On 7 August this year, a draft of the United Nations Convention against Cybercrime (UNCC) was accepted after a three-year-long discussion by the UN Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes.
The UNCC seeks to strengthen international cooperation in combating certain crimes committed using information and communications technology (ICT) systems and for the sharing of electronic evidence pertaining to serious crimes. A treaty to fight cybercrime worldwide is very pertinent as instances of the same have been soaring with its transnational tentacles and increased sophistication. The draft UNCC will go to the UN General Assembly for approval this year.
It will take time before the treaty starts working. Countries will need to sign and approve it first. The treaty becomes official when 40 countries approve it. Many developing countries say they need help to put the treaty into practice.
The UNCC, a treaty first proposed in 2019, represents a significant international effort to address the growing threat of cybercrime. Substantive debates on the treaty's content and scope began in earnest in 2021, bringing together representatives from various nations to negotiate its terms.
The primary objective is to provide law enforcement agencies and judicial systems worldwide with the necessary tools and legal mechanisms to combat increasingly sophisticated cyber threats. These range from financial fraud and identity theft to cyberattacks on critical infrastructure and state-sponsored hacking campaigns.
In July this year, shortly before the final session of the Ad Hoc committee in New York, the United States and its partners in the Freedom Online Coalition released a statement highlighting both the potential benefits and risks associated with the agreement. They recognised the treaty as a valuable opportunity to enhance international cooperation in fighting cybercrime.
However, the coalition also expressed significant concerns and warned that without proper safeguards and clearly defined limitations, the treaty could potentially be misused by governments as a tool for human rights violations that could include the application of broad cybercrime laws to suppress free speech, persecute dissidents, or conduct unwarranted surveillance on citizens.
To mitigate these risks, the Freedom Online Coalition called for a more precise definition of the treaty's scope.
The Rising Tide of Ransomware
Features
The draft UNCC mandates that member states align their national laws to criminalise a range of cyber offences. These encompass unauthorised data access, system interference, misuse of devices, and computer-related fraud. By establishing a common legal framework, the treaty aims to create a unified front against cybercrime across borders.
A key feature of the treaty is its emphasis on facilitating smooth cross-border cooperation among law enforcement agencies including mutual legal assistance, real-time exchange of electronic evidence, and joint investigative protocols. Such collaboration is crucial given the inherently borderless nature of cybercrimes.
By standardising legal approaches and fostering inter-agency cooperation, it seeks to close loopholes that cybercriminals might exploit. This collaborative framework enables law enforcement to track, investigate, and prosecute cyber offenders more efficiently, even when crimes span multiple jurisdictions.
But the treaty's criminalisation section, particularly Articles 7-11 outlining core cybercrimes, lacks precise language. This ambiguity could allow states to classify mere computer system access as a cybercrime, even without criminal intent. Consequently, countries might enact overly broad cybercrime laws based on this treaty, potentially criminalising the legitimate activities of journalists, security researchers, human rights defenders, and activists.
Another concerning aspect is found in Articles 24 and 35, which address safeguards for electronic evidence and data gathering. The treaty stipulates that these powers should be exercised in accordance with the principle of proportionality. However, this wording is inconsistent with established international human rights law, which typically cites necessity, legality, and proportionality as the key principles. Notably, these are the same legal standards set forth by the Supreme Court of India in the Justice K Puttaswamy vs Government of India judgment in 2017.
Understanding the Progress
The new UNCC draft is a significant development, as efforts from the Budapest Convention lingered and did not move towards a consensus despite countries recognising the growing impact of cybercrimes across governments, institutions, and individuals. Three reasons can be ascribed to the success we are seeing now.
Firstly, the global reach and inclusivity. Unlike the Budapest Convention of 2001, which was primarily a European initiative, this new treaty has been developed with inputs from countries worldwide. The global approach means it's more likely to be adopted by a diverse range of nations, including those in the Global South.
Secondly, the draft has tried to address modern cybercrime challenges. The cybercrime landscape has evolved significantly since 2001 and the new treaty has the potential to address more contemporary cybercrime instances such as ransomware attacks, cryptocurrency-related crimes, and advanced hacking techniques. By starting fresh, negotiators have incorporated the lessons learnt from the last two decades.
Thirdly, the potential for better international cooperation is being realised even more now. One of the main criticisms of the Budapest Convention was its limited effectiveness in facilitating international cooperation, especially with non-member countries. This new draft UN treaty has the potential to create more robust mechanisms for cross-border collaboration in investigating and prosecuting cybercrimes.
Concerns
Many concerns remain, particularly from privacy organisations as well as the business community who have indicated that the draft raises significant concerns regarding privacy, freedom of expression, economic growth, and national security, and that the proposed measures could undermine fundamental rights by enabling data collection without adequate safeguards or judicial oversight.
This approach even risks denying individuals the ability to challenge arbitrary access to their personal information. Such broad data collection powers, if abused, could have a chilling effect on free speech and political dissent. From an economic perspective, the convention may stifle growth and innovation in the digital sector.
At a time when digitalisation is crucial for global socio-economic development, conflicting national rules could lead to high compliance costs for businesses. This regulatory uncertainty may discourage investment in digital services and potentially criminalise important cybersecurity research, hampering technological progress. Most alarmingly, the convention could paradoxically jeopardise national security by increasing vulnerability to cybercrimes. Unchecked data collection exposes sensitive information to potential breaches.
Moreover, provisions allowing authorities to compel assistance in breaching security systems could weaken overall cyber defences, making nations more susceptible to attacks. They further claim that the UNCC's approach appears to prioritise law enforcement powers over individual rights and security considerations.
While combating cybercrime is crucial, a more balanced approach is needed to protect privacy, foster innovation, and enhance true cyber security. Policymakers should reconsider these provisions, ensuring that any international cybercrime framework respects fundamental rights, promotes economic growth, and genuinely strengthens national security in the digital age.
There is much work to be done to make the draft UNCC more comprehensive but we are seeing a good start. The Ad Hoc committee also agreed to work on additional rules for more online crimes later. This was a compromise with countries that wanted to make many types of online content illegal.
Overall, the draft UNCC indeed strives to create a more robust and interconnected global cybersecurity ecosystem, enhancing the collective ability of nations to combat the ever-evolving threat of cybercrime.
(Subimal Bhattacharjee is a Visiting Fellow at Ostrom Workshop, Indiana University Bloomington, USA, and a cybersecurity specialist. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)