A year of United Nations cybercrime negotiations

The message of the Multi-Stakeholder Manifesto remains central as the process moves forward

The United Nations (UN) is currently engaged in a multiannual process with the aim of establishing a global cybercrime treaty. The open-ended Ad Hoc Committee (AHC) ^[1] UNODC, “United Nations Ad Hoc Committee (AHC) to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal … Continue reading tasked with drafting the document has met four times since the first session commenced on 28 February 2022 in New York. If a convention is agreed upon, it has the potential to revamp the international policing of crimes committed with the use of Information and Communication Technologies (ICTs). 

A year of cybercrime negotiations is the time for balancing deliberations, their impact, course, and concerns that must be addressed before Member States cross the finish line. An international instrument with far-reaching consequences for cybercrime, its perpetrators, and its victims, takes careful crafting to avoid unintended implications and prevent further harm. 

Strengthening cross-border cooperation to allow for more effective prosecution and deterrence of cybercriminals is a core mission of the proposed instrument. At the same time, the negotiations have seen emerging concerns about the adequate protection of user data and essential digital services, as well as safeguards for human rights in order not to undermine existing protections. 

The human component of cybercrime 

The cybercrime negotiations represent the first time that the UN Member States draft a legally binding framework for cyberspace ^[2]Other UN and regional instruments have preceded these negotiations and the convention should in many respects build on existing anti-cybercrime frameworks, such as the UN Convention on Transnational … Continue reading. The resolution ^[3]In 2019, the UN General Assembly (UN GA) Resolution 74/247 agreed to establish the open-ended Ad Hoc Committee (AHC) to Elaborate a Comprehensive International Convention on Countering the Use … Continue reading mandating the AHC expressed concerns about the increase, scope and complexity of crimes committed with the use of ICTs, their multiple impacts, and the borderless nature of cyberspace which allows for spillover effects into interconnected  domains. Indeed, our societies, and vulnerable groups in particular, have found themselves on the sharp end of the rapidly evolving cyber threat landscape. 

The CyberPeace Institute has been monitoring the impacts and harm in sectors of critical importance for human security and the well-being of populations ^[4]CyberPeace Institute, “Cyber Attacks in Times of Conflict Platform #Ukraine,” available from: https://cyberconflicts.cyberpeaceinstitute.org; CyberPeace Institute, “Cyber Incident Tracer … Continue reading. These evidence-based analyses demonstrate that when threat actors attack the healthcare sector or humanitarian NGOs, they impact the organizations’ ability to deliver care to people in need and, especially, during times of crisis. Considering the human component in the malicious use of cyber, collective and evidence-based approaches to combating cybercrime are paramount to inform the Committee’s work. 

Prior to the negotiations, in September 2021, the CyberPeace Institute and its industry partners assembled under  the  Cybersecurity Tech Accord initiative published the Multi-Stakeholder Manifesto. The overarching message of the Manifesto, supported by over 50 civil society and industry representatives, is that human-centric principles are central to any cybercrime legislation. Just as important and valid today is the Manifestos’ call to ensure that any convention countering the criminal use of ICTs protects victims, preserves an open Internet and upholds basic human rights and freedoms guaranteed under existing international UN and other treaties. 

Driving topics and challenges of the cybercrime negotiations

The scope of the convention is yet to be decided, and is largely dependent upon the criminal offenses which are to be included. Crimes committed with the use of ICTs  can be generally differentiated as cyber-dependent or cyber-enabled. Member States have been forming an agreement in principle that the convention should include cyber-dependent crimes, these are  offenses  that can only be committed using a computer, computer networks or other forms of ICTs. The inclusion of certain cyber-enabled crimes, i.e. offenses that are carried out online but could be committed without ICTs generates more disagreement. There is general support for inclusion of limited exceptions on cyber-enabled crimes such as online child sexual exploitation and abuse or computer-related fraud. However, certain  cyber-enabled crimes are more controversial as they are either covered by other instruments or because of their potential  negative impacts on human rights such as with regard to the inclusion of online content-related offenses related to “extremism” and “terrorism”. 

There are also divergent views on the purpose and use of terms included in the convention. Agreeing on narrow definitions and making explicit references are vital, as is establishing baselines for best practices, with reasonable flexibility in interpretations and implementation. Some states came forward to clarify their positions, including a proposal that a broad glossary should be attached to the convention. Many countries agree that eliminating the terminology which is used in the text and keeping it in line with existing legal instruments can facilitate a common understanding of the main terms and allow for further harmonization. 

Protecting fundamental human rights

Expanded international cooperation in combating cybercrime must not come at the expense of existing protections for fundamental human rights. Most states insist on human rights and rule of law safeguards, but the exact provisions remain unclear. Member States, accountable to their citizens, cannot agree to a treaty without such safeguards. Moreover, provisions in the convention need to support victim protection, focus on preventing re-victimization, and advance redress mechanisms. Designing specific and adaptable mechanisms to protect human rights, with particular attention to the needs of vulnerable groups, will be critical for the positive impact of the process and the ensuing implementation.

Reaching decision must be a collective effort 

The AHC released the first draft text for the cybercrime treaty in November 2022 ^[5]UNODC, “Consolidated negotiating document on the general provisions and the provisions on criminalization and on procedural measures and law enforcement of a comprehensive international convention … Continue reading, covering general provisions, criminalization, and procedural measures and law enforcement. The second part on international cooperation, preventive measures, technical assistance and the mechanism of implementation and the final provisions will be discussed at the fifth session scheduled for April 2023. After this, there will be a  “zero draft” document, a copy of which will be shared with Member States towards the end of this year. The work of the Committee will be finalized once the draft convention is proposed to the UN GA, which is expected to be at the 78th session in September 2024. States will try to reach a consensus to help the treaty’s adoption and implementation, however, a decision could be taken to a vote. 

Consensus will be difficult, as will be concluding the negotiations by the deadline. Tough decisions are ahead as the new cybercrime treaty aspires for universal adoption. Stakeholders from civil society, the private sector, and academia participating in the process have an important role in informing the ongoing discussions and contributing to reaching a shared understanding. The AHC has in many respects been a model process of multistakeholder inclusion in cyber deliberations under the UN auspices. However, increased transparency will be essential to sustain the multistakeholders’ engagement, especially as key discussions have moved to informal negotiations that allow only for Member State participation ^[6]UNODC, “Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes,” available from: … Continue reading. 

Countering cybercrime necessitates a whole-society approach to which an open, inclusive, and transparent process is vital. The CyberPeace Institute will continue to contribute in its expert capacity, as an accredited NGO, informing the negotiations and advocating for a treaty that ensures respect for human rights and an human-centric approach to countering cybercrime.