New UN cybercrime convention has a long way to go in a tight timeframe

Cybercrime is a growing scourge that transcends borders, spreading across the boundaries of virtually all the world’s nearly 200 nation-states. From ransomware attacks to rampant cryptocurrency theft, criminal exploitation of borderless digital systems threatens global economic security and the political welfare of all countries.

Now, the United Nations has a major initiative to develop a new and more inclusive approach to addressing cybercrime. This revised global approach could spark new laws worldwide to battle cybercrime more effectively. However, concerns over the scope of the emerging international convention and its possible threats to free speech, privacy, and cybersecurity research, among other issues, have emerged following the recent release of early drafts of the new convention.

Cybercrime convention aims to be more global

On December 27, 2019, the United Nations General Assembly adopted a resolution to counter the use of information and communications technologies for criminal purposes. Through the resolution, the General Assembly established an open-ended ad hoc intergovernmental committee of experts from all countries to create the cybercrime convention, which will be voted on by the General Assembly at its 78th session starting in September.

This convention will supplement a convention on cybercrime developed in the 1990s and signed in Budapest in 2001, commonly referred to as the Budapest Cybercrime Convention. The Budapest Convention resulted in the first international treaty to define crimes committed via the internet and other computer networks. It went into effect in 2004, with updates adopted since then, most recently in 2022.

Sixty-seven countries ratified the Budapest Convention, with two additional countries, Ireland and South Africa, signing the convention but not ratifying it. The ad hoc committee aims to create a new cybercrime convention that is more widely adopted and influential than the Budapest Convention.

“The US and lots of other like-minded countries have been saying that we have the Budapest Convention on Cybercrime,” Chris Painter, president of the Global Forum on Cyber Expertise Foundation and the former top cyber diplomat for the US, tells CSO. “That’s great. But a number of countries, led by Russia and China, said they wanted a new UN convention since they weren’t part of the original negotiation of the Budapest Convention. So, the US and others said, ‘Okay, we’ll fully participate.’”

A new convention would enable “us to more swiftly, in a more modern manner, exchange information to pursue and bring to justice those who abuse computer systems,” Ambassador Deborah McCarthy, US lead negotiator on the Ad Hoc Committee for the Department of State, tells CSO. “This makes it truly global.”

Due to the tight timeframe to meet the September deadline, the working groups assigned to hammer out the new convention presented compilations of draft texts of the proposals at the fourth session of the Ad Hoc Committee in Vienna that concluded on January 20.

Bad cybercrime policies can come out of the process

The critical characteristic of any new cybercrime convention is that it could, when implemented, have the same force as federal legislation, Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation (EFF), told attendees at this year’s Shmoocon conference. EFF, along with Painter’s group and more than 74 digital and human rights organizations, are participating in the Ad Hoc Committee’s discussions at the encouragement of committee chair, HE Ms. Faouzia Boumaiza Mebarki of Algeria, to get views of “non-governmental organizations, civil society organizations, academic institutions, and the private sector.”

Because of this force of law, treaties resulting from conventions can “short circuit” the political process. “We have seen some bad policies come through the treaty process and then get adopted here in the states,” Opsahl said. For example, the Digital Millennium Copyright Act (DMCA), “which we’re not really big fans of,” mandated that US copyright law comply with two treaties established World Intellectual Property Organization (WIPO).

Cybercrime convention scope should be narrow

From Painter’s perspective, the fundamental questions in the current negotiations center on what’s in and out of the convention’s scope. “Those are the two things we’re dealing with, and they’re both difficult issues. The US, the EU, and others have been pretty clear that they think it should be restricted to real cybercrimes. There might be a couple of exceptions like child exploitation or things like that, but not every crime that may be cyber-enabled [should be included] because that’s everything; that would be every crime.”

Ambassador McCarthy underscores Painter’s point, emphasizing the cybercrime nature of the convention more broadly, saying, “This is not about cybersecurity, it is not about internet governance, it’s not about covering speech crimes or terrorism. Our aims are not broad; they’re quite narrow.” Likewise, when it comes to some countries’ goals of including a range of cyber-enabled crimes, “If you add all the cyber-enabled crimes that a number of countries would like to have, they touch on freedom of expression and freedom in general,” she says. “And we do not want to see that in this instrument.”

“It’s a very long treaty,” EFF’s Opsahl said at Shmoocon. “It covers a lot of things. It would be best if it is limited to cybercrime.”

Lots of room for improvement

The drafts released at the fourth session in Vienna point to a range of provisions that go far beyond the strict parameters of cybercrime, suggesting room for improvement before the US and its like-minded allies could agree to a new convention.

The first area for improvement is in the area of civil disputes, such as violating a site’s terms of service, “which should not be a crime,” Opsahl said. However, many of the ways that the cybercrime provisions are being written “could certainly have an interpretation that unlawful conduct would include contract violations. They should make it clear in the statute, in these proposed articles, that this is not going to be criminalizing civil disputes.”

Another area to watch out for is clarifying the nature of intent when it comes to provisions that criminalize “the serious and unlawful hindering of the functioning” of a computer system. “Intent is that difference between finding a vulnerability, proving it up, and helping the world with that information, and going, and exploiting it,” according to Opsahl.

Painter agrees, saying “you don’t punish researchers. As lawyers say, you actually have to have mens rea or mental state for these crimes, and not if you engineer something, suddenly you’re liable.”

Including speech content in cybercrime treaty could endanger rights

Perhaps most concerning are the draft sections that criminalize the content of speech, such as extremism or terrorism. “Many countries who will be signatories to this treaty use similar language to strike down dissent and say that anyone who’s opposing the regime is spreading sedition is spreading strife and hatred,” said Opsahl. “This has been used far too often to endanger rights. There are no agreed international definitions of what these kinds of terms mean.”

“What is cyber terrorism?” Painter asks. “What does that mean? To Russia, it might mean someone disagreeing with Putin. The Chinese representative reportedly said in one of the meetings that he wanted to introduce a substantive crime about disinformation, but he was talking about people spreading rumors about natural disasters or the pandemic.”

“Terrorism is handled in other fora, violent extremism is handled in multiple fora,” McCarthy says. “This particular instrument is not appropriate for these things that are being handled in other fora. If you try to incorporate all these other things on which there is sometimes no final agreement, it goes beyond being a crime instrument, and the process will never conclude.”

A broad desire for something tight, nimble

Despite these and other thorny issues, McCarthy says she is heartened at how the process has brought “more people under the tent” and how only a handful of countries have a list of demands that would threaten the acceptance of a new convention. She has faith in the caliber of the policy people and practitioners on the US team, which includes experts from the Department of Justice.

During a fifth session in April, small subgroups of the ad hoc committee will tackle “the difficult things that we ran into on the fourth session,” she says. In addition, the teams will continue negotiating between sessions. “There’s a broad desire to have something tight and nimble.”

The crunch time will come before the sixth session in late August, by which time the committee chair will have produced what is called the zero draft or the last draft version of the convention. “So, there’s not a lot of time,” says McCarthy.