
UN cybercrime treaty lead negotiator: US will suffer if it doesn’t vote yes

There will be serious consequences if the United States does not vote in favor of a recently agreed upon and controversial United Nations cybercrime treaty, a key American diplomat said Friday.

The treaty — which would be the first cybersecurity legal framework accepted by consensus among all U.N. member states — is expected to sail through the General Assembly after it received unanimous approval by the body’s Ad Hoc Committee on Cybercrime in August. 

But in recent weeks, Biden administration officials have publicly acknowledged concerns about the treaty in its current state. Human rights advocates have warned that it would enable surveillance on a massive scale, and allow countries to spy on individuals in secrecy. The tech industry and the U.S. Chamber of Commerce also oppose the treaty.

“It would be unheard of for us to pull out of consensus after we led the system and joined,” said Ambassador Deborah McCarthy, the lead U.S. treaty negotiator for the ad hoc committee, during a discussion hosted by the Center for Strategic & International Studies. “There'd be huge disappointment if all of us in the U.S. were to say, ‘You know, we're not part of this.’ And I think that would drive a big wedge at the U.N.” 

Calling a forthcoming U.N. General Assembly vote to ratify the treaty a “pretty much pro forma process,” McCarthy said that her team has polled other democracies and found that none of them plan to vote no.

Despite the intense pushback from industry and human rights leaders, McCarthy said the treaty is ultimately a good agreement governing cybercrime data sharing globally.

A wave of pushback

Critics say certain language in the treaty would allow countries like Russia and China to carry out human rights abuses. 

For example, crimes carrying sentences of four years or more, which the treaty labels serious crimes, will trigger a provision which requires governments to assist each other with investigations and share data, they say.

The treaty defers to individual governments to provide human rights protections, Deborah Brown, the deputy director for technology and human rights at Human Rights Watch, said via email.

“The treaty requires states to establish expansive electronic surveillance powers to investigate and cooperate on a wide range of crimes, even offenses where no information and communication system is involved in the commission of the crime,” Brown said. 

“With greater surveillance powers should come more robust human rights safeguards to protect against abuse,” she added.

Brown said that because the treaty fails to enumerate key human rights standards and requires governments to provide mutual legal assistance for any "serious crime" under national law, countries that criminalize behavior protected under international human rights law — including same-sex conduct, government criticism, investigative reporting, protesting and whistleblowing — will abuse the “powerful multilateral tools” the treaty establishes.

The tech industry also has fiercely opposed the treaty, sharing many of the concerns expressed by human rights advocates.

The treaty forces tech companies to retain user data for far longer than they do now and would require them to turn it over to law enforcement without standard legal procedures. 

It also could keep security researchers from reporting vulnerabilities they detect in networks and other tech systems because they will be more likely to fear prosecution under the treaty’s language, industry leaders say.

And industry shares concerns about the lack of transparency allowed by the treaty.

“There are eight references to keeping requests confidential in the treaty, and none to disclosure, even when it would not prejudice an ongoing investigation or prosecution,” Nick Ashton-Hart said via email, adding that the U.S. has changed its vote on treaties before. He leads the U.N. cybercrime delegation representing the Cybersecurity Tech Accord, which includes more than 100 cyber and tech organizations and several tech giants like Meta. 

McCarthy acknowledged that industry and human rights groups’ worries are legitimate, but said the treaty will spotlight the actions of authoritarian regimes.

“For those who have abused their citizens and abused every excuse to do so — including through a broad definition that anything that passes over the internet could possibly be considered a crime — this instrument [treaty] does not solve that, but it can shine a light on misuse.”

“By setting up mechanisms where we can share information on requests … it can help,” she said. 

Tough negotiations

The cost implications the treaty carries for industry are a concern, McCarthy said, but she noted that many other countries wanted the treaty to require service providers to respond directly to government requests for data. While she worked with industry to get that language removed, she did not succeed, McCarthy said.

Another hard-fought issue centered on how best to protect cybersecurity researchers, McCarthy acknowledged. While she said her team got “some language inserted,” the protections are not as robust as she would like, she said. 

Ultimately, McCarthy said it is important for the U.S. to ratify the treaty even if it is flawed because Russia and China are going to try and shape it to fit their interests and the U.S. needs to be in the room to stop them.

“The train has left the station and the train is going to go without us,” she said.

The U.S. tried “as hard as we could” to include elements allowing countries to reject requests for data when such sharing would harm dissidents and others whom repressive governments are targeting, McCarthy said.

“That includes Thailand's responding to the junta in Myanmar, to be able to say no, again, with a strong foundation,” McCarthy said. 

But human rights advocates and industry leaders say that because the treaty allows states to cooperate secretly with no procedural law safeguards — such as the right to appeal and a requirement for warrants — it will be possible for states to ask for data on nearly anything they consider a crime.

Will the Senate ratify?

The treaty could and likely will sail through the U.N., but even McCarthy called Senate ratification an open question, citing the looming election and changes in Congress.

A two-thirds vote in the Senate will be required for the U.S. to participate in the treaty, a threshold which Greg Nojeim, director of the Security and Surveillance Project at the Center for Democracy & Technology, called a “tall order because the treaty is short on benefits to the U.S.” 

“Who would want to vote for a treaty that gives Russia a political win, and gives despots around the world access to data they can use to oppress?” Nojeim said via email. “Which Senators will vote to pave the way for foreign governments to access Americans’ private communications?”

Not privacy hawk Sen. Ron Wyden (D-OR), it would appear.

The U.S. “shouldn't have anything to do with helping China or Russia justify abusing surveillance to prop up their authoritarian states,” Wyden said in a statement.

From Wyden’s perspective, that’s what the treaty will do if it is adopted with its current language. He said he is working with Senate colleagues to ensure that the U.S. “change course and begin listening to human rights activists who have been sounding the alarm about this convention [treaty] for years.”

In her remarks Friday, McCarthy acknowledged that the treaty is not perfect but called it “definitely an advancement.” 

The treaty’s provision that automatically allows for the extradition of cyber criminals “without having to negotiate country by country” is a win, McCarthy said.

The treaty is a “tool in the toolbox, and we shouldn't just throw it out, but we should use it … never forgetting what the ultimate aim was, which is to fight cybercrime,” McCarthy said.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.