The UN Cybercrime treaty is a cesspit of overreach and authoritarianism
Cybersecurity Awareness Month is still two months away, but given the importance and urgency of this topic, I thought I’d write about the UN Cybercrime Treaty. And as the negotiations for the treaty draw to a close on August 9th, the stakes couldn’t be higher. This treaty was initially proposed by Russia and now under the management of the UN Office on Drugs and Crime. It promises to strengthen “international cooperation” against “cybercrime”, which to my cybersecurity ears translates to : “We want more power. And we want a UN stamp on it.” Every detail buried within the treaty’s provisions is a step closer towards government’s overreach, especially in the areas of surveillance, data collection, and criminalisation. I’ve listed down here three points of why the treaty is no friend of human rights activists.
First, the treaty mandates expansive powers for data preservation and access (see Articles 25-29). Basically, this legitimises state surveillance. The mandate for “expedited” data preservation and allowing the state to continually renew orders to preserve electronic data sets a precedent for perpetual surveillance. There is also a lack of definition on what constitutes “grounds to believe”. At this point, are we just meant to ask the mirror on the wall?
I am sure the mirror will have a hard time finding who, not because there is none, but because there are too many. The lack of definition gives authorities unchecked power to justify indefinite data preservation. This blatant overreach tramples on privacy rights and creates a chilling effect on free speech. Might as well be the end of investigative journalism, as we know it. Article 27(b) also allows the state to force a service provider to divulge information related to the case being investigated. And we know how history is littered with good examples on why this is a bad idea.
In Vietnam, Facebook bent its knees to the government of Vietnam faster than Jon Snow bent his to the Targaryen Queen. And it was noted that Facebook has “been making repeated concessions to Vietnam’s authoritarian government, routinely censoring dissent.” In Iran, authorities have used private Telegram chats, phone logs, and text messages to incriminate activists, as seen in the case of Negin, who was interrogated and threatened with execution. In Pakistan, the government released an order titled “citizens protection against online harm 2020” which forced service providers to give out data and personal information, as requested by the country’s Inter-Services Intelligence. Not to mention how the broad definitions of crimes and the powers granted to prosecute “cybercrime” could be misused to target activists, journalists, and dissidents under the guise of national security. And asChina seeks to expand the definition of cybercrime to include the “fake news” online, we may be entering a time when the delicate balance between enforcing public order and curbing free speech could grow increasingly indistinct.
“Illegal access” (Article 7) could also be interpreted to include the activities of journalists accessing information for public interest reporting. Late last year, Delhi police carried out raids on the office of NewsClick, a news outlet that is highly critical of Narendra Modi. Houses of almost 50 journalists, activists and comedians in India were also raided under the ‘anti terrorism’ law that allows charges for “anti-national activities. In the Philippines, a similar ‘anti-terrorism’ law was being used to surveil environmental activists. At least 281 environmental defenders were killed in the Philippines between 2012 and 2022. In Jordan, the situation is particularly severe for LGBTI individuals, where the cybercrime law prohibits content that “promote, instigate, aid, or incite immorality.” The Jordanian law also bans the use of Virtual Private Networks (VPNs), proxies, and Tor. And this prohibition forces many LGBT individuals to choose between maintaining their identity’s security and freely expressing their opinions online.
Second, the treaty’s provisions for international cooperation (specifically Article 37) does not sufficiently safeguard against the extradition or transfer of individuals to countries where they might face political persecution. Paragraph 15 mentioned ‘substantial grounds’, but it was not clearly defined. Again, this lack of clarity will lead to individuals being extradited for politically motivated reasons. Article 3 of CAT supports the prohibition of extradition to countries where individuals would face serious risks to their life or freedom.
The treaty is also paving a way for states to create a digital autocracy where governments can compel service providers to preserve data and to provide such data to authorities without stringent oversight. A treaty that facilitates international cooperation on data sharing and broadens the scope for surveillance can also become a tool for governments to crack down on minorities. The ability to access and preserve electronic data without robust safeguards (Article 41 and Article 42) can be exploited to target marginalised communities, such as ethnic, religious, and LGBTQ+ groups. In countries like Russia or Uganda, where the state has a history of using legal frameworks to persecute LGBTI individuals, the ability to monitor, intercept, and collect digital communications under the pretense of preventing “cybercrime” could lead to identifying and prosecuting individuals based on their sexual orientation or gender identity. But to these countries, these people will just be collateral damages.
Paragraph 14 and Paragraph 9 of the treaty’s Article 37 presents a contradiction. While paragraph 14 guarantees fair treatment and the enjoyment of rights and guarantees provided by the domestic law of the state party, paragraph 9 encourages states to simplify evidentiary requirements to expedite extradition procedures. Simplifying evidence standards compromise the accuracy and fairness of the proceedings, which in turn erode due process rights. The recently concluded case of Julian Assange exemplifies the issues within Article 37. Another case of Ola Bini exemplifies these risks. Bini was detained at Quito’s Mariscal Sucre International Airport as he was preparing to travel to Japan for a vacation. The arrest occurred without clear or sufficient evidence, and Bini was held in custody without formal charges. While the treaty mentions respecting human rights and fundamental freedoms, it lacks concrete procedural safeguards against the misuse of the powers it grants. The provisions for search, seizure, and interception of data do not clearly require judicial oversight or other independent review mechanisms, potentially allowing for unchecked governmental overreach and violations of due process rights (uhm, can the UN people please refer to Article 14 of the ICCPR–a UN document?).
While the treaty mentioned the words “human rights” seven times, it lacks concrete procedural safeguards against the misuse of the powers it grants to state parties, educing the invocation of human rights to nothing more than hollow rhetoric. The provisions for search, seizure, and interception of data, as defined in Article 28, do not clearly require judicial oversight. This exposes the treaty as a clear conduit for unchecked governmental overreach and egregious violations of due process rights. Take Indonesia as an example. West Papuan human rights defenders often face significant challenges due to heightened surveillance and frequent seizures of their communication devices such as phones, laptops, and hard drives. This practice not only undermines due process but also poses a direct threat to the protection of civil liberties, operating in a legal gray area that facilitates potential abuses.
A specific provision within Article 28(3d) grants the state an alarming authority to “render inaccessible or remove” data within accessed information and communication systems. But this clause is not just about access, it is about granting the state the power to alter or delete data. This raises severe implications for information integrity and individual rights and sets the precedence for data manipulation without stringent oversight mechanisms in place. Such actions could irreversibly affect data integrity and availability and can be misused in a way that would alter evidence. Article 28 is deeply troubling. Clause (4), in particular, mandates individuals with system knowledge to assist in state investigations. If the coercion includes threats of legal penalties including imprisonment for non-compliance, it violates the right to freedom of thought–which is an absolute human right. Article 28, as it currently stands is a serious assault on fundamental human rights and stands as an abomination to these principles. It contravenes long-standing rights protections enshrined in the ICCPR, including 17, 19, 14 and 9.
Given that “cybercrime” can be politically charged, individuals could be unjustly targeted for their online activities that are critical of governments. Saudi Arabia’s sweeping Anti-Cyber Crime and Counter-Terrorism laws have been used to harshly penalise peaceful protesters, such as Nourah al-Qahtani, who was sentenced to 45 years for her social media posts. These laws, enacted in 2007 and 2014, are intentionally vague, allowing the government to arrest individuals under broadly defined charges like “tearing the social fabric” or “violating public order.”
Third, the treaty mentions that it “acknowledg[es] the right to protection against arbitrary or unlawful interference with one’s privacy, and the importance of protecting personal data”. Sure, then we don’t have a problem anymore, right?
No, Padme. You are wrong. The keyword here is the term “unlawful interference with privacy”. And with the recent anti-encryption campaigns and legislations that are sweeping across Europe and the Five Eyes, we know the government will find ways. In fact, Articles 27 and 28 implicitly discourage encryption practices by facilitating access to stored data. The weakening of encryption and anonymity endangers human rights defenders, journalists, and minorities.. As we have seen in the past, vague laws and treaties only mean one thing: governments can do whatever they want. And the only difference with this one is they will have a treaty that protects them. They will justify intrusive surveillance measures under the pretext of national security or fighting cybercrime at the expense of a person’s privacy and freedoms without accountability. The treaty eerily follows the Snooper’s Charter of the UK. The Charter, passed in 2016, allows authorities to retain emails and electronic communications indiscriminately and requires private companies to store this data. The Snooper Charter is having a facelift to expand the government’s access to large personal datasets, potentially allowing broader and more flexible use of personal data.
So what exactly is the point of this blog? What is even the point of criticising this treaty when some governments all over the world are doing it? The point is simple. Just because some governments are openly spying and jailing their journalists and human rights activists doesn’t mean we need a treaty to legitimise it. The UN was established to serve as a global platform where checks and balances can be applied not just within countries but across international borders. For millions of people around the world who are victims of authoritarian regimes, the UN is the only platform where they can advocate for their rights and a platform to air their grievances. And now, they are trying to take that away. The UN Cybercrime Treaty, under the guise of promoting international cooperation against cybercrime, is fraught with potential for abuse and overreach. It infringes on privacy rights, free speech, and the freedoms of activists, journalists, and minority groups.
But more than anything else, this Russia-backed treaty aims to normalise digital autocracy by channeling their efforts through the UN to create an illusion of universality and necessity. By allowing tools and justifications for digital monitoring and data collection, the treaty can aid in the establishment of a digital autocracy, backed by the United Nations. The notion of the internet as a free and open space is already fading, but with this treaty, we are paving the way for a future where every digital action is monitored and controlled by the state.