cybercrime treaty – Techdirt (original) (raw)
UN Delegates Cheer As They Vote To Approve Increased Surveillance Via Russia-Backed Cybercrime Treaty
from the why-are-we-even-doing-this? dept
For years now, the UN has been trying to strike a deal on a “Cybercrime Treaty.” As with nearly every attempt by the UN to craft treaties around internet regulation, it’s been a total mess. The concept, enabling countries to have agreed upon standards to fight cybercrime, may seem laudable. But when it’s driven by countries that have extremely different definitions of “crime,” it becomes problematic. Especially if part of the treaty is enabling one country to demand another reveal private information about someone they accuse of engaging in a very, very broadly defined “cybercrime.”
The UN structure means that the final decision-makers are nation-states, and other stakeholders have way less say in the process.
And, on Thursday, those nation-states unanimously approved it, ignoring the concerns of many stakeholders.
Some history: two years ago, we warned about how the proposed treaty appeared to be perfect for widespread censorship, as it included considering “hate speech” as a form of cybercrime it sought to regulate. Last year, we checked in again and found that, while updated, the proposed treaty was still a total mess and would lead to both the stifling of free expression and increased surveillance.
No wonder certain governments (Russia, China) loved it.
While the final treaty made some changes from earlier versions that definitely made it better, the end product is still incredibly dangerous in many ways. Human Rights Watch put out a detailed warning regarding the problems of the treaty, noting that Russia is the main backer of the treaty — which should already cause you to distrust it.
The treaty has three main problems: its broad scope, its lack of human-rights safeguards, and the risks it poses to children’s rights.
Instead of limiting the treaty to address crimes committed against computer systems, networks, and data—think hacking or ransomware—the treaty’s title defines cybercrime to include any crime committed by using Information and Communications Technology systems. The negotiators are also poised to agree to the immediate drafting of a protocol to the treaty to address “additional criminal offenses as appropriate.” As a result, when governments pass domestic laws that criminalize any activity that uses the Internet in any way to plan, commit, or carry out a crime, they can point to this treaty’s title and potentially its protocol to justify the enforcement of repressive laws.
In addition to the treaty’s broad definition of cybercrime, it essentially requires governments to surveil people and turn over their data to foreign law enforcement upon request if the requesting government claims they’ve committed any “serious crime” under national law, defined as a crime with a sentence of four years or more. This would include behavior that is protected under international human rights law but that some countries abusively criminalize, like same-sex conduct, criticizing one’s government, investigative reporting, participating in a protest, or being a whistleblower.
In the last year, a Saudi court sentenced a man to death and a second man to 20 years in prison, both for their peaceful expression online, in an escalation of the country’s ever-worsening crackdown on freedom of expression and other basic rights.
This treaty would compel other governments to assist in and become complicit in the prosecution of such “crimes.”
EFF also warned of how the treaty would be used for greater governmental surveillance:
If you’re an activist in Country A tweeting about human rights atrocities in Country B, and criticizing government officials or the king is considered a serious crime in both countries under vague cybercrime laws, the UN Cybercrime Treaty could allow Country A to spy on you for Country B. This means Country A could access your email or track your location without prior judicial authorization and keep this information secret, even when it no longer impacts the investigation.
Criticizing the government is a far cry from launching a phishing attack or causing a data breach. But since it involves using a computer and is a serious crime as defined by national law, it falls within the scope of the treaty’s cross-border spying powers, as currently written.
This isn’t hyperbole. In countries like Russia and China, serious “cybercrime” has become a catchall term for any activity the government disapproves of if it involves a computer. This broad and vague definition of serious crimes allows these governments to target political dissidents and suppress free speech under the guise of cybercrime enforcement.
Posting a rainbow flag on social media could be considered a serious cybercrime in countries outlawing LGBTQ+ rights. Journalists publishing articles based on leaked data about human rights atrocities and digital activists organizing protests through social media could be accused of committing cybercrimes under the draft convention.
The text’s broad scope could allow governments to misuse the convention’s cross border spying powers to gather “evidence” on political dissidents and suppress free speech and privacy under the pretext of enforcing cybercrime laws.
That seems bad!
EFF also warned how the Cybercrime Treaty could be used against journalists and security researchers. It creates a sort of international (but even more poorly worded) version of the CFAA, a law we’ve criticized many times in the past for how it is abused by law enforcement to go after anyone doing anything they dislike “on a computer.”
Instead, the draft text includes weak wording that criminalizes accessing a computer “without right.” This could allow authorities to prosecute security researchers and investigative journalists who, for example, independently find and publish information about holes in computer networks.
These vulnerabilities could be exploited to spread malware, cause data breaches, and get access to sensitive information of millions of people. This would undermine the very purpose of the draft treaty: to protect individuals and our institutions from cybercrime.
What’s more, the draft treaty’s overbroad scope, extensive secret surveillance provisions, and weak safeguards risk making the convention a tool for state abuse. Journalists reporting on government corruption, protests, public dissent, and other issues states don’t like can and do become targets for surveillance, location tracking, and private data collection.
And so, of course, the UN passed it on Thursday in a unanimous vote. Because governments love it for all the concerns discussed above, and human rights groups and other stakeholders don’t get a vote. Which seems like a problem.
The passage of the treaty is significant and establishes for the first time a global-level cybercrime and data access-enabling legal framework.
The treaty was adopted late Thursday by the body’s Ad Hoc Committee on Cybercrime and will next go to the General Assembly for a vote in the fall. It is expected to sail through the General Assembly since the same states will be voting on it there.
The agreement follows three years of negotiations capped by the final two-week session that has been underway.
And then they gave themselves a standing ovation. Because it’s not them who will get screwed over by this treaty. It’s everyone else.
cybercrime treaty adopted. diplomats give a standing ovation.adopted over objections of most human rights orgs. little good will come out of this. all risk. russians get their dream treaty.democracies will regret their spinelessness when countries demand new crimes of 'extremism' &tc.
— David Kaye (@davidkaye.bsky.social) 2024-08-08T21:07:36.751Z
For the treaty to go into force, 40 nations have to ratify it. Hopefully the US refuses to, and also pushes for other non-authoritarian countries to reject this treaty as well. It’s a really dangerous agreement, and these kinds of international agreements can cause serious problems once countries agree to them and they enter into force. Terrible treaties, once ratified, are nearly impossible to fix.
Filed Under: cfaa, computer crimes, cybercrime, cybercrime treaty, data access, russia, surveillance, un
Abusive Governments (And The Criminals They Employ) Are Going To LOVE The UN’s Cybercrime Treaty
from the baby-and-bathwater-trebuchet dept
Various treaties and multi-national proposals to combat cybercrime have been around for years. I’m not exaggerating. These have been floating around for more than a decade. (Do you want to feel old? This cybercrime treaty proposal would be old enough to legally obtain a social media account in the United States if it were still viable.)
The UN has been pushing its own version. But its idea of “crime” seems off-base, especially when it’s dealing with a conglomerate of countries with varying free speech protections. The “Cybercrime Treaty” proposed by the UN focuses on things many would consider ugly, distasteful, abhorrent, or even enraging. But it’s not things most people consider to be the sort of “crimes” a unified world front should be addressing — not when there’s plenty of financially or personally damaging cybercrime being performed on the regular.
As Mike Masnick noted last year, the UN’s proposal aims to regulate speech, even if its stated ends are making the internet safer for everyone. The treaty would target “hate speech,” an often ill-defined term that encompasses everything from targeted attacks to shitposting to honest criticism that just happens to criticize things the government likes: things like preferred religions, citizens, ceremonies, holidays, or political figures.
It’s built for abuse. A year has passed and the UN’s “Cybercrime Treaty” doesn’t appear to have improved. While there’s stuff in there targeting actual criminal activity, there are still plenty of mandates just waiting to be abused by governments to target people they don’t like.
The EFF has an extensive rundown on the treaty’s modifications, most of which just make things worse for everyone if they’re enacted. And that begins with the treaty’s beginnings. The priorities have been disrupted.
Rather than focusing on core cybercrimes like network intrusion and computing system interference, the draft treaty’s emphasis on content-related crimes could likely result in overly broad and easily abused laws that stifle free expression and association rights of people around the world.
For example, the draft U.N.Cybercrime Treaty includes provisions that could make it a crime to humiliate a person and group, or insult a religion using a computer. This potentially makes it a crime to send or post legitimate content protected under international law.
Even computer-focused criminal laws have been regularly abused by governments (holla back CFAA!). This one sidesteps this focus to target computer users who aren’t trying to engage in criminal activity. They’re just being assholes. But give a questionable government a tool like this to use, and it will ensure it treats any criticism as a form of hate speech if it can, silencing dissent and preemptively silencing those who might have been considering speaking up. As the EFF points out, most human rights abusers come from countries with state religions and this law would allow them to ramp up the oppression they already offer to residents they don’t care for.
Sure, the UN has attached a caveat warning countries considering abusing the treaty from abusing the treaty. But if we’ve learned nothing else about the United Nations during its nearly 70-year run as a Manhattan property owner, it’s that it’s pretty much incapable of deterring any government from doing anything it truly wants to do.
That’s why this is a problem. Like anything else with horrendous unintended consequences, the treaty is well-meaning. But it’s also a toolbox for autocrats and oppressive regimes. And they know it. There are enough dissenters who love everything bad about the proposal to derail the treaty unless even the most minimum of protections for the governed are removed.
[T]he draft U.N.Cybercrime Treaty introduces vague provisions that will compel states to pass laws authorizing the use of overly broad spying powers without these safeguards—placing people at an increased risk of harm, and curtailing civil liberties and defendants’ fair trial rights. Even worse, during draft treaty negotiations, countries including India, Russia, China, Iran, Syria, and Tonga proposed amendments to remove Article 5, a general clause that emphasizes respect for human rights and references international human rights obligations. Rubbing salt into the wound, Egypt, Singapore, Malaysia, Pakistan, Oman, Iran, and Russia requested the deletion of even the most modest limitations on government spying powers, Article 42, on conditions and safeguards.
Going hand-in-hand with the partial stripping of rights in many nations around the world is the mandated expansion of surveillance nearly everywhere in the free world. To keep an eye on people saying mean things to each other, governments will need more access to more internet communications, something the UN is apparently cool with mandating. And the proposal is open-ended, preemptively blessing surveillance techniques that haven’t even been designed, much less brought to market.
The draft treaty also oddly refers to allowing authorities to use “special investigative techniques,” again without ever defining what those are. The current language, indeed, could allow any type of surveillance technology—from malware to IMSI catchers, machine learning prediction, and other mass surveillance tools—as well as any tool or technique that may exist in the future.
If the UN wants oppressive countries to stop pretending it’s only now they’re taking their gloves off, this Cybercrime Treaty is exactly what’s needed. If it really wants to stop cybercrime, it should focus more on universally recognized computer crimes, rather than speech that, while terrible, is still protected. And it definitely should rewrite the proposal with an eye on the unintended consequences, because it’s those consequences that will contribute the most to the inevitable abuse of this treaty.
Filed Under: cybercrime, cybercrime treaty, free speech, humilation, information security, insults
Companies: un
Policymakers Need To Realize How Any Internet Regulation Will Impact Speech
from the censorship-comes-in-many-forms dept
The internet is about speech. That’s basically all the internet is. It’s a system for communicating, and that communication is speech. What’s becoming increasingly frustrating to me is how in all of these attempts to regulate the internet around the globe, policymakers (and many others) seem to ignore that, and act as if they can treat internet issues like other non-speech industries. We see it over and over again. Privacy law for the internet? Has huge speech implications. Antitrust for the internet? Yup, speech implications.
That’s not to argue that all such regulations can’t be done in ways that don’t violate free speech rights, but to note that those who completely ignore the free speech implications of their regulations are going to create real problems for free speech.
The latest area where this is showing up is that the UN has been working on a “Cybercrime Treaty.” And, you can argue that having a more global framework for responding to internet-based crime sounds like a good thing, especially as such criminal behavior has been rapidly growing. However, the process is already raising lots of concerns about the potential impact on human rights. And, most specifically, there are massive concerns about how a Cybercrime Treaty might include speech related crimes.
So it is concerning that some UN Member States are proposing vague provisions to combat hate speech to a committee of government representatives (the Ad Hoc Committee) convened by the UN to negotiate a proposed UN Cybercrime treaty. These proposals could make it a cybercrime to humiliate a person or group, or insult a religion using a computer, even if such speech would be legal under international human rights law.
Including offenses based on harmful speech in the treaty, rather than focusing on core cybercrimes, will likely result in overbroad, easily abused laws that will sweep up lawful speech and pose an enormous menace to the free expression rights of people around the world. The UN committee should not make that mistake.
As we’ve been noting for years, “hate speech laws” are almost always abused by governments to silence dissent, rather than protect the marginalized. Indeed, one look at the countries pushing for the Cybercrime Treaty to include hate speech crimes should give you a sense of the intent of the backers:
For example, Jordan proposes using the treaty to criminalize “hate speech or actions related to the insulting of religions or States using information networks or websites,” while Egypt calls for prohibiting the “spreading of strife, sedition, hatred or racism.” Russia, jointly with Belarus, Burundi, China, Nicaragua, and Tajikistan, also proposed to outlaw a wide range of vaguely defined speech intending to criminalize protected speech: “the distribution of materials that call for illegal acts motivated by political, ideological, social, racial, ethnic, or religious hatred or enmity, advocacy and justification of such actions, or to provide access to such materials, by means of ICT (information and communications technology),” as well as “humiliation by means of ICT (information and communications technology) of a person or group of people on account of their race, ethnicity, language, origin or religious affiliation.”
It’s like a who’s who of countries known for oppressing dissent at every opportunity.
Once again, it’s reasonable to argue that there should be some more regulations for the internet, but if you don’t recognize how those will be abused to stifle speech, you’re a part of the problem.
Filed Under: cybercrime treaty, free speech, hate speech, speech, un
Could Cybercrime Treaty Already Push Through Some Of The Worst Of ACTA?
from the international-obligations dept
One of the important aspect of the leaked copy of the ACTA draft a little while back was that it also included what each of the different parties was pushing for in terms of language choices. This part of the draft was conveniently missing from the “official” draft that was released recently. But, if you looked through the different changes being pushed for by different countries, you quickly realized that definitions mean everything. The different wording seemed to only differ slightly, but depending on how you defined different terms, the actual meaning could be night and day. And, indeed, supporters of ACTA have been working overtime to make reading the draft seem innocuous, while making sure that the definitions make ACTA much more powerful.
Among the concerns is how “criminal copyright infringement” is defined — specifically, what counts as “commercial scale.” In ACTA, there’s been an attempt to define commercial scale as broadly as possible, including copying for personal use.
Richard points us to some news down in Australia, where there’s some concern that Australia’s recent decision to sign on to a European cybercrime treaty, could force it to define criminal copyright infringement extremely broadly, along the lines of ACTA — effectively getting that part of ACTA agreed to with or without ACTA. In other words, as plenty of folks interested in this stuff have been focused on ACTA, was the entertainment industry able to back door this really bad aspect of ACTA into many countries via the Cybercrime treaty already?
Filed Under: acta, australia, commercial scale, copyright, criminal copyright, cybercrime treaty