The unplanned, closed-door UN negotiations in Vienna are a last-ditch attempt to bridge differences among governments on the treaty’s scope and on what role, if any, human rights should play not only in the design of the treaty but also in its implementation and eventual enforcement, write Deborah Brown and Katitza Rodriguez.
In the last few months alone, cybercrime has disrupted government services by taking down an e-citizen online portal in Kenya, exposing the personal data of 168 million citizens in India, and forcing a California-based healthcare system to close some of its locations.
Governments are meeting in Vienna beginning October 19 to negotiate a global treaty on cybercrime. But instead of sticking to the task at hand – fostering global expertise and cooperation in cybercrime – the proposed treaty seeks expansive powers to investigate virtually any imaginable criminal offence, even if no technology is involved at all.
This misguided approach will facilitate cross-border repression. And it will make it more difficult to investigate actual cybercrime.
The unplanned, closed-door UN negotiations in Vienna are a last-ditch attempt to bridge differences among governments on the treaty’s scope and on what role, if any, human rights should play not only in the design of the treaty but also in its implementation and eventual enforcement.
A core point of disagreement has been whether the proposed treaty should cover only computer-related offences, like attacks on computer data or systems, or a larger umbrella of crimes that are facilitated through technology.
A gravely concerning tradeoff package is emerging that would criminalize a relatively narrow set of offences in exchange for international cooperation on any activity a government criminalizes domestically that carries a penalty of at least 3 or 4 years in prison. This approach sacrifices human rights in an effort to manufacture consensus.
Governments around the world criminalize the ability to speak freely, to express non-conforming sexual orientation or gender identity, or protest peacefully, in blatant violation of human rights. People have been handed significant jail terms or even sentenced to death for criticizing their governments on social media.
LGBT people have been detained and even tortured on the basis of their sexual orientation or gender identity; waving a rainbow flag at a concert or having an account on a same-sex dating application can be enough to invite persecution disguised as prosecution. In today’s world, these and other acts leave digital trails that are more often than not in another jurisdiction.
In requiring mutual legal assistance for these and other “crimes,” the proposed treaty invites governments to facilitate human rights abuses around the world by making highly intrusive surveillance powers available for cross-border investigations through an unprecedented multilateral tool.
Governments argue that the proposed treaty can address human rights problems by allowing them to refuse cooperation requests if the underlying activity being investigated is protected by human rights, if it’s politically motivated, or if it isn’t a crime within their borders.
Although including all these grounds for refusal would be helpful, the proposed framework would continue to threaten human rights while undermining the purpose of the treaty–addressing genuine cybercrime.
First, grounds for refusal are discretionary. Even governments that have strong protections for free expression and privacy at home have proven unreliable defenders of rights when it comes to international cooperation—for example, in the name of countering terrorism.
In cases where cooperating countries both criminalize conduct protected by human rights, this treaty as currently drafted would provide a legal foundation and legitimate basis in international law for those governments’ collaborative abusive endeavours.
Second, as a practical matter, the proposal would overwhelm an already overstretched mutual legal assistance system, leading to even more delays and backlogs. Opening mutual legal assistance to such a wide range of offences instead of focusing resources on genuine cybercrime will increase already significant delays.
Greater strains on systems for mutual cooperation would also complicate authorities’ ability to identify human rights abuses when processing requests. This would increase the likelihood that cooperation might lead to identifying or locating someone who has fled a country to escape abuse, resulting in their harassment, torture, disappearance, or even death.
Finally, as data is increasingly stored in multiple jurisdictions, the likelihood that governments will exercise their right to refuse mutual legal assistance on human rights grounds is at best remote. Historically, global data storage was concentrated in a handful of countries.
But in recent years, there has been a shift toward localizing data storage in countries around the world, and cloud providers are actively expanding their operations and services to new regions, including in countries with egregious human rights records.
The Budapest Cybercrime Convention, drafted in 2001, adopts a similarly broad approach to gathering evidence. But at the time of its adoption, electronic evidence played a limited role in a few technology-fueled offences.
The consequences of repeating this approach in a global treaty two decades later, with state parties that have very different approaches to human rights protection and safeguards, will be much more severe and expansive.
Absent robust safeguards, a contained scope of application, and an obligation to comply with international human rights law—including by refusing investigations that are inconsistent with human rights—this treaty is primed to facilitate abuses on a global scale.
Governments should reject any such tradeoff and ensure that this treaty elevates, rather than sacrifices, our most fundamental rights.