On eve of final negotiations, US says consensus growing around ‘narrow’ UN cybercrime treaty

The U.S. government is holding firm in its desire for a much narrower version of a United Nations Cybercrime Treaty than the draft released in November, on the eve of a final round of negotiations later this month.

Russia and several allies started the effort for the treaty in 2017, with the professed hopes of developing global rules addressing the thorny issue of transnational internet crimes.

The U.S. initially accused Russia of simply wanting to circumvent existing international rules, but eventually decided to get involved in the process when other countries showed interest in a new treaty covering cybercrime.

In a media briefing for reporters last week, a senior State Department official deeply involved in the negotiating process said the core debate happening right now is over the difference between “cyber enabled crimes,” which cover any offense involving technology or the internet, and “cyber dependent crimes” — offenses that did not exist before the advent of the internet.

“The former definition is so expansive, it is so broad that — with the concurrent proposals for additional crimes — it is clear that the aim is to control the information space, something that is not acceptable to us,” the official said.

“Because it would cover so many more countries with whom we do not have trusted relationships, it has to have heavy safeguards and human rights language as part of any final instrument.”

The U.S., its allies and certain other countries want the treaty to focus on “cyber dependent crimes” and law enforcement mechanisms that enable broader collaboration between governments in stopping cybercrime. Russia and China have sought to make the treaty more expansive, covering any crime involving technology or the internet.

The most recent draft prompted outrage from tech giants, human rights organizations and many others who said the treaty in its current form criminalizes cybersecurity research, ignores human rights entirely and erodes data privacy on a global level.

Dozens of the world’s largest human rights organizations — including Human Rights Watch, Electronic Frontier Foundation and Access Now — published an open letter on Tuesday arguing that if the treaty is not meaningfully changed and narrowed to focus solely on tackling cybercrime it should be rejected.

“Absent meaningful changes to address these shortcomings, the Convention should be rejected. Civil society groups have contributed time and expertise to improve the draft and fully align it with existing human rights law and standards, the principles of the UN Charter and the rule of law, as well as best practices to provide legal certainty in efforts to improve cybersecurity,” they said.

“National and regional cybercrime laws are regrettably far too often misused to unjustly target journalists and security researchers, suppress dissent and whistleblowers, endanger human rights defenders, limit free expression, and justify unnecessary and disproportionate state surveillance measures.”

They said the latest draft “fails to address” many of their concerns and the “risk of abuses and human rights violations will increase exponentially and leave us with a less secure internet.”

The organizations took issue with the broad scope of activities it requires signatories to criminalize and warned that countries could interpret parts of it to effectively “criminalize legitimate online expression.”

The draft law has “insufficient” references to human rights law and does not incorporate language that protects researchers, activists and journalists, they said.

EFF’s Katitza Rodriguez, who has been heavily involved in the treaty process, told Recorded Future News that the current treaty offers “nations undue authority to access data held by foreign companies, potentially breaching international privacy laws.”

“It dangerously expands its jurisdiction, encompassing a broad range of non-cybercrimes, and retains the problematic expansion of evidence collection and sharing across borders for serious crimes, some of which may contravene human rights laws,” she said.

“The treaty needs more than just minor adjustments; it requires a complete overhaul towards a more focused, narrowly defined approach to tackle cybercrime including its surveillance powers. Above all, human rights must be the treaty's cornerstone, not an afterthought.”

State Department stance

The committee at the center of the treaty’s creation will convene at the U.N. from January 29 to February 9 for the seventh and final negotiating session. After that, a report will be issued and a General Assembly vote will likely be held at some point in September.

The State Department official who spoke to reporters last week noted that the U.S. is already party to several other international cybercrime instruments — like the Budapest Convention — and will vote against the new treaty if it does not narrow its scope and include human rights protections.

Adopted in 2001, the Budapest Convention was the first cybercrime treaty ever created and was signed by at least 68 countries. Dozens of other countries, like India and Russia, have declined to adopt it.

“In the informal [discussions] that we've had since [the August negotiating sessions in New York]... there's been a concerted push back on these proposals, not only by the United States, but an interesting number of small and medium states. Working with our allies and partners we've been able to push back and note objections, note language contradictions, etc. And [we’re] very much emphasizing that the time is short,” the official said.

“I think there's also a sense that because the airtime was taken up in the last open session by a number of countries such as Russia, China, Iran, Pakistan, that somehow they had taken over the process and were dictating what would be in the final [draft] and I must say that we're trying to disabuse that notion.”

During that session, countries like Russia and China added dozens of crimes to the treaty which were not originally present.

Since that negotiating session in August and the subsequent draft released in November, the U.S. and several states have met formally and informally to discuss ways to narrow the treaty and include “strong human rights language and safeguards.”

The official noted that one of the biggest fights is over obligations imposed on internet service providers. Russia and several other countries, according to the U.S. official, are trying to use the treaty as a mechanism to force ISPs to hand over customer data not only in their own countries but internationally.

“There were many attempts to have the long arm of this treaty touch our service providers or major companies. A number of countries [are] frustrated that they couldn't get information directly from many of our large companies and wanted to use this treaty to force companies to give up information,” they said. “And we have held firm on that as well.”

The official confirmed that there are “red lines” or versions of the treaty that would force the U.S. to vote against it.

“There is no broad consensus on watering down the human rights safeguards, so that gives us reason for optimism,” the official said, noting that several countries have adopted the Budapest Convention since the treaty process began.

“But certainly we're not going to accept an instrument, for we do not need an instrument by any means.”

The official noted that currently, the “numbers are good” in support of a treaty that is narrow and focused on crimes that did not exist before the advent of the internet, alongside limited rules around one cyber-enabled crime: material related to the exploitation of children and online recruitment of minors. The U.S. official said that based on the small informal sessions they have held, there is “no consensus on a broad expansion of the scope” of the treaty.

In an effort to fix the last draft that was published, New Zealand and Canada have proposed new human rights language to add to the treaty, which the U.S. supports.

The additional articles would focus on making sure the treaty is not interpreted as “permitting or facilitating repression of expression, conscious opinion, belief, peaceful assembly, association, etc,” they added. Some of the other additions focus on anti-discrimination clauses or other measures that protect free speech online.

The State Department official also took time to dispute complaints from human rights groups that the U.S. was supporting efforts to expand surveillance and widespread data sharing among governments.

The U.S. is fighting for safeguards that would govern the sharing of electronic evidence for serious crimes, they said, noting that the U.S. already has domestic rules about data sharing that they would have to abide by.

Another criticism from experts centered around the lack of protections for researchers doing good-faith cybersecurity research and pentesting.

The State Department official said language in the treaty is “sufficient” but conceded that many in the cybersecurity industry do not agree. At least one representative proposed a carve-out for cybersecurity research, which met opposition by countries who claimed people with “nefarious intentions… could shield criminals by saying they were researchers and testers.”

There is language in the treaty governing “illegal access to systems with permission” which would make space for researchers to test systems without fear of prosecution, the official said.

“Clearly, those who proposed [the treaty] wanted to control the information space beyond their national borders,” they said. “We have our own interests, but we're definitely seeking to prevent that.”