First Draft of UN Cybercrime Convention Drops Troubling Provisions, But Dangerous And Open-Ended Cross Border Surveillance Powers Are Still on the Table

By Katitza Rodriguez

This is Part I of a two-part post about the first draft of the UN Cybercrime Convention. Part I provides background on treaty negotiations and analyzes our first take on the zero draft and its human rights implications. Part II analyzes the draft’s most problematic provisions.

The much-anticipated official first negotiated draft of the proposed UN Cybercrime Convention—shaped by many months of Member States-led negotiations in which EFF has been deeply involved—is now public.

The convention, if approved, will result in the rewriting of criminal laws around the world dealing with law enforcement access to personal data across borders, the use of surveillance technologies by one country to spy on people in another country, and the extent to which countries can force one another to cooperate in, for instance, real-time interception of people’s communications. EFF and its international partners have been standing up for users since the convention was first proposed several years ago, calling for robust human rights protections, reviewing proposed convention language, submitting recommendations and opposing concerning provisions, and addressing Member States in person at negotiating sessions this year and last.

With the release of this “zero draft,” Member States will start article-by-article negotiations to reach a consensus on a final draft during a two-week marathon session from August 21  through September 1. EFF will be there, continuing our push for robust human rights protections in the treaty.

EFF and Privacy International have been poring over the zero draft, and have sent Member States our first set of amendments. But before we delve into the most concerning features of the text, here is a quick recap of how we got here.

A Quick Recap of the UN Cybercrime Convention

From the very start of the negotiations, EFF has opposed the draft convention as a whole, deeming it unnecessary. Despite our reservations, we’ve actively engaged in good faith at every stage of the negotiation process. We want to ensure that the proposed convention is specific and confined in its scope, and does not incorporate content-related offenses or authorize inherently arbitrary, excessive, or open-ended surveillance powers. Furthermore, any surveillance authorities—including those that are transnational—should be subject to appropriate limitations.

We fervently hope that the proposed convention won’t become an instrument for transnational repression, as has happened with other law enforcement cooperation mechanisms in the past. INTERPOL, for instance, is an intergovernmental organization of 193 countries that facilitates worldwide police cooperation. But Human Rights Watch has documented numerous allegations of how China, Bahrain, and other countries have abused INTERPOL’s Red Notice system, an international “wanted persons” list, to locate peaceful critics of government policies “for minor offenses and most importantly for political gain.” The  UN treaty shouldn’t give governments a legal basis to justify the use of open-ended surveillance powers for ill-defined crimes that could be exploited for political gain, petty crimes, or crimes that are inherently inconsistent with international human rights law—especially when this can lead to horrors such as torture or forced disappearances. We will keep advocating for heightened safeguards to restrict law enforcement’s misuse of surveillance powers.

The proposed convention should represent a minimum standard rather than a maximum limit—it must serve as a baseline, not an upper threshold. And it should not be used to undermine preexisting, robust domestic human rights safeguards.

Become Bulletproof Online Today With ZERO RISK!

The proposed convention is slated for adoption in January 2024. We anticipate that Member States will strive to reach a consensus to encourage widespread adoption of the draft text. A vote may occur if consensus can’t be reached after exhausting all negotiating tactics, as the stakes and threats that this proposed convention addresses are significant. As of now, it is unclear if Member States will arrive at an agreement in January or if the timeline would need to be extended.

These are two posts summarizing our first takeaways after an initial review of the zero drafts; we’ll have more to say leading up to the New York meeting next month. It’s worth reiterating the principle of multilateral negotiations that “nothing is agreed until everything is agreed”— the draft text could shift in future negotiations.

What’s in the Zero Draft?

Most Proposals to Explicitly Include Non-Cybercrime Offenses Are Toned Down, Yet Ambiguous Text Still Persists

Previous texts of non-negotiated provisions contained more than 30 offenses, such as drug trafficking, included only because computer systems were used in the commission of the crime. The new draft drops some of these offenses, and no longer explicitly references non-cybercrime offenses. Effectively, this means that under this convention, only “core” cybercrimes—not crimes where a perpetrator used email, but crimes targeting computer systems, such as using malware to break into a computer system—should be the only ones defined as “cybercrimes.” However, this is a bittersweet victory. The list of crimes in the zero draft has been made shorter, a huge relief, with most non-cybercrime offenses removed, as we advocated. Only 11 of the 30 crimes are explicitly listed in the zero draft. Regrettably, these offenses are not entirely off the table–although they haven’t come back in their original form. States made a tradeoff, trimming down the laundry list of crimes, but allowing more room for cross-border spying powers to investigate and prosecute these laundry lists of crimes.

Moreover, the zero draft preamble (Paragraph 3) still references states’ concerns about the impact of computer systems on the scale, speed, and scope of criminal offenses like  “terrorism,” “trafficking in persons, smuggling of migrants,” “illicit manufacturing of and trafficking in firearms, their parts, components and ammunition,” and “drug trafficking and trafficking in cultural property.”

This suggests an appetite for expanding the scope of evidence collection and sharing, including across borders, beyond the crimes explicitly stated in the text, which may be attempted, for example, by invoking the open-ended Article 17 or the concept of “serious crimes,” “other crimes” or simply illegal acts. The preamble is generally not legally binding or directly enforceable, however, as per the Vienna Convention of the Law of the Treaties, it plays a crucial role in determining the context for interpreting the convention and clarifying the intent of the drafters.

Speech-Related Offenses Are No Longer Explicit in the Treaty, But Concerns Still Remain

Similar to the section above, the earlier versions of the non-negotiated text leading up to the zero draft had proposed dozens of new crimes related to online content. This would have criminalized certain speech as a cybercrime just because it was posted online. It included provisions that we had criticized as overly broad, ill-defined, and subjective; as we have noted before, similar provisions in different countries have been used extensively against journalists, activists, and human rights defenders. These included offenses lacking any universally agreed upon definitions—which many states have abused to suppress free expression or association—such as copyright infringement, “extremism-related offenses,” “terrorism-related offenses,” and distributing materials “motivated by political, ideological, social, racial, ethnic or religious hatred,” and “the spreading of strife, sedition, hatred or racism,” among others.

This laundry list of content-related offenses has been removed from the criminalization chapter. Unfortunately, the zero draft new Article 17 compels States to apply the convention to crimes “established in accordance with other international conventions and protocols,” which could be used as a loophole to reintroduce some of those crimes back on grounds that other treaties target them for the purpose of evidence collection and sharing.

Special Investigative Techniques Have Been Removed Entirely, But Real-Time Collection and Interception Powers Remain

Earlier versions of the non-negotiated text oddly authorized Member States to adopt legislation that will allow the use of “special investigative techniques,” without defining what they are. Such language could have allowed any type of surveillance technology, from malware to IMSI catchers, predictive policing, and other mass surveillance tools. However, there are still other investigative provisions in the zero draft, including very intrusive powers for real-time collection of traffic data and interception of communications.

Those two surveillance powers were sidelined in “informal consultations” in previous sessions, and are now back in the zero draft, and will be discussed for the first time in the August session’s plenary meeting. We have previously asked for the removal of such powers because we have seen a lack of consensus on including robust legal safeguards among Member States. But our concerns go beyond that: there are huge disparities among Member States when it comes to the level of protection over this type of data, including concerns about the rule of law, and lack of impartiality and independence of the judiciary.

Copy, Paste, Repeat: The 2001 Budapest Convention Language Came Back, Now with Diluted Safeguards Against Surveillance Powers

Proposals on law enforcement powers and government cooperation in earlier drafts were often quite draconian, but now such provisions are based directly, almost word-for-word, on preexisting text from the 2001 Budapest Convention on Cybercrime—which has a lot of problems, but which many countries have already signed. Unfortunately, some problematic provisions from the Budapest Convention were imported wholesale, and when modifications were made, they weakened safeguards and limitations to surveillance powers.

Missed Opportunity: Cross Border Police Surveillance Powers Must Have Ironclad Safeguards to Protect Users’ Privacy and Free Speech Rights

The Budapest Convention contains a provision on conditions and safeguards that put checks and balances on the use of surveillance powers, a positive though it’s not as robust as we would want. The zero draft, in one of a relatively small number of deviations from the Budapest language, actually dilutes the safeguards. While it keeps the reference to the principle of proportionality, it fails to explicitly include the principle of necessity. The draft convention, if nothing else, should not only retain the principles outlined in Article 15 of the Budapest Convention but should extend the Article to incorporate additional safeguards.

Notably, it should require a factual basis justifying access or application of surveillance powers; and the obligation to require a valid and substantiated rationale for invoking and applying these procedural powers. These powers should be rooted in objective and verifiable facts and establish clear minimum standards. Without such provisions, the convention could enable arbitrary, biased, or speculative use of surveillance. An independent prior, preferably judicial, authorization of surveillance powers should be mandated. This safeguard serves as an additional layer of protection to prevent potential abuses, bolstering accountability and upholding the rule of law. The article should also require States to publish “periodic disclosure of statistical data on the use of powers and procedures,” to further enhance transparency and accountability. This check provides a layer of accountability to make sure States aren’t overstepping or misusing their powers and allows for public scrutiny and debate.

While maintaining and extending the safeguards is a crucial initial move towards embracing a convention that respects human rights, such safeguards in itself will still be insufficient. As we noted before, there is a conspicuous absence of a robust and efficient system to enforce human rights at the international level, and the majority of Western countries have shown hesitation in controlling their own excessive surveillance powers. Take, for instance, the OECD’s efforts to restore trust in cross-border data flows, following the Snowden revelations. The initiative sets out essential principles that include the principle of proportionality, necessity, and legality. However, the text boldly states that the surveillance practices of the signatories are in line with human rights, albeit numerous counter-examples suggesting otherwise.

Finally, for the convention to genuinely become a human rights-respecting instrument, it should, at the very least, authorize the UN’s human rights bodies to scrutinize the implementation of the Convention and evaluate States’ compliance with the Convention’s safeguards, as well as their human-rights treaty obligations.


In Part II of our analyses, we’ll review troubling provisions of the zero draft text that expand the scope of international cooperation, treat dual criminality as optional, and leave out human rights safeguards. We will continue to provide updates as we develop our positions and prepare to discuss these concerns in person next month in New York.

Source: EFF

Katitza Rodriguez is EFF’s Policy Director for Global Privacy. She concentrates on comparative policy of global privacy issues, with special emphasis on emerging technology, augmented and virtual reality, and cross-border data flows. Katitza’s work also focuses on cybersecurity and government access to data held by the private sector at the intersection of international human rights law and standards. Katitza also supervises EFF’s growing Latin American team. She was an advisor to the UN Internet Governance Forum (2009-2010). KIn 2018, CNET named Katitza one of the 20 most influential Latinos in technology in the United States. In 2014, she was also named one of “The heroes in the fight to save the Internet.” Katitza also seats the board of Article19-Mexicana and Central-American office. 

Become a Patron!
Or support us at SubscribeStar
Donate cryptocurrency HERE

Subscribe to Activist Post for truth, peace, and freedom news. Follow us on SoMee, Telegram, HIVE, Flote, Minds, MeWe, Twitter, Gab, and What Really Happened.

Provide, Protect and Profit from what’s coming! Get a free issue of Counter Markets today.

Activist Post Daily Newsletter

Subscription is FREE and CONFIDENTIAL
Free Report: How To Survive The Job Automation Apocalypse with subscription

Be the first to comment on "First Draft of UN Cybercrime Convention Drops Troubling Provisions, But Dangerous And Open-Ended Cross Border Surveillance Powers Are Still on the Table"

Leave a comment