First draft of controversial UN Cybercrime Treaty slated for June

SAN FRANCISCO — The first draft of the UN Cybercrime Treaty will be released in June after years of debate and concern over what the document might cover.

The UN General Assembly voted in December 2019 to begin negotiating a treaty centered around cybercrime after Russia took issue with a previous agreement – the Budapest Convention – and demanded something new to address the issue.

Jane Lee, senior counsel for computer crime and intellectual property at the U.S. Justice Department, said at the RSA Conference Thursday that she had just returned from the fifth negotiating session in Vienna, explaining that progress was made on an initial draft that will be released on June 28.

“Our objective in that process is a focus on criminal justice, which is aimed at improving the investigation and prosecution of cybercrime. We want that treaty to be firmly grounded in human rights, fundamental freedoms and rule of law,” Lee said.

“June 28 is an important date because that is when we’ll have a test from which to start negotiations. Up until this point, we’ve been sharing ideas, proposals, opposing proposals. But after June 28, we will have the basis for our next session in August in New York.”

During the meeting, member states raised a range of issues, including international cooperation on law enforcement operations, technical assistance, cybercrime prevention, implementation plans and more, she said.

Lee noted that one of the biggest issues is not creating an overlapping law or one that would be at odds with the Budapest Convention, which was created in 2001 and provided the basis for international cooperation around cybercrime.

The Budapest Convention and other agreements “are working and are already actively combating cybercrime issues,” she said. “So we don't want to start from scratch when we don't need to,” she said, noting that 68 countries agreed to and abide by the Budapest Convention alongside 20 others with varying degrees of fealty to the document.

“We don't want this instrument to undermine existing tools and channels for cooperation that exist.”

Lee added that the Budapest Convention already serves as the basis of local laws around the world, providing countries with a base from which to build out their own cybercrime conventions. The UN Cybercrime Treaty would do the same, if passed, she added.

Challenges to the treaty

Representatives from Microsoft and Google appeared on the panel alongside Lee, highlighting several other concerns they have as two of the biggest companies that typically face subpoenas or legal requests from governments.

Microsoft Senior Government Affairs Manager John Hering warned that governments may use the UN Cybercrime Treaty to violate human rights, arrest critics and even target cybersecurity researchers who examine vulnerabilities.

“One of the biggest challenges is conflict of law. With these different legal instruments, every request we get, we need to evaluate that it's a lawful request that respects human rights and things like that,” he said.

“This is a process that was kicked off by countries that seem to be a bit revisionist, and I think there are some concerns that it could cater to authoritarian and undemocratic interests when it comes to policing the digital environment. I think there's good reason to be concerned that this could include jeopardizing political activists, dissidents abroad. And also security researchers and white hat hackers. And people that have been kind of core to the cybersecurity framework for a while.”

So far, the only documents released have been amalgamations of ideas from each country, making it difficult to know what will be in the document and what will be left out.

Lee said there will be intense discussions between nations once the first draft is released in June. After the August meeting, more debates will take place before a final draft is put together at a meeting in January 2024.

The treaty will go to a final vote at the UN General Assembly in August 2024. When asked about the likelihood of the deal falling apart, Lee said the U.S. was optimistic that consensus could be reached. But she acknowledged that if the deal came down to a tight vote, it “wouldn't be in anyone’s interest.”

“An international instrument is really only as effective as how much participation it has. If you’re talking about an instrument that doesn't have widespread accession, it's not going to be a valid instrument at the end of the day,” she said.