UN assembly showing cybercrime convention

UN Cybercrime Convention Treaty Criticized by Both Activist and Business Interests

Despite receiving a raucous round of applause upon its adoption, the UN cybercrime  convention’s new treaty seems to thus far have displeased most of the entire spectrum of private interests. Human rights watchdogs say that its terms are too broad and open to potential abuse, while business interests worry that it will stifle investment in technology and end up promoting more cybercrime globally.

Cybercrime convention criticized for enabling cross-border surveillance by repressive governments

The treaty is the first of its type to be agreed upon since the Budapest Convention on Cybercrime 20 years ago, and took the UN cybercrime committee three years of deliberations to reach. Though human rights groups ultimately ended up unhappy with its terms, a loose confederation of dozens of nations seemingly spearheaded by Iran fought until the final hours to have even more protections stripped from it.

The central point of contention is that the cybercrime convention would enable repressive regimes to request assistance from other countries in a way that was not previously available. To continue surveillance of a subject two countries would previously have had to work out a mutual legal assistance treaty (MLAT), something that was obviously not extended by democracies to more repressive and authoritarian regimes. Human rights watchdogs are concerned that the new treaty terms could require that these regimes be assisted with certain information requests when a surveillance target crosses international borders.

In spite of this new approach to mandatory cooperation, the cybercrime convention leaves human rights protections largely up to the laws of each individual nation. There is no “equivalency” factor as pertains to these requests for international cooperation; the fact that something might be considered a human rights violation according to the laws of one country would not stop another country from requesting assistance. There is also no requirement to demonstrate that the act that prompted the request was done with malicious intent, or that it caused some demonstrable harm.

The cybercrime convention is not entirely without human rights protections, though some nations battled to remove even those that remain up until the last minute. States can refuse requests for assistance when there is a risk of political persecution, though Iran along with China, India, Russia and Venezuela (among a number of other nations) fought to have this stripped. Iran took point on crusading against anything in the treaty involving human rights, lobbying that the term itself be entirely stripped from the document.

The big and broad split in national interests appeared to be more democratic nations wanting the treaty to focus on criminal cyber attacks such as ransomware and a more limited set of content- and speech-related issues such as child sexual abuse material, versus more authoritarian nations wanting speech against the government and denunciation of religious values to also be included. While the latter group was not entirely catered to, it was largely placated in leaving the door open for the scope of what constitutes “cybercrime” to be expanded to such speech and political dissent issues.

Big tech, commerce also not pleased by the results

Human rights groups are concerned about the cybercrime convention, but so too are business and big tech interests. The International Chamber of Commerce has issued a scathing opinion piece criticizing the UN’s final terms on the basis of an expected increase in compliance costs, hesitance in tech investment, a potential chilling effect on cybersecurity research, and instability caused by risks to national security.

The Cybersecurity Tech Accord, which represents Microsoft and Meta along with about 150 tech firms, has also come out in opposition to the cybercrime convention. The tech industry chiefly opposes the treaty on the basis of it potentially requiring compliance complications and turnover of personal information that would be in conflict with local laws. A delegate for the Accord also noted that tech firms tend to believe the treaty’s terms will actually boost cybercrime by making cybersecurity more difficult.

No country in the UN is actually compelled to sign the treaty, and some may well end up abstaining due to all of these various concerns. But even if cooperation remains spotty, the cybercrime convention will likely be one of the biggest influences on the direction of cybercrime laws since the internet became available for home use.

The cybercrime convention still has several steps to go through before it becomes active. Sometime prior to the end of 2024, it will be put to a vote among the UN’s member states. If it achieves a majority vote, it then heads to the ratification process in which each individual state decides whether or not to sign on. At least 40 member states must ratify it for it to become an official UN instrument. This process could mean months before the treaty actually comes online.