Latest UN Cybercrime Treaty draft a ‘significant step in the wrong direction,’ experts warn

Dozens of cybersecurity experts and human rights groups have criticized the latest draft of the controversial UN Cybercrime Treaty currently being negotiated by member states, with some saying that it is significantly worse than the first draft.

Several experts involved in the negotiating process told Recorded Future News that the draft published late last month would effectively criminalize cybersecurity research and overlook human rights.

“The latest UN cybercrime treaty draft not only disregards but also worsens our concerns. It perilously broadens its scope beyond the cybercrimes specifically defined in the Convention, encompassing a long list of non-cybercrimes,” said Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation (EFF).

“This draft retains the concerning issue of expanding the scope of evidence collection and sharing across borders for any serious crime, including those crimes that blatantly violate human rights law. Furthermore, this new version overreaches in investigating and prosecuting crimes beyond those detailed in the treaty.”

The treaty draft was prompted by a UN General Assembly vote in December 2019 to begin negotiating a cybersecurity accord after Russia took issue with the previous agreement — the Budapest Convention — and demanded something new to address the issue.

After seeing the first draft in August, human rights groups and even tech industry giants like Microsoft warned that significant changes need to be made to stop the treaty from being used by governments as a tool of repression. An updated draft was published on November 28, following lengthy negotiating sessions.

‘Blatant disregard of our input’

Rodriguez said the initial draft of the treaty limited its scope to a detailed list of crimes involving technology. Rodriguez added that EFF is “deeply troubled by the blatant disregard of our input” which “moves the text further away from consensus.”

“This isn't just an oversight; it's a significant step in the wrong direction,” she explained, noting that the original treaty was aimed at combating cybercrime but has since “morphed into an expansive surveillance treaty, raising the risk of overreach in both national and international investigations.”

The new draft retains a controversial provision allowing states to compel engineers or employees to undermine security measures, posting a threat to encryption, according to Rodriguez.

It also empowers states to cast a wider net by accessing data stored by companies abroad, potentially in violation of other nations’ privacy laws.

“This new text not only falls short of reining in its intrusive surveillance powers but also endangers human rights, global cooperation, and cybersecurity; thereby undermining its original cybercrime-fighting intent,” she said in an email.

Human Rights Watch acting associate director Deborah Brown said the latest draft is “primed to facilitate abuses on a global scale” because it gives governments expansive cross-border powers to investigate “virtually any imaginable crime – like peaceful dissent or expression of sexual orientation – while undermining the treaty’s purpose of addressing genuine cybercrime.”

“Governments should not rush to conclude this treaty without ensuring that it elevates, rather than sacrifices, our fundamental rights,” she said.

Governments will hold further negotiating sessions on December 19 and 20 in Vienna before the draft is considered in New York at the end of January. The treaty will be voted on by the full assembly during that January session.

Since the initial draft was published, member states have battled over issues both big and small — including even basic topics like the definition of “cybercrime.” Many states, led by Russia and China, want an expansive treaty that would leave room for countries to effectively make their own localized determinations on what cybercrime is.

The United States, European Union, several Latin American states and others are arguing for a more targeted treaty focused on core cybercrime offenses, as well as expanded surveillance and law enforcement cooperation between countries.

Human rights activists and cybersecurity experts have been alarmed by stances taken on both sides, expressing concern about how the treaty will be abused by dictatorships as well as countries like the U.S. that are seeking to expand its surveillance capabilities on a global scale.

A U.S. State Department spokesperson told Recorded Future News that the treaty is still under negotiation and they are preparing for the upcoming seventh round of negotiations.

The spokesperson said they have “worked closely with U.S. stakeholders in this process and welcome their contributions.”

“We look forward to working with Member States to finalize the treaty during the next session scheduled for January 29 to February 9, 2024 in New York,” the spokesperson said.

Tech industry backlash

Human rights groups aren’t the only ones criticizing the treaty — the tech industry has lodged similar complaints about the treaty’s lack of protections for cybersecurity researchers.

The Cybersecurity Tech Accord — a global industry group representing more than 157 large tech companies including Microsoft, Meta, Oracle, Cisco, SalesForce, Dell, GitHub, HP and more — published a warning this week saying it is “gravely concerned” by the direction of the UN cybercrime treaty negotiations and called for “extensive changes over the final draft text.”

The Cybersecurity Tech Accord has been participating in the cybercrime treaty negotiating process since it began in 2021.

The group warned that if adopted in its current form, the treaty would “erode data privacy, weaken cybersecurity, and undermine online rights and freedoms across the world.”

The latest draft, they said, added concerning new provisions that cover any crime involving the use of technology, extend extraterritorial surveillance without safeguards, and allow legitimate cybersecurity research and penetration testing to be criminalized.

“Without significant changes, this Convention will facilitate, rather than reduce, crime online,” said Nick Ashton-Hart, the Tech Accord’s head of delegation to the negotiations.

“Among its many flaws are that it allows legitimate cybersecurity research and penetration testing to be criminalized. These activities are fundamental to securing online systems from criminal abuse. Creating legal hazard for these professionals will make systems globally more vulnerable to cybercrime, exactly the opposite of the Convention’s stated purpose.”

The organization noted that it previously raised its concerns with the negotiating parties, providing comments and text suggestions to nations. But the latest draft did nothing to address them.

Their main concerns include:

• The removal of sections that limit the treaty’s powers to narrowly-defined cybercrimes
• Nation-state surveillance across borders without safeguards
• Now-optional protections for cybercrime victims
• Expansion of the “online fraud” concept

Ashton-Hart added that any UN member state should be concerned about creating a convention “that allows every government in the world to transfer the personal information of citizens between themselves in secret in perpetuity, and to force the service providers who are responsible for that data to hand it over without any ability to object or refuse on any grounds.”

He expressed particular disappointment with democratic states, virtually all of which “have not objected to this glaring lack of transparency and due process given it isn’t congruent with their own legal systems – or with democratic values.”

Dev Stahlkopf, chief legal officer at Cisco, said that while international alignment on the investigation and prosecution of cybercrime is needed, respecting privacy and human rights is paramount.

The group said the treaty needs to be narrowed to focus only on cyber-dependent crimes, limit the definition of cybercrime to stop the potential for states to use the treaty as a means of repression, limit government access to personal data, add in robust human rights safeguards and provide exemptions for cybersecurity researchers.

Backsliding

Raman Jit Singh Chima, senior international counsel for Access Now, told Recorded Future News that the latest draft walks back some of the discussions that were had in New York in August.

In many ways, the latest draft reopens areas that human rights experts thought had been shut down based on discussions with negotiating parties. Many potential additions related to human rights, safeguards and procedural checks were not included in the new version.

It appears, he said, that the treaty was negotiated down conservatively in order to accommodate the concerns of some negotiating states who “seem to be averse to civil society being specifically mentioned in the treaty.”

“What's particularly concerning from our perspective is that this treaty does not address the concerns relating to providing strong safeguards and clarifying that the work of security researchers as well as the legitimate security research that might be conducted by journalists, civil society and others, should not be included in the scope of criminalization,” he said.

Negotiating states have not learned from the mistakes seen with the Computer Fraud and Abuse Act in the U.S. and other laws that have been used to charge and imprison cybersecurity researchers, he said.

Singh Chima added that any laws based on the treaty would create legal uncertainty and “a potential chilling effect” to legitimate security research.

Based on the current draft, he said it is unclear whether it has a chance of advancing considering how little time is left for negotiators.

“It's quite unclear at this point of time whether there will be full consensus achieved in the January-February session. Negotiating states would barely have a few weeks after [the December 18th session] to further improve the text for substantive negotiations, so right now, the odds are stacked against this treaty reaching consensus,” he said.