Prime Minister Narendra Modi, along with hundreds of world leaders, policymakers, envoys, and other representatives are likely to gather in New York, US, next month to attend the 79th session of the UN General Assembly (UNGA).
With the draft text of the treaty being finalised earlier this month, questions arise on what this development means for India. Does the international treaty align with India’s cybersecurity strategy and broader geopolitical interests? Indianexpress.com spoke with Raman Jit Singh Chima, the Asia Pacific policy director of Access Now, a digital rights advocacy group, to understand the potential implications of the draft UN cybercrime treaty for India.
The following excerpts from the interview have been lightly edited for brevity.
What is the significance of a UN treaty on cybercrime? Why is it a big deal?
Till date, there has been no single treaty on the issue of cybercrime that has been agreed upon by all UN member States. The only other treaty that exists that has many countries as signatories on the issue of cybercrime is the Budapest Convention, but that was negotiated by the Council of Europe, and was signed on to mostly by member States within Europe, as well as Turkey, the US, and more recently, Sri Lanka and Brazil.
But there’s been no one treaty that has been negotiated by all UN member States on the topic of cybercrime. In fact, there’s been no treaty on internet issues that has been negotiated and agreed to by the UN in the 21st century. All of the treaties that exist, and might relate to internet matters, are all from before 2000 or don’t relate to broader issues related to how the internet and cyberspace behave.
So, this cybercrime treaty is the first time that the UN’s member States have, essentially, in the 21st century, negotiated and agreed to binding legal provisions regarding how they would criminalise or cooperate with each other on issues relating to cybercrime enforcement. Another reason why it is significant is the way it’s been negotiated given the wide extent of the treaty and the fact that it would deeply impact human rights and cybersecurity.
Story continues below this ad
Do you think parts of the draft UN cybercrime treaty are flawed? Why?
Many people have been concerned about how the Russian Federation has framed the treaty process by operating on the basis that the internet is often used maliciously and is problematic. When this process started, we [Access Now] said we would only support a treaty that is narrowly worded, very clear in terms of what it seeks to criminalise, and would limit procedural powers, namely the powers given to law enforcement, prosecutors, and police actors, to a very narrow set of crimes.
But what we’ve ended up with is a treaty that’s quite overbroad in terms of what it criminalises.
It leaves a lot of loopholes which allow States to criminalise an entire range of activities as potentially being a cybercrime at the national level, and many of those activities that States could criminalise could be protected areas of activities such as journalism or legitimate security research. It doesn’t put in place sufficient safeguards to protect people from overbroad prosecution under cybercrime provisions, and it gives governments an entire range of legal powers.
It says that they must create legal frameworks to intercept or access data, and allow data sharing to take place in a way that is insufficiently safeguarded when it comes to the right to privacy in a digital age. More troublingly, the treaty leaves the door open for more to be added to it because member States of the UN have agreed that a protocol for this treaty will be negotiated now itself. They won’t even wait for the treaty to be fully enforced.
Story continues below this ad
Could you point out a few provisions of the treaty that are particularly concerning?
If you look at Article 6.2 of the treaty, it says that the treaty cannot be used to undermine human rights. This clause was added in despite a vote by Iran to delete Article 6.2 of the treaty. By the way, Iran’s vote was supported by India as well which is quite telling.
Setting that aside, if you look at the criminalisation portion of the treaty and the core cybercrimes listed in Articles 7, 8, 9, 10, and 11, they do not have sufficiently tight language, which means that even in the absence of criminal intent, States can potentially criminalise accessing a computer system as a cybercrime. It is quite likely that countries will create cybercrime laws based on this treaty which will unnecessarily over-criminalise what journalists, security researchers, human rights defenders, and activists generally do.
Another example of a concerning provision are Articles 24 and 35 which talks about the safeguards that should apply for electronic evidence gathering or data gathering powers. The treaty says that such powers should be used in a way that respects the principle of proportionality. That language is a bit odd, because the language used in international human rights law is necessity, legality, and proportionality. Those are the same legal standards set by the Indian Supreme Court in the Puttaswamy judgment.
In a way, the treaty tries to rewind the clock back by 10-15 years to before the Snowden revelations, when we got to know the sort of abuse of data access powers that governments were engaged in.
Story continues below this ad
Another example is from the definition section of the treaty where they have distinguished metadata and content data. If you apply different legal standards to metadata or traffic data (that is who emailed home at what point of time, who logged into what system at what point of time) and content data (the content of the email or the content of the message), it can actually lead to abuse by governments, because they could take very telling amounts of metadata to reveal a very intrusive picture of your daily life.
How does the draft treaty square with India’s domestic laws and cybersecurity strategy?
Firstly, India doesn’t have an updated national cybersecurity strategy. Why I mention that is because four years ago, Prime Minister Narendra Modi, in his Independence Day speech, said that there would be a new cybersecurity strategy for India. However, it has been four years and nothing has taken place. As a result, it is not clear who is in charge of what and who should take responsibility when an incident occurs. In many ways, this treaty process has also been a bit disappointing because I don’t think India has held any national-level consultations on what should be India’s position on the international cybercrime treaty.
Have they even consulted the states on what local police in India want in terms of international cooperation, given that most of the requests on cybercrime come from Indian states based on our constitutional framework?
I also do not think the cybercrime treaty text matches Indian law in terms of the requirements for privacy put in place by India’s Supreme Court in the Puttaswamy judgment. So, it is a legally grey question as to whether India can actually sign and ratify this treaty because unless India puts in place strong voluntary commitments about how to implement the treaty, the current treaty text may not satisfy the Indian Supreme Court’s requirements of the right to privacy.
Story continues below this ad
You attended most of the negotiations on the treaty. How would you describe India’s stance through the proceedings?
India’s position on the cybercrime treaty broadly aligned in many areas with Russia and China, where it pushed for a very broad treaty to cover everything and to provide for data gathering, data collection, and data sharing, not just for core cybercrimes but for all sorts of crimes with no safeguards.
India has also proposed things which have been controversial. It proposed a clause in the treaty that was exactly similar to Section 66A of the Information Technology (IT) Act, 2000, which has been struck down by the Supreme Court.
But it’s not just about what is in Indian law, right? It’s also about: how will other governments send requests to India? So if you criminalise something or if you create a data access path provision, those requests will also come to India from its neighbouring countries like Pakistan, China, and others. In fact, it is unclear whether India negotiated to put in place sufficient safeguards for it to push back on political requests from its neighbours.
Do you think this treaty could lead to legislative changes in India? How will it affect the ground reality of cybercrimes here?
This is exactly what the government needs to state. It needs to tell the Indian public why it voted in favour of finalising this treaty and how would it help improve or not improve India’s cybercrime legal situation. Secondly, it is not clear whether India would have to amend its IT Act or other laws to match with the cybercrime treaty. Parts of what are there in the treaty are beyond what exists in Indian law.
Story continues below this ad
Other parts might be less than what is there in Indian law. So, I don’t think that sort of consultative exercise with the Indian government’s own legal experts has actually happened, especially since most powers to tackle cybercrime are given to state police agencies across the different state governments of India.
Would the treaty help India improve its cybercrime situation? First, India has to sign and ratify the treaty. Secondly, India’s partners or the countries with whom India wants to work with, they also need to sign and ratify the treaty. Given the controversial nature of the treaty text, I don’t think it would be smooth sailing for the treaty to be signed and ratified by the US or the EU. It also makes one wonder, why did India push for such a broad treaty when it won’t actually help with its own domestic cybercrime issues?
What are the chances of the treaty being adopted at the UNGA? How would you expect India to vote?
Based on the indications we have gotten, the treaty will most likely go to the full General Assembly in what’s called the UN High-Level Week in September itself. If it gets the minimum number of votes, it will be opened for States to sign it which may take anywhere between six months to two years. Only then will you start seeing the treaty go into effect.
On India’s desires to sign and ratify the treaty, one needs to ask how would this treaty be useful for it? If India wants data access from, say, Western tech companies, most of whom are headquartered in the United States or the European Union, and if those two geographies don’t sign this because the treaty is weak or because their own domestic political and legal systems prevent signature ratification, then, why would it be useful? That’s a very open question right now.
