Microsoft joins opposition to current version of UN cybercrime treaty
Microsoft is the first large tech company to come out against the current draft of a cybercrime treaty being debated this week at the United Nations.
In a LinkedIn post on Tuesday, a representative from the company’s cybersecurity policy wing warned that the current draft of the treaty is too broad in scope and leaves too much to interpretation. The critiques mirrored warnings aired last week by representatives from multiple human rights groups involved in the treaty negotiations.
“The risk is that the treaty will not be a tool for prosecuting criminals but rather a weapon that allows for intrusive data access and surveillance instruments. The result could be an international agreement granting authoritarian states the power to suppress dissent under the guise of fighting cybercrime,” Amy Hogan-Burney, Microsoft associate general counsel, wrote.
“States need to adopt a treaty that strengthens the fight against cybercrime. It should not provide an avenue for authoritarian states to criminalize online content, introduce new surveillance powers, expand cross-border government access to personal data, or potentially criminalize common security practices because of ambiguity in the text.”
For the last two weeks, U.N. member states have been in the sixth round of negotiations on the treaty, although this is the first debate over an actual draft of the text. The current line-by-line negotiations are scheduled to run until September 1, and once the final text is hammered out, member states will reconvene in January, when the treaty could be passed either by consensus or by a two-thirds vote in the General Assembly.
So far, there are deep disagreements about issues both big and small — including even basic topics like the definition of “cybercrime.” Many states, led by Russia and China, want an expansive treaty that would leave room for countries to effectively make their own localized determinations on what cybercrime is.
The United States, European Union, several Latin American states and others are arguing for a more targeted treaty focused on core cybercrime offenses, as well as expanded surveillance and law enforcement cooperation between countries.
Hogan-Burney said countries should look at the treaty as an opportunity to create common definitions encouraging global cooperation in countering cybercrime and shaping international law.
She raised several issues with the treaty, including expansive provisions that allow governments to access personal data, conduct real-time surveillance and effectively request data from any country on any crime — even those not typically considered cybercrimes.
“The draft treaty also does not contain transparency safeguards to allow data custodians to notify targets of surveillance – or even the country in which the target resides – of an ongoing investigation. Surveillance could unfold in total secrecy, undermining human rights and national security,” she explained.
“Such a broad expansion of state surveillance powers will inevitably clash with existing data protection standards around the world, lead to significant jurisdictional disputes, and ultimately undermine rather than boost global efforts to fight cybercrime.”
Ideal conditions for cybercrime
She also echoed a concern raised last week by Raman Jit Singh Chima, Asia policy director at the digital rights organization Access Now, that the text does not contain language protecting cybersecurity researchers who need room to keep the digital ecosystem secure.
Ethical hackers working to identify vulnerabilities, simulate cyberattacks, and test system defenses need to be protected, she said, noting that several provisions are “too vague and do not include a reference to ‘criminal intent,’ which would ensure activities like penetration testing remain lawful.”
She went on to argue that if the issues raised are not addressed, the treaty would end up creating the “ideal conditions for cybercrime to thrive.”
To fix the treaty, Hogan-Burney suggested negotiators align it with existing data protection standards to avoid conflict in the law; focus on criminalizing illegal access to computer systems; limit data access to a narrow set of crimes; and avoid expanding the definition of cybercrime to “broadly encompass online content.”
Extradition measures should be strengthened in an effort to get rid of safe havens that allow cybercriminals to launch attacks without fear of repercussions, she added.
Like rights groups last week, she argued that the text of the treaty must include human rights safeguards that outline concepts like independent oversight, the right to appeal, and mechanisms to redress issues.
In one key section of her post, she said the treaty should include ways for companies like Microsoft to challenge government demands for customer data or at the very least allow them to notify customers when they are forced to hand over data.
“So far, progress at this 6th session has been slow as countries continue to debate the content of the treaty and it remains to be seen what the outcome will be by the end of the week,” she explained.
“As the UN member states convene to discuss the next treaty draft this week, they should follow clear standards that balance human rights with efforts to fight cybercriminals.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.