Abuse of Cybercrime Measures Taints UN Talks

U.N. headquarters Saturday, Sept. 28, 2019. © AP Photo/Jeenah Moon

(New York) – A possible global treaty to address cybercrime risks legitimizing abusive practices and could be used as an excuse to silence government critics and undermine privacy in many countries, Human Rights Watch said today. Governments will kick off the process for a global cybercrime treaty, first proposed by the Russian government, at the United Nations on May 10, 2021.

Several national cybercrime laws in various parts of the world already unduly restrict rights and are being used to persecute journalists, human rights defenders, technologists, opposition politicians, lawyers, religious reformers, and artists. Instead of a treaty, governments should prioritize reforming these abusive laws to conform with international human rights standards. Any effort to address cybercrime needs to reinforce, not undermine, freedom of expression and other human rights.

“Cybercrime poses a real threat to people’s human rights and livelihoods and efforts to address it need to protect, not undermine, rights,” said Deborah Brown, senior digital rights researcher and advocate at Human Rights Watch. “Governments should oppose overbroad and aggressive cybercrime measures that threaten rights.”

The negotiating process for a possible treaty should be open and transparent, and human rights groups should be consulted every step of the way, Human Rights Watch said.

The term “cybercrime” is typically used to describe both actions taken against the confidentiality, integrity, and availability of computer data or systems and traditional offenses committed through the internet and communications technology. In recent years, there has been a surge in cybercrime laws around the world, some of which are overly broad and criminalize online expression, association, and assembly.

Pakistan’s Prevention of Electronic Crimes Act, as just one example, authorizes blocking websites deemed critical of officials and requires service providers to retain or provide authorities with access to copious amounts of people’s data, which is open to abuse. Other laws, like Egypt’s Anti-Cyber and Information Technology Crimes Law, have been used to prosecute people for using secure digital communications, which are crucial to keeping people safe online.

If UN member states choose to pursue a global treaty, they should bolster protections for freedom of expression and other fundamental rights, Human Rights Watch said.

The upcoming UN meeting will focus on key procedural matters, such as who can participate in future negotiations, where negotiations will occur, and whether the process will be based on consensus.

Ahead of the treaty negotiations, Human Rights Watch analyzed the key risks to freedom of expression and privacy posed by national legislation and international cooperation to address cybercrime, based on Human Rights Watch reporting on cybercrime for at least a decade. In March and April of 2021, Human Rights Watch also conducted phone and email interviews with cybercrime experts.

Governments have obligations under international human rights law to protect people from harm resulting from criminal activity carried out through the internet. For example, part of governments’ obligation to protect women’s human rights includes combating gender-based violence online, such as the nonconsensual distribution of intimate images online. But government responses to cybercrime are often ineffective or disproportionate, and can undermine rights.

Investigating and prosecuting crime increasingly requires international cooperation. Data is physically stored and processed in multiple countries, often different from where the criminal prosecution takes place, even when referring to data in the “cloud.” Governments try to access data stored outside their jurisdictions through legislative, informal, and coercive measures that can erode the right to privacy. Governments, sometimes with the support of major companies, have tried to speed up cooperation to share data for criminal investigations through measures that can bypass or weaken due process protections.

So-called morality clauses have led to arrests and prosecutions of women and LGBT people for expressing themselves online. A new treaty risks legitimizing and normalizing these practices. The UN General Assembly has expressed grave concern that cybercrime laws are “in some instances misused to target human rights defenders or have hindered their work and endangered their safety in a manner contrary to international law.”

Cybercrime laws have also been used to crack down on critical voices. For example, the prominent Philippines journalist Maria Ressa was convicted of “cyber libel” in 2020 and faces up to seven years in prison. The renowned Emirati human rights defender Ahmed Mansoor is serving a 10-year sentence for cybercrimes and other vague offenses related to his human rights work.

The risks of proceeding with a global treaty – particularly one that has been championed by some of the world’s most repressive governments – are considerable, Human Rights Watch said. A global treaty would set the standard for countries around the world that are still developing their approaches to addressing cybercrime at the national level. It could also significantly influence how law enforcement shares data across borders.

A treaty is most likely unnecessary, and efforts would be better spent improving mutual legal assistance processes and providing more resources and training for law enforcement officials engaged in cross-border requests for data to ensure timely responses that do not infringe on people’s rights.

“Delegations should think long and hard about whether the world actually needs a cybercrime treaty,” Brown said. “They should also ensure that nongovernmental groups have a seat at the table, as so many advocates have been targeted by abusive cybercrime laws and have relevant expertise on what safeguards are needed.”

For more information on the impact of measures to address cybercrime, please see below.

Cybercrime and Rights

Digital technologies play an increasing role in people’s everyday lives. Cybercrime, and abusive measures aimed at fighting it, are growing and present significant human rights challenges. Cybercrime can undermine rights, including the rights to privacy, freedom of expression, and nondiscrimination, and can affect people’s livelihoods.

Malicious hacking of personal data can reveal intimate aspects of people’s lives. Blackmail facilitated by phishing attacks can restrict people’s freedom of expression and cause psychological harm. Capturing or sharing intimate images without consent can cause lifelong impact for people targeted, most of them women and girls. Online scams and the use of malware to obtain bank login credentials can cause severe financial distress.

Older people tend to be hit disproportionately in some contexts because they are perceived to have significant financial resources and to lack the tools and experience to identify attacks and fraud. Governments may not consistently support older people with information and skills to protect themselves online. Cybercrime is on the rise and will most likely grow, as data breaches and leaks at companies like Facebook, LinkedIn, and Clubhouse expose the sensitive personal data of hundreds of millions of people and leave them vulnerable to attacks.

There is no consensus on how to tackle cybercrime at the global level or a common understanding or definition of what constitutes cybercrime. Most definitions include a limited number of acts, often referred to as “cyber-dependent crimes,” against the confidentiality, integrity, and availability of computer data or systems. Cybercrime laws also often include criminalization of what is often referred to as cyber-enabled crimes, traditional offenses committed through the internet and communications technology. These include acts for personal or financial gain or harm, such as identity-related crime, and computer content-related acts, like child sexual exploitation and copyright infringement. Cybercrime laws also typically contain procedural powers that enable specialized investigative and international cooperation, which law enforcement in one country can use to obtain electronic evidence in another country for any criminal investigation.

National Cybercrime Laws that Unduly Restrict Rights

In his 2019 report, the UN special rapporteur on the rights to freedom of peaceful assembly and of association, Clément Nyaletsossi Voule, observed, “A surge in legislation and policies aimed at combating cybercrime has also opened the door to punishing and surveilling activists and protesters in many countries around the world.”

The following analysis is not comprehensive, but identifies trends observed in reporting on cybercrime laws in various regions. It focuses primarily on cybercrime laws, but cybercrime provisions that are used to restrict rights can also be found in laws governing information and communications technologies (ICTs), telecommunications, and cybersecurity, and in penal codes. Additionally, cybercrime laws are often used in conjunction with other laws, like counterterrorism laws, to restrict rights.

Criminalization of Expression

Many governments are putting into place cybercrime laws with provisions that directly violate freedom of expression, or that are overbroad and vague, lending themselves to crackdowns on freedom of expression.

Pakistan’s Prevention of Electronic Crimes Act (PECA) criminalizes anyone who “prepares or disseminates” information through any information system or device with the intent to praise a person “accused of a crime,” or to “advance religious, ethnic or sectarian hatred,” or with intent to praise terrorism or proscribed organizations. These provisions on their face violate free expression rights.

Cambodia’s proposed cybercrime law prohibits acts that vaguely constitute “disturbing, frightening, threatening, violating, persecuting or verbally abusing others by means of computer.” The United Arab Emirates’ Federal Legal Decree No. 5/2012 on combating cybercrimes broadly criminalizes the use of information technology “with the intent of inciting to actions, or publishing or disseminating any information, news, caricatures, or other images liable to endanger state security and its higher interests or infringe on the public order.”

Many countries have made spreading “false” information online a cybercrime. But what is “false” is often highly contested, and criminalizing “false” statements opens the door to broad criminalization and chilling of speech. Human rights experts at the UN and regional bodies have long condemned governments for using vague and ambiguous terms such as “false news” and “non-objective information” to outlaw disseminating certain types of information.

In October 2020, Nicaragua’s Congress adopted a cybercrime law that criminalizes “publication” or “dissemination” of “false” or “distorted” information on the internet “likely to spread anxiety, anguish or fear.” It also punishes anyone who publishes “false or distorted information” that “promotes hate and violence, [or] endangers economic stability, public order or health, or national security,” terms that are not defined.

In March 2020, Russia introduced Article 207.1 into the criminal code for “public dissemination of knowingly false information in circumstances threatening the life and safety of citizens,” punishable with up to three years of liberty restriction. A proposed cybercrime law in Eswatini outlaws publishing a statement or “fake news” through any medium, with the intention to deceive anyone else or any group of people.

Thailand’s 2016 Computer-Related Crime Act (CCA) criminalizes publishing content that is “likely to cause damage to the public,” including “false or partially false” data, “distorted or partially distorted” data, or data likely to “cause public panic” or harm “maintenance of national security, public safety, national economic security, public infrastructure serving the public interest.” Rwanda’s Law on Prevention and Punishment of Cyber Crimes prohibits the publication of “rumors.”

Some countries also use cybercrime laws to criminalize conduct viewed as harming morality or religious values. Such provisions pose a particular threat to the free speech of women’s rights advocates and LGBT people.

Saudi Arabia’s 2007 Anti-Cybercrime law criminalizes “producing something that harms public order, religious values, public morals, the sanctity of private life, or authoring, sending, or storing it via an information network.” Egypt’s 2018 Anti-Cyber and Information Technology Crimes Law restricts online content deemed to “undermine family values” or violate “public morals.” Nigeria’s Cybercrimes Act criminalizes a broad range of offenses, including insult of people based on their religion.

These restrictions are inconsistent with international human rights law, which requires any regulation of freedom of expression to be necessary for a legitimate purpose, such as the protection of national security, public health, or the rights of others, and to be strictly proportionate to that end. Even when a law has a legitimate purpose, governments are obligated to specifically identify the nature of the threat being addressed and how the measure proposed is both a necessary and proportionate means of addressing it.

Restrictions on Investigative Journalism, Research, and Whistleblowing

A core element of cybercrime laws is usually the criminalization of unauthorized or illegal access to and interference with computer systems and data. These provisions can provide important safeguards against privacy violations and generally strengthen cybersecurity. However, these laws can undermine human rights when they are overbroad, such as by criminalizing mere access to computer systems and data, regardless of intent and without allowing a public interest defense.

Such laws can easily be used against whistleblowers who may access systems and data to expose government or corporate wrongdoing, or security researchers, who may do so to disclose vulnerabilities in information systems, to allow companies to improve infrastructure and software security for the public’s benefit. Such overbroad laws can also be used against activist groups or media outlets that publish information that was obtained without authorization. Publishing such data is key, for example, to Justice for Myanmar’s work to expose international businesses with financial ties to Myanmar’s military with the release of sourced evidence.

Pakistan’s PECA prohibits unauthorized access to, copying, or transmission of “critical” information with intent to create a sense of fear or insecurity in the government or the public or to advance religious, ethnic, or sectarian hatred. These vague definitions create a serious threat to whistleblowers who may seek to reveal intelligence that shows abuses by government officials or agencies.

Cambodia’s proposed cybercrime law criminalizes “unauthorized access” to a computer system, or transferring data from a system without authorization, with no protections for journalists or whistleblowers. The provisions could be used to prosecute whistleblowers and investigative journalists who use leaked materials in their work.

Nicaragua’s cybercrime law punishes the use of communications technology to disclose classified information as well as information considered “personal.” Article 232 of Ecuador’s Criminal Code broadly criminalizes a range of activities, including destruction of, damaging, erasing, altering, or blocking computer data or systems, or even designing or developing programs that could be used this way. The law does not require malicious intent and can be interpreted broadly by prosecutors.

In the United States, the Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to computers but does not explain what “without authorization” actually means. Along with contradictory court decisions, this has created uncertainty and confusion for security researchers and ordinary internet users.

The ambiguity of “unauthorized access” has opened up researchers to legal risk from platform companies claiming that “scraping” violates their sites’ terms of service. Scraping is using a computer to automatically load and read the pages of a website for later analysis.

The CFAA is also cited in the US indictment of Julian Assange, the founder of Wikileaks, which constitutes a threat to media freedom because much of the conduct it describes is routinely used by journalists. Journalists at major news publications regularly speak with sources, ask for clarification or more documentation, and receive and publish documents the government considers secret.

Interference with Privacy

Cybercrime laws often establish new investigative powers, including allowing authorities to intercept, retain, and access people’s data. Obtaining data from internet service providers and other online services such as social media platforms or cloud storage services can be essential for prosecuting cybercrime. But some laws require disproportionate data collection and retention without judicial oversight and basic due process protections. In some cases, law enforcement may be able to obtain stored subscriber data, traffic data, and even content data, directly and in real time. Laws also often impose harsh sanctions on companies for failure to retain data and provide access to law enforcement.

The Philippines’ Cybercrime Prevention Act authorizes police to collect computer data in real time without a court order or warrant. Thailand’s CCA expands the government’s data collection and other investigatory powers, allowing their use in response to any criminal offense under other laws that involve the use of computer systems, computer data, or devices. Service providers may be required to retain user data for up to two years. Authorities are able to access “traffic data” and other user-related data without a court order when investigating an offense under the CCA or other laws. With a court order, the authorities are also potentially able to compel service providers to assist with decrypting encoded data, raising concerns that the law could undermine the use of encryption tools that protect cybersecurity and users’ privacy. Undermining encryption compromises the security of everyone’s communications, exposing people to a range of threats online, including from cybercriminals.

Palestine’s Law on Electronic Crimes permits the authorities to “seize” information systems and information technology tools “which may help uncover the truth” for investigative purposes without demonstrating the necessity or proportionality. The law also obligates service providers to make available subscriber information “at the request of the prosecution or the competent court” and retain that information for at least three years without clarifying what that entails or setting out restrictions or sufficient safeguards against abuse. This requirement disproportionately infringes on the right to privacy of all users whose data is collected regardless of whether they are suspected of wrongdoing.

Egypt’s cybercrime law requires internet service providers to collect and store customer usage data for 180 days. That includes data that enables user identification, and data related to all user activities, including phone calls and text messages, websites visited, and applications used on smartphones and computers. The National Telecommunications Regulatory Authority can also issue an administrative decision obliging telecommunications companies to save “other data” without specifying what kind. Service providers are also required to provide their “technical capabilities” to national security entities and grant them access to review retained data.

The UN Office of the High Commissioner for Human Rights has criticized governments for imposing mandatory obligations on service providers to retain communications data for extended periods because such requirements limit people’s ability to communicate anonymously, create the risk of abuses, and may facilitate disclosure to third parties, including criminals, political opponents, or business competitors through hacking or other data breaches.

Misuse of Cybercrime Laws

In a devastating blow to freedom of the media in the Philippines, Maria Ressa, the founder and executive editor of Rappler, and Rappler researcher Reynaldo Santos, Jr., were convicted in June 2020 of criminal libel under the Cybercrime Prevention Act. The conviction came after Ressa and Santos published a piece accusing then-Supreme Court Chief Justice Renato Corona of impropriety for using a vehicle owned by a businessman. The prosecution was one of several instigated by President Rodrigo Duterte’s government to stifle Rappler’s critical reporting, particularly on the government’s murderous “war on drugs,” which has killed tens of thousands of people since July 2016. © 2020 AP Photo/Aaron Favila

Saudi Arabian blogger and editor Ra’if Badawi was sentenced to 1,000 lashes and 10 years in prison in 2014 after he was prosecuted on various vague charges, including under the country’s anti-cybercrime law. The court convicted Badawi of undermining general security and ridiculing Islamic religious figures. It followed allegations that his blog was “infring[ing] on religious values” by providing a platform for open debate of views on religion and religious figures. Badawi remains in prison despite international calls for his release. © 2016 Dinendra Haria/Alamy Stock Photo

On June 3, 2020 Mauritanian authorities arrested Eby Ould Zeidane, a journalist and member of the Advertising Regulatory Authority, over a Facebook post calling for the Muslim holy month of Ramadan to be observed on fixed dates according to the Gregorian calendar, contrary to Muslim tradition. He was charged with blasphemy under penal code article 306, which carries the death sentence, and for “publishing leaflets that undermine the values of Islam” under article 21 of the Cybercrime Law. Zeidane was released shortly after his arrest and publicly repented his remarks after meetings with religious scholars and the minister of Islamic affairs. © Private

Jordanian journalist Tayseer al-Najjar was sentenced to three years in prison in the United Arab Emirates (UAE) in March 2017 under article 29 of the UAE cybercrime law for “insulting the state’s symbols on Facebook.” The conviction violated al-Najjar’s rights to free expression and to a fair trial. He was released on December 13, 2018 and returned to Jordan, but in early 2021 he passed away from health complications exacerbated by his experience in prison in the UAE. © Private

Mauritanian activist Abdallahi Salem Ould Yali was jailed in January 2018 on charges of incitement to violence and racial hatred for WhatsApp messages calling on Haratines, the ethnic group to which he belongs, to resist discrimination and demand their rights. Authorities accused Yali under the penal code, the 2015 cybercrimes law, and the 2010 counterterrorism law of incitement to racial hatred and violence. Authorities dropped charges and released Yali in February 2019. © 2017 Private

Prominent Saudi women's rights activist Loujain al-Hathloul was sentenced in December 2020 to nearly six years in prison for several offenses tied to her peaceful activism, including under the country’s cybercrime law, which prohibits “producing something that harms public order, religious values, public morals, the sanctity of private life, or authoring, sending, or storing it via an information network.” She was released in February 2021 but is banned from travel and has a suspended sentence, which allows the authorities to return her to prison at any time for any perceived criminal activity. © Abaca Press/Alamy Stock Photo

In August 2019, a Ugandan court convicted and sentenced academic and activist Stella Nyanzi to 18 months’ imprisonment for “cyber harassment” under the Computer Misuse Act for a poem she published on Facebook in 2018 criticizing President Yoweri Museveni. The court ruled that the poem violated prohibitions on “obscene, lewd, lascivious or indecent” content. In February 2020, a high court judge ruled that Nyanzi’s right to a fair trial was violated and revoked her sentence. Nyanzi fled to Kenya to seek asylum in February 2021 citing several abductions of people close to her as the reason for her decision to flee. © 2019 AP Photo/Ronald Kabuubi

In August 2019 Nigerian Department of State Security operatives arrested Omoyele Sowore, a 2019 presidential candidate and publisher of the New York-based Nigerian news website Sahara Reporters, accusing him under Nigeria’s Cybercrimes (Prohibition, Prevention) Act of planning an insurrection aimed at a forceful takeover of government through his calls for nationwide protests tagged “Revolution Now.” © 2019 Reuters/Afolabi Sotunde

Mubarak Bala, president of the Nigerian Humanist Association, was arrested on April 28, 2020 and held incommunicado for a comment on his Facebook page that compared the Prophet Muhammad to a Nigerian Evangelical preacher. The authorities contended that he had violated Nigeria’s cybercrimes law, which criminalizes insult of people based on their religion. They also alleged that the posts were contrary to the Kano State penal code, which sets punishments of up to two years in prison for public insults or contempt of any religion likely to lead to a breach of peace. Bala is in police custody but was only allowed access to his lawyers in October 2020. A petition challenging his detention and prosecution in Kano State is currently before a Federal High Court in Abuja, Nigeria’s capital. © 2021 Kola Sulaimon/AFP via Getty Images

Fahad al-Fahad was recently released from prison after serving a five-year prison sentence in Saudi Arabia. In April 2016 he was arrested and subsequently convicted on charges tied solely to his peaceful social media activity. Al-Fahad’s charges included violating the Saudi cybercrime law via tweets criticizing the Saudi criminal justice system and government corruption and “inciting hostility against the state, its structure, and its justice systems.” He is one of many prominent Saudi activists serving long prison terms on charges such as “breaking allegiance with the ruler” or “inciting hostility against the state” that do not constitute recognizable crimes under international law. © 2018 Raif Badawi Foundation

Waleed Abu al-Khair is a lawyer and the founder of the group Monitor of Human Rights in Saudi Arabia. In 2009 Abu al-Khair acted as defense lawyer for a member of the "Jeddah reformists," a group of 16 men, including political and human rights activists, whom police detained after they met to establish a human rights organization. A judge ordered his detention in April 2014 and a Saudi court eventually sentenced him to 15 years in prison, including for violating a cybercrime law, solely for his peaceful human rights advocacy. © 2013 Human Rights Watch

Saudi prosecutors are seeking the death penalty against a Saudi religious reformist thinker, Hassan Farhan al-Maliki, on a host of vague charges relating to his peaceful religious ideas, including an allegation that he defamed a Kuwaiti man by accusing him on Twitter of supporting the Islamic State (ISIS) and violating Saudi Arabia’s cybercrime law. Saudi authorities arrested him in September 2017, brought charges against him in October 2018, and have detained him since. © 2014 Hassan al-Maliki/Youtube

Abdulrahman al-Sadhan is a former Saudi Red Crescent employee who was detained by Saudi authorities in March 2018 after his anonymous Twitter account is believed to have been breached by the Saudi government. Authorities held him incommunicado with no contact with the outside world for nearly two years before allowing one brief phone call in February 2020. Saudi Arabia’s Specialized Criminal Court convicted him on a host of vague charges, including violating the country’s cybercrime law, in March 2021, and sentenced him to 20 years in prison. © Private

In April 2019, Ola Bini, a Swedish programmer and internet activist, was arrested in Ecuador after that country’s Minister of Government María Paula Romo claimed that a group of Russians and Wikileaks-connected hackers were in the country "cooperating with attempts to destabilize the government." Romo spoke hours after the government had ejected Julian Assange from Ecuador's London Embassy, and accused the hackers of planning an attack in retaliation for the eviction. No further details of this alleged sabotage plot were ever revealed. A court ordered Bini’s release from pre-trial detention 70 days later. He is facing a travel ban, preventing him from leaving Ecuador, as an alternative measure, and authorities are still holding devices that they confiscated from him. Bini was subsequently charged with “unauthorized access to an information system.” His case has not yet been tried and has experienced several procedural irregularities. © 2019 AP Photo/Dolores Ochoa

Cross-Border Data Access

Because of the transborder nature of cybercrime, with data stored and processed in multiple countries, subject to different laws, international cooperation is essential to carrying out investigations and bringing perpetrators to justice. But additional human rights challenges emerge when coordinating investigations and prosecutions across borders.

Law enforcement agencies try to access data stored outside their jurisdictions through a range of legislative, informal, and coercive measures. US providers in certain circumstances share subscriber data voluntarily with non-US law enforcement entities. Governments sometimes extract data or compel companies to “pull” data from servers in other countries, without obtaining the other country’s consent, in ways that can violate the human rights of the data subjects.

Mutual legal assistance treaties (MLATs) are international legal frameworks used to obtain evidence – including communications data – across borders. The process of obtaining such evidence under such a treaty can take months because of administrative legal processes in each country. While frustrations with the process are understandable, and such transnational barriers to cooperation should not undermine accountability, law enforcement sometimes attempts shortcuts to speed up access to data that can undercut human rights protections, like due process.

For example, in the United States, the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act, opposed by Human Rights Watch and other civil society groups, transformed the system for cross-border access to data in criminal investigations. It allows the US to enter agreements with other countries to authorize law enforcement in each country to directly serve requests for data like email contents, or to issue a wiretap internationally in the other country, without the oversight of the nation where the interference occurs, even when it involves a citizen or person whom the nation normally offers legal protections.

The subsequent US-UK CLOUD Act Executive Agreement fails to adequately protect the privacy and due process rights of US and United Kingdom citizens. For example, the agreement lowers the bar for law enforcement access to both stored communications contents, such as emails, and live wiretaps in the US, by using vague oversight and notice requirements and by eliminating the stringent probable cause requirement for foreign law enforcement access to stored content data.

Multilateral Frameworks

In the absence of a global cybercrime treaty, there are some multilateral treaties – including among Arab governments, African governments, and the Shanghai Cooperation Organisation – that address aspects of cybercrime. The Council of Europe Convention on Cybercrime (the Budapest Convention) is the most complete international framework, as it seeks to harmonize national laws, improve cybercrime investigation techniques, and promote international cooperation. It also has the broadest support internationally, as it has been ratified by 65 countries, including non-CoE members – 13 in the Americas, 11 in Africa, 4 in Asia, and 2 in Oceania.

The Budapest Convention requires states parties to make certain acts – such as illegal access to computer systems, illegal interception of electronic communications, sending malware, copyright violations, and the production or dissemination of child pornography – criminal under their national law. It makes extensive provisions for international cooperation in fighting such crimes, including mutual legal assistance in investigation and preservation of evidence, extradition and similar matters, and acts as a legal framework for international cooperation on criminal justice issues.

A Second Additional Protocol, on enhanced international cooperation and access to evidence in the cloud, is currently being negotiated. The Electronic Frontier Foundation has said that the Second Additional Protocol seeks to reshape the basis for cross-border law enforcement activities, with far-reaching implications for privacy and human rights. EFF is deeply concerned that civil society is being asked to comment on this momentous text in too limited a time frame.

The Budapest Convention is sometimes referred to as the “gold standard” of international conventions on cybercrime, but human rights experts have long pointed out that it should incorporate stronger safeguards for human rights. Article 15 says that state procedures relating to the investigation and prosecution of the crimes listed must be in accordance with the European Convention on Human Rights (ECHR), for Council of Europe member states, or with other international human rights treaties such as the International Covenant on Civil and Political Rights, for non-European states. However, it doesn’t provide details or guidance on what this entails. Article 15 only applies to procedural matters.

When it comes to substantive criminal articles, the European Convention provides states with flexibility in implementation. The provisions on illegal access and data interference are problematic, as they could be interpreted to allow the criminalization of security research and non-malicious “hacking” that causes no harm and may even have positive effects, for instance by exposing security vulnerabilities. The convention does not include a public interest defense for whistleblowers or journalists. Governments should use the flexibility in implementation to uphold human rights standards.

In CoE states, other binding human rights instruments, like the ECHR, apply and people would have a remedy to the European Court of Human Rights if their rights are breached. But the same cannot be said for non-CoE countries that join the Budapest Convention, countries that are not subject to the ECHR or comparable human rights treaties, where the rule of law is too weak to enforce safeguards against abuse of cybercrime laws.

Recent Developments at the United Nations

Russia, though a member of the CoE, has not joined the Budapest Convention. Instead, it has been promoting the idea of a UN treaty on cybercrime since at least 2010, when its proposal for a new treaty at the UN Crime Congress was rejected. In recent years, as Russia significantly expanded its laws and regulations tightening control over internet infrastructure, online content, and the privacy of communications, it also stepped up its efforts toward a UN cybercrime treaty.  

In 2017, it circulated a draft treaty and the following year it introduced a resolution calling for a report from the UN secretary-general on the challenges member states face in countering the use of information and communications technologies for criminal purposes. Governments from the EU, the US, and their allies voted against the resolution, though it ultimately passed.

In 2019, Russia introduced a resolution to establish an Open-ended Ad Hoc Intergovernmental Committee of Experts to elaborate a comprehensive international convention on “countering the use of information and communications technologies for criminal purposes.” Leading digital rights and human rights organizations and experts urged delegations to vote against the resolution, warning that the proposed treaty poses a threat to human rights online.

The resolution passed but with a smaller margin. The resolution potentially opens the scope of the proposed treaty to a broader definition of “cybercrime” that does not correspond to any previously established definition. The resolution also does not explicitly provide for the participation of nongovernmental organizations in the treaty development process.

Recommendations

Governments should increase international cooperation and capacity building around cybercrime in ways that respect human rights and the rule of law, Human Rights Watch said. Proceeding with a proposed treaty risks reinforcing increasingly common restrictions on freedom of expression, privacy, and due process rights.

It is also essential for governments to adopt inclusive and transparent working methods at the organizational session to ensure that any negotiations do not undermine rights. Specifically, Human Rights Watch recommends:

Accrediting all interested nongovernmental groups, including those with relevant expertise but that do not have consultative status with the Economic and Social Council of the UN;
Providing for written contributions and oral interventions from all accredited participants;
Providing for webcasting, remote participation, interpretation services, and online consultations to facilitate the participation of groups that are not able to participate in person; and
Maintaining an up-to-date, dedicated webpage with relevant information, such as practical information (details on accreditation, time/location, and remote participation), organizational documents (i.e. agendas, discussion documents, etc.), statements and other interventions by states and other stakeholders, background documents, working documents and draft outputs, and meeting reports.
