We’ve already seen how vaguely drafted cybercrime laws have been used to restrict online activity and violate human rights. Recent research by APC and Derechos Digitales maps where cybercrime laws have been used to stifle dissenting voices and criminalise those advocating on behalf of women and LGBTQIA+ people: from a trans influencer in Nicaragua forced into exile for social media posts, to an Egyptian human rights activist sentenced to two years in prison for a video on sexual harassment.

If exercised through a global, binding treaty, this would have disastrous outcomes for the freedom and security of all internet users globally.


It puts security researchers, activists and whistleblowers at increased risk

The draft’s criminalisation chapter fails to account for the protection of security research and other public interest activities that could be prosecuted according to the current provisions, harming both cybersecurity and the right to seek and receive information by whistleblowers and journalists. The effect of these drafting flaws is a Convention which will make us less secure: chilling the work of cybersecurity researchers and others by exposing them to excessive criminalisation of actions executed to improve digital security and benefit the public interest. This is the opposite of what a global Convention purporting to fight cybercrime should seek to achieve. 


It lacks meaningful human rights safeguards

While the scope of the treaty has been consistently enlarged throughout the drafting process, this has not been accompanied by the required and necessary human rights safeguards, despite repeated calls from GPD and other groups. In the present draft, they are entirely insufficient to prevent the abuses which the current wide scope facilitates. 

We are concerned with the latest draft’s deletion of a reference to the right to effective remedy regarding the proposed safeguards, and we continue to recommend more granular guidance on conditions and safeguards, such as the principle of prior authorisation for the accessing or sharing of data, and a guarantee that the investigatory powers provided for cannot be used to compromise the security of digital communications and services. 

Even the fragile safeguards included in the text risk being undermined if certain proposals are enacted. The current draft text limits the safeguards already established to the procedural measures chapter, which means there are no proper human rights protections for the activities pursued under the international cooperation and preventive measures chapters. This absence of robust safeguards is antithetical to the UN’s responsibility to ensure compliance with international human rights law.

We are particularly concerned by the inclusion in this draft (in the international cooperation chapter) of language referring to the possibility of preserving, accessing or collecting data “where the data are in the possession or control of a service provider located or established in that other State Party”. Without proper safeguards, this phrase creates the risk of mass extraterritorial surveillance: enabling states to secretly surveil individuals located in third states via service providers. With the current weak safeguards, nothing will prevent this from happening in total secrecy, without users whose data is impacted being notified. 

Many of the issues highlighted above are still italicised in the text, meaning that they are currently subject to informal and opaque negotiations. It is concerning that some of the proposals that would positively strengthen safeguards or limit the scope of the Convention are not reflected in the draft at this point, even those which seem to have wide support from states and other stakeholders in the process.


It has an uncertain (possibility limitless) remit

All the issues raised above are serious and troubling enough on their own terms. But the looseness of certain parts of the present draft raises the possibility that the scope and criminalisation of the treaty could be expanded even further in the future: raising the spectre of an limitlessly expanding, increasingly punitive framework.  

The key provision here is the current draft’s inclusion of an open ended reference to “applicable international conventions and protocols”. This is significant, because it opens the door to expanding without clear limits the offences that could be enforced through the treaty, transforming it from a cybercrime treaty to a general purpose one. 

States are continuing to discuss different approaches to this provision, including placing it within the criminalisation chapter or the international cooperation chapter (which could mitigate some of the risk), or removing it entirely. We are concerned by signals that the provision is likely to remain in some form, despite the uncertainty it introduces and the clear human rights risks this poses. We urge states to entirely remove this provision.

The cumulative effect of this provision and the aspects described above is that, in its current form, the draft Convention has a potentially limitless scope. This is an issue which has been rightly acknowledged by Canada alongside 39 other states and the EU, who have referred to a “continuous push” to widen the draft Convention’s remit.


Next steps

These fundamental flaws in the draft must be corrected. Otherwise, due to the risks it poses to human rights, the Convention should not be moved forward for adoption. 

In concrete terms, addressing these flaws would mean: 

  • Narrowing the scope of the treaty to cyber-dependent crimes;
  • Ensuring that security researchers, whistleblowers and journalists are not prosecuted for their legitimate activities;
  • Including strong human rights safeguards applicable to the whole treaty; 
  • Avoiding ambiguities by deleting reference to offences established by other undetermined international treaties; and,
  • Avoiding the use of the treaty as an instrument for state surveillance—by limiting the application of its procedural measures and international cooperation chapters to cyber-dependent offences established in the treaty.

For more detail on these suggested changes, read our full submission to the AHC on the latest draft.