(New York) – A possible global treaty to address cybercrime risks legitimizing abusive practices and could be used as an excuse to silence government critics and undermine privacy in many countries, Human Rights Watch said today. Governments will kick off the process for a global cybercrime treaty, first proposed by the Russian government, at the United Nations on May 10, 2021.
Several national cybercrime laws in various parts of the world already unduly restrict rights and are being used to persecute journalists, human rights defenders, technologists, opposition politicians, lawyers, religious reformers, and artists. Instead of a treaty, governments should prioritize reforming these abusive laws to conform with international human rights standards. Any effort to address cybercrime needs to reinforce, not undermine, freedom of expression and other human rights.
“Cybercrime poses a real threat to people’s human rights and livelihoods and efforts to address it need to protect, not undermine, rights,” said Deborah Brown, senior digital rights researcher and advocate at Human Rights Watch. “Governments should oppose overbroad and aggressive cybercrime measures that threaten rights.”
The negotiating process for a possible treaty should be open and transparent, and human rights groups should be consulted every step of the way, Human Rights Watch said.
The term “cybercrime” is typically used to describe both actions taken against the confidentiality, integrity, and availability of computer data or systems and traditional offenses committed through the internet and communications technology. In recent years, there has been a surge in cybercrime laws around the world, some of which are overly broad and criminalize online expression, association, and assembly.
Pakistan’s Prevention of Electronic Crimes Act, as just one example, authorizes blocking websites deemed critical of officials and requires service providers to retain or provide authorities with access to copious amounts of people’s data, which is open to abuse. Other laws, like Egypt’s Anti-Cyber and Information Technology Crimes Law, have been used to prosecute people for using secure digital communications, which are crucial to keeping people safe online.
If UN member states choose to pursue a global treaty, they should bolster protections for freedom of expression and other fundamental rights, Human Rights Watch said.
The upcoming UN meeting will focus on key procedural matters, such as who can participate in future negotiations, where negotiations will occur, and whether the process will be based on consensus.
Ahead of the treaty negotiations, Human Rights Watch analyzed the key risks to freedom of expression and privacy posed by national legislation and international cooperation to address cybercrime, based on Human Rights Watch reporting on cybercrime for at least a decade. In March and April of 2021, Human Rights Watch also conducted phone and email interviews with cybercrime experts.
Governments have obligations under international human rights law to protect people from harm resulting from criminal activity carried out through the internet. For example, part of governments’ obligation to protect women’s human rights includes combating gender-based violence online, such as the nonconsensual distribution of intimate images online. But government responses to cybercrime are often ineffective or disproportionate, and can undermine rights.
Investigating and prosecuting crime increasingly requires international cooperation. Data is physically stored and processed in multiple countries, often different from where the criminal prosecution takes place, even when referring to data in the “cloud.” Governments try to access data stored outside their jurisdictions through legislative, informal, and coercive measures that can erode the right to privacy. Governments, sometimes with the support of major companies, have tried to speed up cooperation to share data for criminal investigations through measures that can bypass or weaken due process protections.
So-called morality clauses have led to arrests and prosecutions of women and LGBT people for expressing themselves online. A new treaty risks legitimizing and normalizing these practices. The UN General Assembly has expressed grave concern that cybercrime laws are “in some instances misused to target human rights defenders or have hindered their work and endangered their safety in a manner contrary to international law.”
Cybercrime laws have also been used to crack down on critical voices. For example, the prominent Philippines journalist Maria Ressa was convicted of “cyber libel” in 2020 and faces up to seven years in prison. The renowned Emirati human rights defender Ahmed Mansoor is serving a 10-year sentence for cybercrimes and other vague offenses related to his human rights work.
The risks of proceeding with a global treaty – particularly one that has been championed by some of the world’s most repressive governments – are considerable, Human Rights Watch said. A global treaty would set the standard for countries around the world that are still developing their approaches to addressing cybercrime at the national level. It could also significantly influence how law enforcement shares data across borders.
A treaty is most likely unnecessary, and efforts would be better spent improving mutual legal assistance processes and providing more resources and training for law enforcement officials engaged in cross-border requests for data to ensure timely responses that do not infringe on people’s rights.
“Delegations should think long and hard about whether the world actually needs a cybercrime treaty,” Brown said. “They should also ensure that nongovernmental groups have a seat at the table, as so many advocates have been targeted by abusive cybercrime laws and have relevant expertise on what safeguards are needed.”
For more information on the impact of measures to address cybercrime, please see below.
Cybercrime and Rights
Digital technologies play an increasing role in people’s everyday lives. Cybercrime, and abusive measures aimed at fighting it, are growing and present significant human rights challenges. Cybercrime can undermine rights, including the rights to privacy, freedom of expression, and nondiscrimination, and can affect people’s livelihoods.
Malicious hacking of personal data can reveal intimate aspects of people’s lives. Blackmail facilitated by phishing attacks can restrict people’s freedom of expression and cause psychological harm. Capturing or sharing intimate images without consent can cause lifelong impact for people targeted, most of them women and girls. Online scams, and the use of malware to obtain bank login credentials can cause severe financial distress.
Older people tend to be hit disproportionately in some contexts because they are perceived to have significant financial resources and to lack the tools and experience to identify attacks and fraud. Governments may not consistently support older people with information and skills to protect themselves online. Cybercrime is on the rise and will most likely grow, as data breaches and leaks at companies like Facebook, LinkedIn, and Clubhouse expose the sensitive personal data of hundreds of millions of people and leave them vulnerable to attacks.
There is no consensus on how to tackle cybercrime at the global level or a common understanding or definition of what constitutes cybercrime. Most definitions include a limited number of acts, often referred to as “cyber-dependent crimes,” against the confidentiality, integrity, and availability of computer data or systems. Cybercrime laws also often include criminalization of what is often referred to as cyber-enabled crimes, traditional offenses committed through the internet and communications technology. These include acts for personal or financial gain or harm, such as identity-related crime, and computer content-related acts, like child sexual exploitation and copyright infringement. Cybercrime laws also typically contain procedural powers that enable specialized investigative and international cooperation, which law enforcement in one country can use to obtain electronic evidence in another country for any criminal investigation.
National Cybercrime Laws that Unduly Restrict Rights
In his 2019 report, the UN special rapporteur on the rights to freedom of peaceful assembly and of association, Clément Nyaletsossi Voule, observed, “A surge in legislation and policies aimed at combating cybercrime has also opened the door to punishing and surveilling activists and protesters in many countries around the world.”
The following analysis is not comprehensive, but identifies trends observed in reporting on cybercrime laws in various regions. It focuses primarily on cybercrime laws, but cybercrime provisions that are used to restrict rights can also be found in laws governing information and communications technologies (ICTs), telecommunications, and cybersecurity, and in penal codes. Additionally, cybercrime laws are often used in conjunction with other laws, like counterterrorism laws, to restrict rights.
Criminalization of Expression
Many governments are putting into place cybercrime laws with provisions that directly violate freedom of expression, or that are overbroad and vague, lending themselves to crackdowns on freedom of expression.
Pakistan’s Prevention of Electronic Crimes Act (PECA) criminalizes anyone who “prepares or disseminates” information through any information system or device with the intent to praise a person “accused of a crime,” or to “advance religious, ethnic or sectarian hatred,” or with intent to praise terrorism or proscribed organizations. These provisions on their face violate free expression rights.
Cambodia’s proposed cybercrime law prohibits acts that vaguely constitute “disturbing, frightening, threatening, violating, persecuting or verbally abusing others by means of computer.” The United Arab Emirates’ Federal Legal Decree No. 5/ 2012 on combating cybercrimes broadly criminalizes the use of information technology “with the intent of inciting to actions, or publishing or disseminating any information, news, caricatures, or other images liable to endanger state security and its higher interests or infringe on the public order.”
Many countries have made spreading “false” information online a cybercrime. But what is “false” is often highly contested, and criminalizing “false” statements opens the door to broad criminalization and chilling of speech. Human rights experts at the UN and regional bodies have long condemned governments for using vague and ambiguous terms such as “false news” and “non-objective information” to outlaw disseminating certain types of information.
In October 2020, Nicaragua’s Congress adopted a cybercrime law that criminalizes “publication” or “dissemination” of “false” or “distorted” information on the internet “likely to spread anxiety, anguish or fear.” It also punishes anyone who publishes “false or distorted information” that “promotes hate and violence, [or] endangers economic stability, public order or health, or national security,” terms that are not defined.
In March 2020, Russia introduced Article 207.1 into the criminal code for “public dissemination of knowingly false information in circumstances threatening the life and safety of citizens,” punishable with up to three years of liberty restriction. A proposed cybercrime law in Eswatini outlaws publishing a statement or “fake news” through any medium, with the intention to deceive anyone else or any group of people.
Thailand’s 2016 Computer-Related Crime Act (CAA) criminalizes publishing content that is “likely to cause damage to the public,” including “false or partially false” data, “distorted or partially distorted” data, or data likely to “cause public panic” or harm “maintenance of national security, public safety, national economic security, public infrastructure serving the public interest.” Rwanda’s Law on Prevention and Punishment of Cyber Crimes prohibits the publication of “rumors.”
Some countries also use cybercrime laws to criminalize conduct viewed as harming morality or religious values. Such provisions pose a particular threat to the free speech of women’s rights advocates and LGBT people.
Saudi Arabia’s 2007 Anti-Cybercrime law criminalizes “producing something that harms public order, religious values, public morals, the sanctity of private life, or authoring, sending, or storing it via an information network.” Egypt’s 2018 Anti-Cyber and Information Technology Crimes Law restricts online content deemed to “undermine family values” or violate “public morals.” Nigeria’s Cybercrimes Act criminalizes a broad range of offenses, including insult of people based on their religion.
These restrictions are inconsistent with international human rights law, which requires any regulation of freedom of expression to be necessary for a legitimate purpose, such as the protection of national security, public health, or the rights of others, and to be strictly proportionate to that end. Even when a law has a legitimate purpose, governments are obligated to specifically identify the nature of the threat being addressed and how the measure proposed is both a necessary and proportionate means of addressing it.
Restrictions on Investigative Journalism, Research, and Whistleblowing
A core element of cybercrime laws is usually the criminalization of unauthorized or illegal access to and interference with computer systems and data. These provisions can provide important safeguards against privacy violations and generally strengthen cybersecurity. However, these laws can undermine human rights when they are overbroad, such as by criminalizing mere access to computer systems and data, regardless of intent and without allowing a public interest defense.
Such laws can easily be used against whistleblowers who may access systems and data to expose government or corporate wrongdoing, or security researchers, who may do so to disclose vulnerabilities in information systems, to allow companies to improve infrastructure and software security for the public’s benefit. Such overbroad laws can also be used against activist groups or media outlets that publish information that was obtained without authorization. Publishing such data is key, for example, to Justice for Myanmar’s work to expose international businesses with financial ties to Myanmar’s military with the release of sourced evidence.
Pakistan’s PECA prohibits unauthorized access to, copying, or transmission of “critical” information with intent to create a sense of fear or insecurity in the government or the public or to advance religious, ethnic, or sectarian hatred. These vague definitions create a serious threat to whistleblowers who may seek to reveal intelligence that shows abuses by government officials or agencies.
Cambodia’s proposed cybercrime law criminalizes “unauthorized access” to a computer system, or transferring data from a system without authorization, with no protections for journalists or whistleblowers. The provisions could be used to prosecute whistleblowers and investigative journalists who use leaked materials in their work.
Nicaragua’s cybercrime law punishes the use of communications technology to disclose classified information as well as information considered “personal.” Article 232 of Ecuador’s Criminal Code broadly criminalizes a range of activities, including destruction of, damaging, erasing, altering, or blocking computer data or systems, or even designing or developing programs that could be used this way. The law does not require malicious intent and can be interpreted broadly by prosecutors.
In the United States, the Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to computers but does not explain what “without authorization” actually means. Along with contradictory court decisions, this has created uncertainty and confusion for security researchers and ordinary internet users.
The ambiguity of “unauthorized access” has opened up researchers to legal risk from platform companies claiming that “scraping” violates their sites’ terms of service. Scraping is using a computer to automatically load and read the pages of a website for later analysis.
The CFAA is also cited in the US indictment of Julian Assange, the founder of Wikileaks, which constitutes a threat to media freedom because much of the conduct it describes is routinely used by journalists. Journalists at major news publications regularly speak with sources, ask for clarification or more documentation, and receive and publish documents the government considers secret.
Interference with Privacy
Cybercrime laws often establish new investigative powers, including allowing authorities to intercept, retain, and access people’s data. Obtaining data from internet service providers and other online services such as social media platforms or cloud storage services can be essential for prosecuting cybercrime. But some laws require disproportionate data collection and retention without judicial oversight and basic due process protections. In some cases, law enforcement may be able to obtain stored subscriber data, traffic data, and even content data, directly and in real time. Laws also often impose harsh sanctions on companies for failure to retain data and provide access to law enforcement.
The Philippines’ Cybercrime Prevention Act authorizes police to collect computer data in real time without a court order or warrant. Thailand’s CCA expands the government’s data collection and other investigatory powers, allowing their use in response to any criminal offense under other laws that involve the use of computer systems, computer data, or devices. Service providers may be required to retain user data for up to two years. Authorities are able to access “traffic data” and other user-related data without a court order when investigating an offense under the CCA or other laws. With a court order, the authorities are also potentially able to compel service providers to assist with decrypting encoded data, raising concerns that the law could undermine the use of encryption tools that protect cybersecurity and users’ privacy. Undermining encryption compromises the security of everyone’s communications, exposing people to a range of threats online, including from cybercriminals.
Palestine’s Law on Electronic Crimes permits the authorities to “seize” information systems and information technology tools “which may help uncover the truth” for investigative purposes without demonstrating the necessity or proportionality. The law also obligates service providers to make available subscriber information “at the request of the prosecution or the competent court” and retain that information for at least three years without clarifying what that entails or setting out restrictions or sufficient safeguards against abuse. This requirement disproportionately infringes on the right to privacy of all users whose data is collected regardless of whether they are suspected of wrongdoing.
Egypt’s cybercrime law requires internet service providers to collect and store customer usage data for 180 days. That includes data that enables user identification, and data related to all user activities, including phone calls and text messages, websites visited, and applications used on smartphones and computers. The National Telecommunications Regulatory Authority can also issue an administrative decision obliging telecommunications companies to save “other data” without specifying what kind. Service providers are also required to provide their “technical capabilities” to national security entities and grant them access to review retained data.
The UN Office of the High Commissioner for Human Rights has criticized governments for imposing mandatory obligations on service providers to retain communications data for extended periods because such requirements limit people’s ability to communicate anonymously, create the risk of abuses, and may facilitate disclosure to third parties, including criminals, political opponents, or business competitors through hacking or other data breaches.
Misuse of Cybercrime Laws
Cross-Border Data Access
Because of the transborder nature of cybercrime, with data stored and processed in multiple countries, subject to different laws, international cooperation is essential to carrying out investigations and bringing perpetrators to justice. But additional human rights challenges emerge when coordinating investigations and prosecutions across borders.
Law enforcement agencies try to access data stored outside their jurisdictions through a range of legislative, informal, and coercive measures. US providers in certain circumstances share subscriber data voluntarily with non-US law enforcement entities. Governments sometimes extract data or compel companies to “pull” data from servers in other countries, without obtaining the other country’s consent, in ways that can violate the human rights of the data subjects.
Mutual legal assistance treaties (MLATs) are international legal frameworks used to obtain evidence – including communications data – across borders. The process of obtaining such evidence under such a treaty can take months because of administrative legal processes in each country. While frustrations with the process are understandable, and such transnational barriers to cooperation should not undermine accountability, law enforcement sometimes attempts shortcuts to speed up access to data that can undercut human rights protections, like due process.
For example, in the United States, the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act, opposed by Human Rights Watch and other civil society groups, transformed the system for cross-border access to data in criminal investigations. It allows the US to enter agreements with other countries to authorize law enforcement in each country to directly serve requests for data like email contents, or to issue a wiretap internationally in the other country, without the oversight of the nation where the interference occurs, even when it involves a citizen or person whom the nation normally offers legal protections.
The subsequent US-UK CLOUD Act Executive Agreement fails to adequately protect the privacy and due process rights of US and United Kingdom citizens. For example, the agreement lowers the bar for law enforcement access to both stored communications contents, such as emails, and live wiretaps in the US, by using vague oversight and notice requirements and by eliminating the stringent probable cause requirement for foreign law enforcement access to stored content data.
In the absence of a global cybercrime treaty, there are some multilateral treaties – including among Arab governments, African governments, and the Shanghai Cooperation Organisation – that address aspects of cybercrime. The Council of Europe Convention on Cybercrime (the Budapest Convention) is the most complete international framework, as it seeks to harmonize national laws, improve cybercrime investigation techniques, and promote international cooperation. It also has the broadest support internationally, as it has been ratified by 65 countries, including non-CoE members – 13 in the Americas, 11 in Africa, 4 in Asia, and 2 in Oceania.
The Budapest Convention requires states parties to make certain acts – such as illegal access to computer systems, illegal interception of electronic communications, sending malware, copyright violations, and the production or dissemination of child pornography – criminal under their national law. It makes extensive provisions for international cooperation in fighting such crimes, including mutual legal assistance in investigation and preservation of evidence, extradition and similar matters, and acts as a legal framework for international cooperation on criminal justice issues.
A Second Additional Protocol, on enhanced international cooperation and access to evidence in the cloud, is currently being negotiated. The Electronic Frontier Foundation has said that the Second Additional Protocol seeks to reshape the basis for cross-border law enforcement activities, with far-reaching implications for privacy and human rights. EFF is deeply concerned that civil society is being asked to comment on this momentous text in too limited a time frame.
The Budapest Convention is sometimes referred to as the “gold standard” of international conventions on cybercrime, but human rights experts have long pointed out that it should incorporate stronger safeguards for human rights. Article 15 says that state procedures relating to the investigation and prosecution of the crimes listed must be in accordance with the European Convention on Human Rights (ECHR), for Council of Europe member states, or with other international human rights treaties such as the International Covenant on Civil and Political Rights, for non-European states. However, it doesn’t provide details or guidance on what this entails. Article 15 only applies to procedural matters.
When it comes to substantive criminal articles, the European Convention provides states with flexibility in implementation. The provisions on illegal access and data interference are problematic, as they could be interpreted to allow the criminalization of security research and non-malicious “hacking” that causes no harm and may even have positive effects, for instance by exposing security vulnerabilities. The convention does not include a public interest defense for whistleblowers or journalists. Governments should use the flexibility in implementation to uphold human rights standards.
In CoE states, other binding human rights instruments, like the ECHR, apply and people would have a remedy to the European Court of Human Rights if their rights are breached. But the same cannot be said for non-CoE countries that join the Budapest Convention, countries that are not subject to the ECHR or comparable human rights treaties, where the rule of law is too weak to enforce safeguards against abuse of cybercrime laws.
Recent Developments at the United Nations
Russia, though a member of the CoE, has not joined the Budapest Convention. Instead, it has been promoting the idea of a UN treaty on cybercrime since at least 2010, when its proposal for a new treaty at the UN Crime Congress was rejected. In recent years, as Russia significantly expanded its laws and regulations tightening control over internet infrastructure, online content, and the privacy of communications, it also stepped up its efforts toward a UN cybercrime treaty.
In 2017, it circulated a draft treaty and the following year it introduced a resolution calling for a report from the UN secretary-general on the challenges member states face in countering the use of information and communications technologies for criminal purposes. Governments from the EU, the US, and their allies voted against the resolution, though it ultimately passed.
In 2019, Russia introduced a resolution to establish an Open-ended Ad Hoc Intergovernmental Committee of Experts to elaborate a comprehensive international convention on “countering the use of information and communications technologies for criminal purposes.” Leading digital rights and human rights organizations and experts urged delegations to vote against the resolution, warning that the proposed treaty poses a threat to human rights online.
The resolution passed but with a smaller margin. The resolution potentially opens the scope of the proposed treaty to a broader definition of “cybercrime” that does not correspond to any previously established definition. The resolution also does not explicitly provide for the participation of nongovernmental organizations in the treaty development process.
Governments should increase international cooperation and capacity building around cybercrime in ways that respect human rights and the rule of law, Human Rights Watch said. Proceeding with a proposed treaty risks reinforcing increasingly common restrictions on freedom of expression, privacy, and due process rights.
It is also essential for governments to adopt inclusive and transparent working methods at the organizational session to ensure that any negotiations do not undermine rights. Specifically, Human Rights Watch recommends:
- Accrediting all interested nongovernmental groups, including those with relevant expertise but that do not have consultative status with the Economic and Social Council of the UN;
- Providing for written contributions and oral interventions from all accredited participants;
- Providing for webcasting, remote participation, interpretation services, and online consultations to facilitate the participation of groups that are not able to participate in person; and
- Maintaining an up-to-date, dedicated webpage with relevant information, such as practical information (details on accreditation, time/location, and remote participation), organizational documents (i.e. agendas, discussions documents, etc.), statements and other intervention by states and other stakeholders, background documents, working documents and draft outputs, and meeting reports.