Summary of EFF’s Concerns About the UN Draft Cybercrime Convention

  • eff.org
  • Article
  • Summarized Content

    The UN Cybercrime Convention: A Threat to Privacy and Digital Rights

    The proposed UN Cybercrime Convention, a global pact designed to combat cybercrime, has been met with widespread criticism from privacy advocates and human rights organizations like the Electronic Frontier Foundation (EFF). Critics argue that the treaty, if adopted, will significantly erode privacy protections and empower governments to engage in surveillance and data sharing on an unprecedented scale.

    • The treaty mandates states’ cooperation in surveillance and data sharing, enabling them to collect, preserve, and share electronic evidence for any crime deemed serious by a country’s domestic law.
    • This broad interpretation of "serious crime" could encompass a wide range of activities, potentially including protected expressions like online criticism or dissent.
    • The treaty's lack of clear, enforceable safeguards raises concerns that it could be used as a tool for state abuse and transnational repression, rather than protecting human rights.

    Privacy Concerns: Overbroad Scope and Over-Criminalization

    The treaty's expansive scope is a major cause for concern. Critics argue that it goes far beyond tackling core cybercrimes and instead seeks to criminalize a broad range of activities, including some protected under human rights law.

    • The treaty's criminalization chapter includes crimes like "grooming" and Child Sexual Abuse Material (CSAM), even though these are not necessarily cybercrimes.
    • The definition of CSAM risks criminalizing consensual conduct between minors, raising concerns about the chilling effect on free expression and privacy.
    • The treaty's broad scope extends to authorizing surveillance activities for any crime, even those not considered serious, undermining the focus on actual cybercrime offenses.

    Privacy Violations: Invasive Evidence Gathering Powers

    The treaty grants law enforcement broad powers to gather evidence, potentially enabling domestic and cross-border spying on acts of expression.

    • Chapters IV and V of the treaty allow governments to gather potential evidence for any crime, regardless of its severity, if it was committed using ICT.
    • One state can assist another in surveillance for any so-called serious crime, enabling potential abuse of power.
    • The treaty's lack of safeguards for legally privileged information, protection against compelled self-incrimination, and protections for criminal defense attorneys raises further concerns about the erosion of privacy and due process.

    Privacy Threats: Secret Surveillance and Data Sharing

    The treaty allows for extensive secret surveillance with weak safeguards, posing significant risks to privacy and digital rights both domestically and internationally.

    • The treaty permits real-time interception of traffic data for any crime, even those not considered serious, while content interception is limited to serious crimes.
    • Service providers are compelled to assist in these surveillance activities under perpetual gag orders, preventing notification even when investigations are no longer jeopardized.
    • The treaty allows one state to assist another in carrying out such surveillance for serious crimes, forcing companies to comply with foreign surveillance requests, also in perpetual secrecy.

    Privacy Implications: Compelled Technical Assistance

    The treaty requires countries to have laws enabling authorities to compel anyone with knowledge of a particular computer system to provide necessary information to facilitate access.

    • This could involve asking a tech expert or engineer to help unlock a device or explain its security features, which may compromise security or reveal confidential information.
    • The treaty's lack of safeguards against compelled technical assistance raises concerns about potential misuse and abuse, particularly in cases involving privacy-sensitive information.

    Data Sharing and Transnational Repression

    The treaty's provisions on law enforcement cooperation raise concerns about the potential for transnational repression, where one state could use the treaty to target individuals in another state based on their political beliefs or activities.

    • The current wording of Article 47 risks supporting open-ended law enforcement cooperation without detailing the necessary limitations and safeguards required under international human rights law.
    • The treaty does not provide sufficient safeguards to prevent the misuse of mutual legal assistance frameworks for political purposes, potentially leading to human rights violations.

    Security Research and Digital Rights

    The treaty's failure to exempt security research, journalism, and whistleblowing from criminalization poses significant risks to cybersecurity and press freedom globally.

    • The treaty's provisions on illegal access, interception, and interference lack mandatory requirements for criminal intent and harm, threatening to penalize security research efforts.
    • The treaty's potential to chill security research and whistleblowing could have a detrimental impact on digital security and public interest work.

    LGBTQ Rights and the UN Cybercrime Convention

    The treaty's broad scope continues to pose significant risks to LGBTQ+ and gender rights.

    • The domestic and international cooperation chapter could be exploited to target individuals based on their gender or sexual orientation, especially if domestic laws criminalize these expressions as serious crimes.
    • The treaty's lack of clear safeguards against discrimination and abuse based on sexual orientation and gender identity raises concerns about its potential to exacerbate existing inequalities and human rights violations.

    Recommendations for Addressing Privacy Concerns

    To mitigate the privacy risks associated with the UN Cybercrime Convention, EFF and other organizations have issued a number of recommendations, including:

    • Restrict the definition of "cybercrime" to core cybercrimes, such as technical attacks on computers, devices, data, and communications systems.
    • Exclude human rights-protected activities from the scope of the treaty, such as online criticism, religious expression, or LGBTQ support.
    • Narrow the scope of the CSAM article to target only intentional, malicious actions and exclude consensual activity between minors.
    • Limit Articles 23(2)(c) and 35(1)(c) to core cybercrimes and delete Article 23(2)(b).
    • Ensure cooperation is limited to situations where there is a reasonable suspicion that legal assistance will produce evidence of a criminal offense.
    • Delete Articles 29, 30, 45, 46 to address concerns about secret surveillance and data sharing.
    • Delete Article 28(4) to address concerns about compelled technical assistance.
    • Limit Article 47(1) to Articles 7-11, delete Articles 47(1)(b), (c), and (f), and reference Articles 24 and 36 in Article 47(2).

    Ask anything...

    Sign Up Free to ask questions about anything you want to learn.