[Air-L] UN Cybercrime AHC Meeting #11 Notes

Joly MacFie joly at punkcast.com
Fri Feb 9 05:16:21 PST 2024


(I am running the sessions of the 6th and Concluding meeting of the UN
Cybercrime Ad Hoc Committee into Otter, for easier comprehension -
https://joly.substack.com/p/51969f5d-7820-4672-9bec-0df5dd5cf3ef )

So, after 9 or so meetings hacking the treaty draft text run by Vice
Chairs, Monday morning on week two, Chair Mebarki returned for a session on
the actual proposed UN Resolution
<https://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/AC.291/25&Lang=E>.
The main bone of contention, which many weighed in on, was the actual name
of the convention: Russia wanted the existing “Countering the Use of
Information and Communications Technologies for Criminal Purposes”, while
the U.S. favored the simpler “Countering Cybercrime”. Here is how they
lined up.


[image: Screenshot of text]
<https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F827da195-dde3-4428-a703-310f613a24b6_1920x1080.png>

One would think “Cybercrime” wins.

===

Article 9 of the resolution is a kind of afterthought:

9. Decides that, in order to raise awareness of cybercrime and of the role
of the [name of the Convention] in combating and preventing it, [date] should
be designated International Anti-Cybercrime Day.

The only country to offer support for this was Russia, who referred to it
as “International Cybercrime Day” (Anti- possibly lost in translation). One
wonders how many zero days would be timed for this!

===

So, after two hours of this, the session was notable as being the first one
with multistakeholder input. Access Now and EFF were called earlier last
week, but were no-shows, as they were also on this day. However, several
others stepped up to the plate for 30 mins of statements.

First up, Romanian NGO eLiberare <https://www.eliberare.com/> emphasized
the needs of victims of trafficking and sex abuse, suggesting the treaty
contained “the bare minimum when it comes to safeguards… … to avoid
retraumatization”, including adult victims.

Specifically, by the suggestion of putting the burden of proving victimhood
on those who have faced enormous and significant trauma, the classification
of victimization grants someone access to the rights and protections,
therefore, the thresholds this convention establishes have to be very well
thought out.

Also, on sex abuse material:

We express the concern regarding vagueness or a broad scope, as it could
allow even for the targeting of mandatory reporters or service providers. A
more narrow focus is needed for any such provision to be effective.

*Privacy International* <https://privacyinternational.org/> also expressed
scope concerns.

Privacy International welcomes the opportunity to intervene at this
session. While we recognize that cyber crimes can pose a threat to the
enjoyment of human rights, my organization has long documented human
rights violations committed under the guise of combating cybercrime. We
have also consistently recommended that the UN cyber crime treaty should be
narrow in scope, and should contain robust safeguards to mitigate the risk
of these violations. Regrettably, the latest draft fails to address many of
our significant concerns. I would like to address three of these concerns.

Firstly, the scope of application of investigative powers is very broad.
Indeed, there is a disconnect between the chapter on criminalization and
the scope of procedural measures. Under the current text, the powers afforded
to law enforcement agencies apply to the investigation of criminal offences
committed by means of a computer system, as well as the collection of
evidence in electronic form of any criminal offence. Consequently, the
scope of application of Article four appears to be expanded well beyond
cyber dependent crimes. Arguably, it will make the treaty one of the most
far reaching in criminal matters. This overbroad scope gives rise to the
danger that the convention will be used to justify the prosecution of the
legitimate exercise of human rights.

Secondly, we believe that the draft text is unbalanced. It gives sweeping
privacy and basic powers to law enforcement agencies without robust human
rights limitations and safeguards. Articles 29 and 30, for example, provide
for real-time collection of traffic data and interception of content data.
These are extremely intrusive measures that require a set of stringent
limitations and safeguards. Unfortunately, article 24 does not include some
key safeguards well established in international human rights law, such as
the principles of legality and necessity, and prior independent
authorization of surveillance measures; it further leaves too much to the
discretion of State Parties in the scope of application of the human rights
safeguards.

Thirdly, the chapter of international cooperation is also very broad in
scope of application, and with no detailed human rights safeguards. For
example, in relation to sharing of personal data, the wording of article 36
fails to provide effective protection.

Privacy International joined over 100 civil society organizations and
experts to recommend that the convention should only move forward if it
pursues a specific goal of combating cybercrime. The present draft falls
far short of this goal and Privacy International recommends to
comprehensively revise…

At which point the mic was cut off at the 3 minute mark.

The *Atticus Foundation* took up the cudgel:

I would like to once again highlight our particular concerns about the
latest draft of the convention, and narrow scope of the whole convention to
cyber dependent crimes specifically defined and included in this text as
necessary — any broader application gives rise to the danger that the
convention will be used to criminalize legitimate online expression, which
is likely to create discriminatory impacts and deepen gender inequality.

To include a language or specific provisions against excessive
criminalization to ensure that security researchers, whistleblowers,
journalists and human rights defenders are not prosecuted for the
legitimate activities, and that other public interest activities are
protected.

To strengthen data protection and international human rights standards
throughout the entire convention is required. This means removing
references to domestic standards, and including the principles of non
discrimination, legality, legitimate purpose, necessity and
proportionality, as well as introducing explicit references to safeguards
such as prior traditional authorization for accessing or sharing data,
as well as for conducting cross border investigations, and cooperation in
accordance with the rule of law, a right to notification as soon as
investigations allow, and the right to effective remedy.

The two are connected and one makes no sense without the other.

Finally, to mainstream gender across the convention, so as to ensure the
convention is not used to undermine people's human rights on the basis of
gender. Furthermore, to limit the scope of application of procedural
measures and international cooperation to cyber dependent crimes,
established in the criminalization chapter of the convention, in order not
to undermine trust in secure communications, and infringe on international
human rights standards.

And finally, Madam Chair, avoiding endorsing any surveillance provisions
that can be abused to undermine cybersecurity and encryption, so as not to
allow for excessive information sharing for law enforcement cooperation
beyond the scope of specific criminal investigations. Madam Chair, the
final outcome of the treaty negotiation process should only be deemed
accessible if it effectively incorporates strong and meaningful safeguards
to protect human rights, ensures legal clarity for fairness and due process,
and fosters international cooperation under the rule of law.

International Chamber of Commerce <https://iccwbo.org/> had concerns:

We are very worried that the latest drafts and amendments continue to
include deficiencies that could end up jeopardizing cybersecurity,
compromising data, privacy, and eroding online rights and freedoms.

Let me just highlight one major point of concern for international business
across regions and industry sectors, and this is access to data held by the
private sector. As it currently stands, the Convention does not
sufficiently limit access to data to what is necessary and proportionate to
law enforcement needs. The convention should include provisions to ensure
clarity and predictability in government access, and embrace transparency.
Furthermore, real time collection of traffic data and interception of
content data are considered a significant invasion of privacy and
references to such practices should be removed from the convention. In
addition, provisions are needed to ensure that states cannot demand access
to data in third states without the third state's explicit consent.

*Cybersecurity Tech Accord* <https://cybertechaccord.org/> was brutal:

First, the treaty would weaken cybersecurity globally by facilitating the
compromising of critical security measures and the criminalization of
penetration testing in cybersecurity research that keeps the digital
ecosystem resilient against cyber criminals.

Second, the convention would slow down sharing of electronic evidence
without a specific narrow scope and clear dual criminality provisions.
Data custodians will be asked to break the law in one state to comply with
data requests from another, frustrating cooperation.

Third, as just mentioned, the convention would generate serious conflicts of
laws. Just one example is the new italicized language and articles 42, 44
and 45. That would force service providers to hand over data in secret
irrespective of where it is located, and without the knowledge of the state
that it is in. This violates the law in many countries, Article 4, and the
UN Charter.

Fourth, the text would allow any state party to obtain the personal
information of other states' citizens without sufficient safeguards and
perpetual secrecy, forcing service providers to hand over data with no
ability to notify users or object even when those requests are manifestly
unlawful.

Fifth, by leaving it completely in the hands of individual states to define
the breadth and type of subject matter that comes under its scope, the
convention facilitates human rights violations and puts lives at risk.

Finally, allowing for secret access to secured systems, extraterritorial
exfiltration of data and secret real time surveillance with no transparency
safeguards presents grave risks to States' national security as well. Abuse
of key provisions could result in real time surveillance of and access to
the secret data of state officials without the knowledge of the impacted
state.

We don't support the adoption of the convention or ratification of it
unless all six of these issues are meaningfully addressed, and we can't
support the compromise package either. It continues to allow states to
decide what crimes the convention would cover if even the most incidental
use of ICTs was involved, and e-evidence for all serious crimes. The
limitation to serious crimes is not meaningful for all the reasons
previously stated in our submissions, and the link to unspecified other
instruments creates more ambiguity.

Madam Chair, our concerns are not theoretical. They're based on what is
happening right now to firms globally. Regrettably, this negotiation is
going in the wrong direction. What we have before us is a bad treaty that
has united civil society and industry opposition, in a way I've never seen
in decades working in international relations.

*Microsoft* <https://www.microsoft.com/> pulled no punches:

Having listened carefully to the deliberations last week, and having
consulted extensively with member states as well as with other
stakeholders, we are even more concerned going into the second week. As
currently drafted, neither the zero draft nor the seventh session draft,
nor the various compromise proposals, adequately address the concerns
industry and civil society have raised. Each version that we have seen
could have profound negative impact on the digital ecosystem, including the
severe risk of creating a digital surveillance treaty in the guise of a
Cybercrime Convention.

Again, nothing of what I say should come as a surprise to anybody. The
position of stakeholders, both from industry and civil society has been
remarkably aligned on these concerns. As I've said before, in my now 20
plus years of working in multilateral and multi stakeholder negotiations,
I've never witnessed industry and civil society to be as aligned in their
concerns as I've seen during this process. By and large, we could all swap
and read each other's statements, and frankly, that alone should give pause
to member states.

Looking at the current state of play, Microsoft is disappointed that our
key concerns on the various draft texts, that we and other industry and
civil society entities broadly and continuously shared with member states,
have not been adequately addressed. And, frankly, looking at the trajectory
of the draft text, it appears that each compromise practice is becoming
more problematic.

Microsoft urges states to use the remainder of this week to clearly and
narrowly define the scope of this treaty, improve safeguards throughout the
convention, specifically as it pertains to covert surveillance and
strengthen protections for cybercrime researchers.

Otherwise this convention could not only gravely harm fundamental rights
and create a confusing cooperation landscape for states and providers, but
it could allow cybercrime to thrive and make cyberspace considerably less
secure. And we could not support its ratification.

*Ambivium Institute* <https://www.facebook.com/AmbiviumInstitute/> raised a
good point about the GDC possibly conflicting with this Convention.

A world that is striving to become digitally connected will need that it is
connected with the landscape of each country. Those who desire to close the
gaps lack the capacity to effectively implement most of the items being
advocated here. It will be important for government and civil society to
clearly push for domestic rule of law that aligns with existing law that
guarantees political rights and safety in the area of privacy. Keeping in
mind, as member states are advancing these conventions, the Summit of the
Future is also drafting language that calls for a Digital Compact that will
be different from the language of these conventions.

Digital cooperation is necessary for countries to protect the safety of
individuals when online. The data infrastructure should not negate the
definition of crime in online space. This convention is still the beginning
stage for a long negotiation between the global north and global south
wherever the exchange of new technology will need and will continue to be
the problem. I urge countries that are developed to be open and to share
their knowledge, and to also make open technology available for countries
and stakeholders that are still lacking money to fund it.

And, finally, *DB Connect* advocated capacity building.

Cybercrime knows no boundaries. Criminals can orchestrate attacks from
anywhere in the world, targeting victims across different jurisdictions.
Without international cooperation, law enforcement agencies are limited in
their ability to investigate, collect evidence and apprehend perpetrators
operating abroad.

Different countries possess unique strengths and expertise in combating
cybercrime. Therefore, here today, as multistakeholders, I'm diligently
asking member states to understand that sharing knowledge, best practices,
and resources, allows for a more comprehensive and effective response.
Joint operations and training programs can enhance the capabilities of law
enforcement agencies worldwide.

*VIDEO* <https://webtv.un.org/en/asset/k1f/k1fiyqkyay> | *OTTER*
<https://otter.ai/u/D8tnkZ9pM9x6WyG5dSN46hB5oFI?utm_source=copy_url>

-- 
--------------------------------------
Joly MacFie  +12185659365
--------------------------------------
-
