The UN's last cybercrime protocol was the 2001 Budapest Convention, which many countries did not sign. (Image: Pixabay)
A global effort to frame legislation tackling cybercrime cleared a major hurdle earlier this month, despite stiff opposition from tech companies, industry coalitions, academic institutions, human rights activists, and other stakeholders.
The draft of the United Nations Cybercrime Convention which has been under negotiation for the past three years, was unanimously approved by UN members at the end of a two-week session in New York, US, on August 9.
You have exhausted your monthly limit of free stories.
Read more stories for free with an Express account.
The first-ever, 41 page-long draft UN cybercrime treaty proposes a legislative framework to boost international cooperation among law enforcement agencies and offer technical assistance to countries that lack adequate infrastructure for combating cybercrime. It also contains provisions addressing illegal interception, money laundering, hacking, and online child sexual abuse material.
“The finalisation of this Convention is a landmark step as the first multilateral anti-crime treaty in over 20 years and the first UN Convention against Cybercrime at a time when threats in cyberspace are growing rapidly,” Ghada Waly, the executive director of United Nations Office on Drugs and Crime (UNODC), said in a statement.
Now, the draft cybercrime treaty is headed to the United Nations General Assembly (UNGA) for a vote that could take place next month. If adopted, the treaty will have to be signed and ratified by at least 40 countries in order to take effect; even as its detractors call for UN member States to abandon the legally-binding agreement altogether.
What does the UN cybercrime treaty entail?
Based on the outline of the draft text, the treaty requires member States to bring in legislation that criminalises certain activities as cybercrimes while giving them flexibility to narrow down the application of the law.
By signing the draft treaty, countries would be agreeing to introduce a law that makes the interception of non-public data transmissions illegal. Similarly, it paves the way for the unauthorised damage, deletion, deterioration, alteration, or suppression of data to become illegal.
Story continues below this ad
UN member States are further required to bring in laws that prohibit the production, import, sale, or purchase of devices that are primarily built or used to commit cybercrimes. The sale or purchase of passwords and login details to hack into information and communications technology (ICT) systems shall also be made illegal, as per the treaty.
Governments are required to classify as a cybercrime essentially any attempt to spread, store or view child sexual abuse material, which is defined as written, audio, or visual material that “depicts, describes or represents any person under 18 years of age engaging in real or simulated sexual activity; in the presence of a person engaging in any sexual activity; whose sexual parts are displayed for primarily sexual purposes; or subjected to torture or cruel, inhumane or degrading treatment or punishment and such material is sexual in nature.”
Making online arrangements to commit a sexual offence against a child and sharing intimate images or videos of a person online without their consent are also required to be treated as cybercrimes.
What are the proposed powers for authorities?
Under conditions and safeguards laid out in Article 24 of the treaty, governments are required to ensure that the powers granted to law enforcement agencies are in accordance with international human rights obligations and are proportional in nature.
Story continues below this ad
Some of these powers would allow authorities to preserve data if they believe that it can be modified or lost, order people to preserve data up to 90 days, and ask service providers to share sufficient traffic data so that they can trace the path of a transmitted communication.
Traffic data is defined as any data from an ICT system that “ formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration or type of underlying service.” Images, text messages, voice messages, audio recordings, and video recordings are defined under content data and subscriber information entails “any information that is held by a service provider, relating to subscribers of its services.”
Article 30 of the treaty requires States to legally empower authorities to collect and record content data in relation to a range of serious criminal offences. The treaty defines serious crime as conduct constituting an offence punishable by a maximum deprivation of liberty of at least four years or a more serious penalty;”
Meanwhile, Article 36, which deals with protection of personal data, states that governments are required to transfer personal data to other governments only if it is in accordance with its domestic laws. It also states that governments may revise domestic laws in order to fulfill requests from other countries for personal data.
Story continues below this ad
What are the key concerns with the draft treaty?
Digital rights advocacy groups like Access Now and Electronic Frontier Foundation (EFF) are concerned that the UN cybercrime treaty contains broad definitions of cybercrimes and could end up criminalising legitimate online activity.
“The treaty leaves a lot of loopholes which allow States at the national level to criminalise an entire range of activities as potentially being a cybercrime. And many of those activities that States could criminalise would be protected areas of activities such as journalism or legitimate security research,” said Raman Jit Singh Chima, the Asia Pacific policy director of Access Now.
Back in 2022, the Indian government’s submissions on the UN cybercrime treaty contained measures similar to the controversial Section 66A of the the Information Technology Act, 2000, which was struck down by the Supreme Court as being “unconstitutional”. However, India’s proposal asking countries to make it illegal to share “offensive messages” on social media did not find any support at the global forum.
“The current text of this convention weakens human rights standards protecting privacy in a digital age, undermining rights protected under India’s constitution as proclaimed by our Supreme Court in its Puttaswamy ruling in 2017,” Chima added. Activists are also concerned that the treaty could enable cross-border surveillance leading to human rights abuses by authoritarian regimes.
In a blog post on the treaty, EFF pointed out that member States are not required to scrutinise surveillance requests from other countries to ensure that they do not lead to persecution. “A striking pattern throughout the Convention as adopted is the leeway that it gives to States to decide whether or not to require human rights safeguards; almost all of the details of how human rights protections are implemented is left up to national law,” it said.
Technology on smartphone reviews, in-depth reports on privacy and security, AI, and more. We aim to simplify the most complex developments and make them succinct and accessible for tech enthusiasts and all readers. Stay updated with our daily news stories, monthly gadget roundups, and special reports and features that explore the vast possibilities of AI, consumer tech, quantum computing, etc.on smartphone reviews, in-depth reports on privacy and security, AI, and more. We aim to simplify the most complex developments and make them succinct and accessible for tech enthusiasts and all readers. Stay updated with our daily news stories, monthly gadget roundups, and special reports and features that explore the vast possibilities of AI, consumer tech, quantum computing, etc.
