Posted on 22 Jul 2024
From 29 July to 9 August 2024, state representatives will reconvene at the United Nations in New York to try to agree to a new convention on cybercrime. Members had intended to conclude negotiations at the planned closing session in February 2024, but there was still disagreement on several key issues, not least the title of the treaty – and therefore the entire framing of the convention.
The process of negotiating the treaty, initiated by Russia and with strong opposition from Western countries, has evolved over two years. However, the draft presented ahead of the reconvened final session would achieve most of Russia’s main objectives for this treaty if it is accepted. These include a broad and ambiguous range of offences that could be covered by the treaty (in line with Russia’s desire for a ‘comprehensive’ treaty); provisions giving governments wide latitude to access and share data; a definition of cybercrime that is in line with Russia’s preferred terminology; and the ability to include additional protocols that could broaden the scope of the convention even further. Without urgent intervention by those states that have been advocating for a more targeted scope for criminalization and stronger safeguarding of rights, these Russian objectives could result in a convention that would lead the world into a new era of UN-sanctioned internet and information control.
Despite ongoing disagreement among states on the form the treaty should take, the atmosphere of the negotiations over the past two years has been largely collegial. The efforts made in the informal sessions have produced some consensus on issues such as terminology, the scope of the treaty and the crimes covered. The fact that some central issues remain undecided reflects different perspectives on the treaty’s purpose and how cyberspace should be governed more generally. These divergent views could ultimately lead to an indefinite delay or the treaty enacted under duress, which in the diplomatic halls of the UN means by that it would be decided by a vote. The result may be a treaty that is technically approved by the UN, but fails to pass the approval of many legislatures for true ratification, and therefore fails to enter into force.
Could the UN redefine cybercrime?
A UN treaty will create new international standards and norms, including through the very naming of the convention. This has been one of the underlying conflicts of the process from the outset. The latest revised draft combines the two proposed titles – one promoted by Russia and the other by Western-aligned countries – in the verbose ‘United Nations Convention against Cybercrime (Crimes Committed through the Use of an Information and Communications Technology System)’. Through this formulation, it not only privileges Russia’s preferred terminology but also effectively redefines cybercrime.
Within the text of the draft convention, an ‘ICT system’ is defined as ‘any device or group of interconnected or related devices, one or more of which, pursuant to a program, gathers, stores and performs automatic processing of electronic data’. This takes the exact language for ‘computer system’ from the 2001 Budapest Convention, the standard bearer for cybercrime cooperation so far. Countries such as Russia and China have, however, rejected this convention and called for an international treaty. Co-opting the language from the Budapest Convention under a new definition at best conflates and confuses existing terms, but at worst redefines computer systems (and the crimes committed using them) as ICT – a broader term with a wider remit.
There is no international definition of ICT, but as pointed out during the negotiations by some states, it can also include radio, television and even satellites. (UNESCO has a definition that includes podcasting and video-conferencing.) Russia often refers to the internet and related systems as the ‘information space’, and has sought through the UN treaty to include as wide a list of crimes as possible, including content-related crimes, which could include social media posts and private messaging through an app. This laundry list of crimes has not made it into the treaty draft directly, but the backdoor option of an additional protocol is being seriously considered by the Ad Hoc Committee. Russia’s proposed protocol for a wider set of crimes is to be negotiated independently from the Ad Hoc Committee process, yet sanctioned by it and rolled into the treaty at a later stage.
While the draft treaty does not match the original submitted by Russia before the negotiation process began, a protocol would manage to introduce many of the same elements that Russia has sought. And if the redefinition of cybercrime and computer systems sticks, it would be a major victory for Russia at the UN.
Do safeguards matter?
Throughout the negotiating process, states have also been debating the inclusion of safeguards, intended as a way of ensuring compliance with obligations under the treaty and fostering cooperation among governments with different domestic positions. In discussion on the relevance of safeguards, experts in the field of cybersecurity and international cooperation expressed that the basis for cooperation is trust. They suggested that safeguards provide a baseline for groups of governments who do not have that level of trust in one another to try to cooperate on sensitive issues, of which cybersecurity is one. However, one expert painted a stark picture, arguing that safeguards only matter if they are followed, and pointed out that often in international cooperation, they are not.
That the language on safeguards in the current draft continues to be whittled down does not bode well for achieving new trusting relationships. The main articles on safeguards are couched within state sovereignty and domestic law. The language on legal safeguards, which has been fought over endlessly in this process, remains mostly weak and non-binding. One example is dual criminality in the context of extradition – the principle that a person can be extradited from one country to another only if the act they are accused of is considered a crime in both countries. Similarly, while the preamble currently calls for an overarching application of gender mainstreaming across the treaty, the integration of gender perspectives and considerations is sure to be challenged in the reconvened final session of the Ad Hoc Committee.
Efforts have been made to have rights and safeguards clearly articulated throughout the process, but they have been resisted all the way. As the scope of the treaty expands, and the text nears completion, safeguards and legal protections have become even more crucial to limit a treaty that seems set to adopt Russia’s core objectives on terminology and scope under the guise of compromise.
