"We've seen vaguely worded international cybercrime laws misused to violate freedom of expression, target dissenters, and put them in danger. It's paramount that the proposed treaty does not invite abuse and overreach by countries by obligating states to cooperate in open-ended investigations of ill-defined criminal matters" - EFF
This statement was originally published on eff.org on 30 August 2022.
In a new round of talks this week to formulate a UN Cybercrime Treaty, EFF is calling for strictly limiting the scope of the convention’s international cooperation provisions and safeguards to ensure that states respect human rights when responding to legal assistance requests.
EFF is among a group of digital and human rights organizations participating in the UN-convened talks, which started in February. A third round of discussions that began yesterday in New York focuses on the scope of the treaty’s cooperation and mutual assistance provisions. The goal is to work towards finding consensus on the extent to which governments should cooperate and provide legal assistance to each other in cybercrime investigations.
On the table are extremely serious and contentious issues about the contours of cooperation among international law enforcement agencies for accessing user data in territories outside their own, respecting existing mutual assistance agreements, navigating national laws governing criminal investigations, and, importantly, ensuring privacy and human rights protections are included and prioritized.
Early work on the treaty has demonstrated that finding consensus about even baseline matters, such as the definition of cybercrime and what crimes should be covered by the convention, is challenging.
The first meeting of the Ad-Hoc Committee Secretariat from the UN Office on Drugs and Crime, the UN-convened committee of over 100 government officials from around the world charged with drafting the treaty, was four days after Russia’s invasion of Ukraine. Russia was the initial driving force behind the creation of the treaty, leaving Member States questioning whether it could defend claims of sovereignty in formulating cybercrime provisions while invading Ukraine and unleashing cyberattacks.
At the second meeting in June, we were alarmed to see Member States pushing to cover a broad array of crimes under the treaty, including content-related crimes. We adamantly oppose this on grounds that it will likely result in overbroad, easily abused laws sweeping up lawful speech and threatening the free expression rights of people around the world.
In our comments for this week’s third round of talks, EFF outlined a strategy for carefully limiting the scope of cooperation and safeguarding human rights.
Our recommendations comprise three inter-related categories: clear limits on cooperation and providing technical assistance, safeguarding human rights, and guaranteeing nondiscrimination when providing assistance, and the continued use of Mutual Legal Assistance Treaties (MLATs) as the primary approach for legal cooperation.
Scope of cooperation should be carefully limited
The convention has the potential to substantively reshape international criminal law and bolster cross-border police surveillance powers to access and share users’ data, implicating the human rights of billions of people worldwide. We’ve seen vaguely worded international cybercrime laws misused to violate freedom of expression, target dissenters, and put them in danger. It’s paramount that the proposed treaty does not invite abuse and overreach by countries by obligating states to cooperate in open-ended investigations of ill-defined criminal matters.
Despite the fact that this convention is for cybercrime, some states have argued it should form the basis for international cooperation in evidence gathering for any crime under investigation. The European Union, for example, has put forward compromise language, saying it remains open to the concept of cooperation applying to the collection of evidence in not just serious crimes but any crime – a provision in the Budapest Convention.
But cross-border investigations are intrusive, posing a heightened risk to human rights. We therefore believe the proposed UN treaty should not become a general-purpose investigative tool but should be limited to actual cybercrimes or, at least, to investigations of crimes that states agree are truly serious. We also support Canada’s call for a de minimus clause out of recognition that even violations of serious offences can be trivial, and states should be permitted to refuse investigative assistance in those instances.
Some countries have also argued that the convention should form the basis for assistance outside the criminal justice system. For example, Brazil and Russia see international cooperation as including mutual assistance for investigations and prosecutions in “civil and administrative” cases and other investigations of undefined “unlawful acts.” But the privacy implications of civil or administrative investigations can be substantial and the personal consequences of some civil or administrative matters can be quite severe.
Some states may also wish to use the Convention as a means for cooperation in a range of emerging offensive cybersecurity operations that require intruding onto secure networks in order to interfere with the use of computing devices or communications networks. Such disruptive activities pose a particularly insidious threat to human rights and fall outside the normal parameters of the criminal justice system. They should not be legitimized through an international instrument.
Cooperation must safeguard human rights
The treaty should also supplement the MLAT system by establishing an adequate baseline of protection to ensure that states respond to legal assistance requests in a manner that respects human rights. Oversight and monitoring mechanisms should be built into the treaty to check whether human rights safeguards are being followed and provide a way to combat and end any abuses.
Interfering with privacy rights when cooperating in international cybercrime investigations should be explicitly prohibited unless subjected to independent authorization concluding that the incursion is likely to yield evidence of a specific crime. Data processing that is not necessary, legitimate, and proportionate, as defined in international human rights law, should also be prohibited, as should any cooperation to prosecute or punish individuals on the basis of race, religion, nationality, gender identity or political opinion.
Regrettably, there is no definitive international mechanism for enforcing human rights. States should therefore be permitted, if not obligated, to carefully and continually scrutinize cross-border access by foreign governments through independent regulators and these regulators should be empowered to correct or even suspend cooperation with any state or agency who fails to adequately safeguard human rights.
Cooperation must remain focused on the MLAT regime
The primary vehicle through which legal assistance occurs on a global scale is still the MLAT regime, where one state asks another state’s government to use its existing legal powers to help investigate people or evidence in its territory. States have failed to invest sufficiently in the MLAT regime despite growing demand for cross-border investigative assistance, and this has led to calls and attempts at replacement systems for international cooperation.
Unfortunately, most proposals to replace the MLAT system have been accompanied by significant erosions of privacy, data protection, due process, and human rights safeguards.
Rather than throwing out the MLAT system, this treaty should revitalize it by committing governments to invest more resources and training into its operation and creating international knowledge exchange points that would help law enforcement navigate the MLAT systems of other governments.
Our full submission can be found here and a compilation of comments and submissions by Member States can be found here. The Ad-Hoc committee is scheduled to meet through Sept. 9.