Update: This analysis is based on an older version of the U.N. Cybercrime Treaty, and is outdated.
This is Part III of EFF’s ongoing series about the proposed UN Cybercrime Convention. Read Part I for a quick snapshot of the ins and outs of the zero draft; Part III for a deep dive on Chapter V regarding international cooperation: the historical context, the zero draft's approach, scope of cooperation, and protection of personal data, and Part IV, which deals with the criminalization of security research.
The United Nations Headquarters in New York City is poised to become the epicenter of one of the most concerning global debates affecting human rights in the digital age. Starting August 21, delegates from around the world will gather for an intense two-week session to scrutinize the highly controversial “zero draft” of a UN Cybercrime Convention that could compel states to redefine their own criminal and surveillance laws on a global scale.
Though the first negotiated text of the proposed convention, the “zero draft,” is deeply flawed, the principle that “nothing is agreed until everything is agreed” applies here. EFF will be attending the sixth session in New York to participate in those discussions as an observer.
In previous discussions, we addressed concerns over ambiguous surveillance powers and inadequate safeguards. Now we will delve into the heavily debated chapter on international cooperation. For clarity and depth, our analysis of this chapter will span two posts. This first post covers the historical context of international cooperation mechanisms, the zero draft's approach in Chapter V, the scope of cooperation, and protection of personal data. In the next post, we'll continue our analysis of Chapter V of the zero draft, addressing the broad demands of mutual legal assistance, the pitfalls of unchecked and lawless data-sharing, and the challenges of rapid-response mechanisms and jurisdiction for human rights.
What’s going to happen in New York?
EFF holds observer status in these talks, a notable advancement in transparency compared to other treaty negotiations. This participation affords us significant access to main discussions and numerous opportunities to interact with delegations. Yet, asserting influence remains a challenge. With each country having one vote, achieving consensus among more than 140 countries proves daunting. As observers, we also can voice our concerns weekly in front of all Member States. However, particularly contentious topics are moved to "informals"—sessions exclusive to Member States, excluding us and other multi-stakeholders. Though delegations have the option to consult with us outside these sessions, the real-time exclusion remains a serious concern.
Member States aim for total consensus on the draft convention's text. If they don't reach it, the matter could go to a vote where two-thirds of governments have to reach an agreement for a treaty to be adopted. A consensus would demonstrate broader support for the convention's implementation. It remains uncertain whether a final agreement will be reached by January's end or whether discussions will extend beyond that. A timeline of the proposed convention can be found here.
Historical context: A look at international cooperation mechanisms
Historically, Mutual Legal Assistance Treaties (MLATs) have served as the backbone for cross-border criminal investigations. This system allows police who need data stored abroad to obtain the data through the assistance of the nation that hosts the data. As we have repeatedly said, the MLAT system encourages international cooperation. It also advances privacy. When foreign police seek data stored in the U.S., the MLAT system requires them to adhere to the Fourth Amendment’s warrant requirements. And when U.S. police seek data stored abroad, it requires them to follow the privacy rules where the data is stored, which may include important “necessary and proportionate” standards. Often bilateral, MLATs typically have faced criticism for their prolonged data request response times. Such delays usually stem from one nation’s lack of familiarity with another’s foreign data access laws. Some nations might not have MLATs, with reluctance often rooted in concerns about inadequate human rights protections. While there are concerns from law enforcement that the MLAT system has become too slow, those concerns should be addressed with improved resources, training, and streamlining. Now, nations are looking to put new rules for MLAT in the upcoming UN convention. Such rules will mostly impact those nations that do not yet have an MLA agreement.
Some states have embraced other international agreements. The Council of Europe’s Second Additional Protocol to the Budapest Convention, which opened for signatures in 2022, offers streamlined cross-border investigative tools at the cost of weakening human rights and safeguards. The Protocol’s tendency to sidestep traditional legal safeguards has drawn our criticism. We have many concerns with the Protocol (read here, here, here, here, including our proposed amendments), particularly how it lets any competent authority—including the police themselves—directly request subscriber information from a foreign company, bypassing any involvement of the other country’s government (or, for the most part, its legal system, which provides various conditions and safeguards). We have classified the Protocol’s problems as follows: its undermining of rights and safeguards through the direct cooperation mechanism; its flawed understanding of subscriber information, and imbalance between mandatory law enforcement powers and dispensable or optional human rights safeguards; and finally weaker data protection safeguards compared to other settled international standards. One major concern we have raised within this debate is that, when seeking to harmonize safeguards, there is a race to the bottom of human rights protections. As the UN Security Council's Counter-Terrorism Committee Executive Directorate (CTED) recently noted:
"Agreeing on a common standard across States will almost certainly lead to a lower standard than one that would be achieved by identifying a high universal standard and asking States to ‘level up.’ The concern is that, in order to address law enforcement’s jurisdictional problems, the substantive law will become weakened, giving law enforcement too-quick access with too-little due process. The trend towards universalization, in other words, could lead to a lowest common denominator in terms of due process."
Other countries have implemented local laws—such as the Cloud Act in the U.S. and E-evidence in the European Union—each with their own human rights problems (read here and here). Both expanded American and European law enforcement’s ability, respectively, to target and access people’s data across international borders.
Another more forceful approach that some countries have adopted on law enforcement cross-border access to data requires certain service providers to be under the physical local jurisdiction of countries where they have a substantial number of users. While taking jurisdiction based on the significant presence of users could be seen as justified in other contexts, it becomes controversial when companies are forced to comply with an arbitrary or disproportionate data demand, and even get penalized for resisting jurisdiction on human rights grounds, and when international rules for cross-border access already exist. Many laws have been passed requiring companies to “take all necessary measures” to accept local jurisdiction and comply with local laws that are inconsistent with international human rights law (read here about Turkey, India, Indonesia, and many others). This can involve forcing providers to physically store data about a nation’s residents within that country or to open a local office, making it easier for local authorities to access data or pressure staffers into complying with arbitrary or disproportionate requests. Draconian penalties can be enforced for noncompliance, with online services potentially interfered with or banned entirely if companies don’t obey. EFF reproaches these draconian measures on human rights grounds, including when companies are forcibly subjected to jurisdiction and, therefore, required to comply with all these draconian laws without avenues to challenge them on human rights grounds.
Civil society has been warning that existing international law enforcement cooperation mechanisms are being abused or twisted to allow political repression even beyond forceful data localization mandates that seek to bypass international cooperation rules. INTERPOL, for instance, is an intergovernmental organization of 193 countries that facilitates worldwide police cooperation. But Human Rights Watch has documented numerous allegations of how China, Bahrain, and other countries have abused INTERPOL’s Red Notice system, an international “most wanted” list, to locate peaceful critics of government policies for minor offenses—but really, for political gain.
The zero draft’s approach to international cooperation (Chapter 5)
The zero draft also includes a whole chapter on international cooperation in law enforcement investigations. Countries that accede to the convention would promise to empower their own law enforcement in new ways, but also to allow new kinds of cooperation with foreign government agencies, with shockingly little responsibility to ensure that such cooperation isn’t abused.
Now this draft convention lays groundwork for police cooperation between any two countries, for sharing or collecting evidence with few checks and balances, without any requirement for human rights review or independent oversight. Private data about dissidents could be turned over to brutal regimes simply because they allege those dissidents are cybercriminals.
Scope of international cooperation (Chapter I, Article 5, Chapter II, Article 17, Chapter IV, Article 24, Chapter V, Article 35)
One might think this convention applies only to investigations of specific cybercrimes, based on the list of offenses at the beginning (Articles 6-16). But then Article 35, in the background rules for international cooperation, opens the door to other crimes, including (via Article 17) those covered by any other international treaty; this includes crimes that already exist (like drug trafficking or trade agreements) as well as those that could become “applicable” in the future.
Limiting this to “serious crime,” as the draft does, isn’t enough. This convention’s powers should apply only to the serious offenses in Articles 6 to 16 of the convention: core cybercrimes that target computers and communication systems.
This convention’s scope of international cooperation should focus only on specific and targeted criminal investigations and proceedings. Some of the language on the scope of criminal procedural measures and international cooperation was taken from the Budapest Convention, but one important word—“specific”—was somehow dropped. Without it, the draft convention fails to prevent states from authorizing mass surveillance or fishing expeditions. And while these practices also should be prevented by the proportionality principle under Article 24’s conditions and safeguards, the zero draft has removed that article’s application to the international cooperation chapter.
Mandatory dual criminality must be the rule for cross-border cooperation (Chapter V, Article 35)
Dual criminality—the principle that an act regarded as a crime is deemed illegal in both cooperating countries—should be a cornerstone, yet Article 35 currently treats the dual criminality rule as optional. This rule not only safeguards free expression and dissent but also prevents countries from imposing their laws universally. We strongly advocate for making dual criminality a mandatory provision. Free, democratic nations must demand this so that they aren’t forced to adopt other, repressive nations’ definitions of crime, particularly in cases where blasphemy or criticizing public figures are deemed crimes—definitions inconsistent with human rights law.
While democratic nations may trust their own commitment to human rights and their own enforcement of the dual criminality principle, it's essential to reflect on the broader repercussions. If the draft is accepted in its present form without stringent safeguards and a defined scope, it could provide a legal foundation for international collaboration in the prosecution and investigation of content-related crimes, and other crimes that are inconsistent with international human rights law. This could unintentionally strengthen authoritarian regimes, giving them tools for transnational repression when silencing dissent under the guise of lèse-majesté or criminal defamation. While Articles 5 and 24 offer certain protections, their wording must be refined further to limit the draft convention's scope to crimes consistent with international human rights law, and to ensure its consistent application in international cooperation.
Protection of personal data (Article 36 (1))
Article 36(1) describes conditions under which governments may transfer personal data as part of international cooperation on investigations. The current wording requires governments to comply with their own domestic law and more generally with “applicable international law.” Since this topic sometimes is wrongly addressed more permissively in trade law, we urge including a more precise reference to “international human rights law.” Such a change would underscore the need for human rights-based data protection standards.
Also, we support Article19’s suggestion to strike the word “applicable,” as international human rights standards are universal, binding, and not subjective. In our joint submission with Privacy International, we propose an amendment to Article 36(1) to integrate minimum human rights-based data protection standards, such as the principles of lawful and fair processing, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Data protection principles rooted in existing international human rights law have gained acknowledgment in the Human Rights Committee General Comment on Article 17 of ICCPR, and the report of the UN High Commissioner for Human Rights on the right to privacy in the digital age. Consequent resolutions by the General Assembly on the right to privacy in the digital age have advocated for data protection legislation aligned with international human rights law.
Conclusion
The proposed UN Cybercrime Convention’s zero draft raises too many alarm bells. While its intent––to foster international cooperation against cybercrime––is seemingly noble, its implications could be catastrophic. The draft in its current state offers vast opportunities for misuse, from political repression to sidestepping legal safeguards. The debates in New York City this month aren't just procedural––they will determine if the convention serves as a tool for true justice or becomes a weapon against it.
Rigorous scrutiny and oversight of the process by civil society and other stakeholders, and Member States’ unwavering commitment to human rights, are both essential. This is a legally binding treaty: It can compel the reform of national laws all around the world, encouraging expansive and lawless surveillance powers and a race to the bottom of privacy protection. We should fight back while we still can.