[Air-L] UN Cybercrime AHC Meeting #11 Notes

[Joly MacFie]

Further to this, the news today is that the whole process has been
punted, somewhat indefinitely.

The General Assembly, recalling its resolutions 74/247 of 27 December 2019
> and 75/282 of 26 May 2021, and taking note of the decision of the Ad Hoc
> Committee
> to Elaborate a Comprehensive International Convention on Countering the
> Use of
> Information and Communications Technologies for Criminal Purposes to
> resume its
> work at a later date with a view to concluding its work and providing the
> draft
> convention to the General Assembly at its seventy-eighth session, decides
> that the Ad
> Hoc Committee shall hold a reconvened concluding session of up to 10 days
> in New
> York on [date], tentatively, and requests the Secretary-General to provide
> the
> necessary support and services for that purpose.


On Fri, Feb 9, 2024 at 8:16 AM Joly MacFie <joly at punkcast.com> wrote:

> (I am running the sessions of the 6th and Concluding meeting of the UN
> Cybercrime Ad Hoc Committee into Otter, for easier comprehension -
> https://joly.substack.com/p/51969f5d-7820-4672-9bec-0df5dd5cf3ef )
>
> So, after 9 or so meetings hacking the treaty draft text run by Vice
> Chairs, Monday morning on week two, Chair Mebarki returned for a session on
> the actual proposed UN Resolution
> <https://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/AC.291/25&Lang=E>.
> The main bone of contention, which many weighed in on, was the actual name
> of the convention, Russia wanted the existing “Countering the Use of
> Information and Communications Technologies for Criminal Purposes”, while
> the U.S. favored the simpler “Countering Cybercrime”. Here is how they
> lined up.
>
>
> [image: Screenshot of text]
>
> <https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F827da195-dde3-4428-a703-310f613a24b6_1920x1080.png>
>
> One would think “Cybercrime’ wins.
>
> ===
>
> Article 9 of the resolution is a kind of afterthought:
>
> 9. Decides that, in order to raise awareness of cybercrime and of the role
> of
>
> the [name of the Convention] in combating and preventing it, [date] should
> be
>
> designated International Anti-Cybercrime Day.
>
> The only country to offer support for this was Russia, who referred to it
> as “International Cybercrime Day” (Anti- possibly lost in translation). One
> wonders how many zero days would be timed for this!
>
> ===
>
> So, after two hours of this, the session was notable as being the first
> one with multistakeholder input. Access Now and EFF were called earlier
> last week, but were no shows, as they were also on this day. However
> several others stepped up to the plate for 30 mins of statements.
>
> First up, Romanian NGO eLiberare <https://www.eliberare.com/> emphasized
> the needs of victims of trafficking and sex abuse, suggesting the treaty
> contained “the bare minimum when it comes to safeguards… … to avoid
> retraumatization”, including adult victims.
>
> Specifically, by the suggestion of putting the burden of proving
> victimhood on those who have faced enormous and significant trauma, the
> classification of victimization grant someone access to the rights and
> protections, therefore, the thresholds this convention establishes have to
> be very well thought out.
>
> also, on sex abuse material:
>
> We express the concern regarding vagueness or a broad scope, as it could
> allow even for the targeting of mandatory reporters or service providers. A
> more narrow focus is needed for any such provision to be effective.
>
> *Privacy International* <https://privacyinternational.org/> also
> expressed scope concerns.
>
> Privacy international welcomes the opportunity to intervene at this
> session. While we recognize the cyber crimes can pose a threat to the
> enjoyment of human rights, my organization has long documented that human
> rights violations committed under the guise of combating cybercrime. We
> have also consistently recommended that the UN cyber crime treaty should be
> narrow in scope, and should contain robust safeguards to mitigate the risk
> of these violations. Regrettably, the latest draft fails to address many of
> our significant concerns. I would like to address three of these concerns.
>
> Firstly, the scope of application of investigative powers is very broad.
> Indeed, there is a disconnect between the chapter on criminalization and
> the scope of procedural measures. Under the current tax the powers afforded
> to law enforcement agencies apply to the investigation of criminal offences
> committed by means of a computer system, as well as the collection of
> evidence in electronic form of any criminal offence. Consequently, the
> scope of application of Article four appears to be expanded well beyond
> cyber dependent crimes. Arguably, it will make the treaty one of the most
> far reaching in criminal matters. These over broad scope gives rise to the
> danger that the convention will be used to justify the prosecution of the
> legitimate exercise of human rights.
>
> Secondly, we believe that the draft text is unbalanced. It gives sweeping
> privacy and basic powers to law enforcement agencies without robust human
> rights, limitations and safeguards. Article 29 and 30, for example, provide
> for real time collection of traffic data interception of content data.
> These are extremely intrusive measures that required a set of stringent
> limitation and safeguards. Unfortunately, article 24 does not include some
> key safeguards, well established in international human rights law, such as
> such as the principles of legality and necessity, prior independent
> authorization of surveillance measures, further leaves too much to
> discretion of State Parties in the scope of application of the human rights
> safeguards.
>
> Thirdly, the chapter of international cooperation is also very broad in
> scope of application, and with no detailed human rights safeguards. For
> example, in relation to sharing of personal data, the wording of article 36
> fails to provide effective protection.
>
> Privacy International joined over 100 civil society organizations and
> experts to recommend that the convention should only move forward if it
> pursues a specific goal of combating cybercrime. The present draft falls
> far short of this goal and Privacy International recommends to
> comprehensively revise…
>
> At which point the mic was cut off at the 3 minute mark.
>
> The *Atticus Foundation *took up the cudgel:
>
> I would like to once again highlight our particular concerns about the
> latest draft of the convention, and narrow scope of the whole convention to
> cyber dependent crimes specifically defined and included in this text as
> necessary — any broader application gives rise to the danger that the
> convention will be used to criminalize legitimate online expression, which
> is likely to create discriminatory impacts and deepen gender inequality.
>
> To include a language or specific provisions against excessive
> criminalization to ensure that security researchers, whistleblowers,
> journalists and human rights defenders are not prosecuted for the
> legitimate activities, and that other public interest activities are
> protected.
>
> To strengthen data protection and international human rights standards
> throughout the entire convention is required. This means removing
> references to domestic standards, and including the principles of non
> discrimination, legality, legitimate purpose, necessity and
> proportionality, as well as introducing explicit references to safeguards
> such as prior traditional authorization for, for accessing or sharing data,
> as well as for conducting cross border investigations, and cooperation in
> accordance with the rule of law, a right to notification as soon as
> investigations allow, and the right to effective remedy.
>
> The two are connected and one makes no sense without the other.
>
> Finally, to mainstream gender across the convention, so as to ensure the
> convention is not used to undermine people's human rights on the basis of
> gender. Furthermore, to limit the scope of application of procedural
> measures and international cooperation to cyber dependent crimes,
> established in the criminalization chapter of the convention, in order not
> to undermine trust in secure communications, and infringe on international
> human rights standards.
>
> And finally, Madam Chair, avoiding endorsing any surveillance provisions
> that can be abused to undermine cybersecurity and encryption, so as not to
> allow for excessive information sharing for law enforcement cooperation
> beyond the scope of specific criminal investigations. Madam Chair, the
> final outcome of the treaty negotiation process should only be deemed
> accessible if it effectively incorporates strong and meaningful safeguards
> to protect human rights ensures legal clarity for fairness and due process
> and fosters international cooperation under the rule of law,
>
> International Chamber of Commerce <https://iccwbo.org/> had concerns:
>
> We are very worried that the latest drafts and amendments continue to
> include deficiencies that could end up jeopardizing cybersecurity,
> compromising data, privacy, and eroding online rights and freedoms,
>
> Let me just highlight one major point of concern for international
> business across regions and industry sectors, and this is access to data
> held by the private sector. As it currently stands, the Convention does not
> sufficiently limit access to data to what is necessary and proportionate to
> law enforcement needs. The convention should include provisions to ensure
> clarity and predictability in government access, and embrace transparency.
> Furthermore, real time collection of traffic data and interception of
> content data are considered a significant invasion of privacy and
> references to such practices should be removed from the convention. In
> addition, provisions are needed to ensure that states cannot demand access
> to data in third states without the third state's explicit consent.
>
> *Cybersecurity Tech Accord* <https://cybertechaccord.org/> was brutal:
>
> First, the treaty would weaken cybersecurity globally by facilitating the
> compromising of critical security measures and the criminalization of
> penetration test. testing in cybersecurity research that keeps the digital
> ecosystem resilient against cyber criminals.
>
> Second, the convention would slow down sharing of electronic evidence
> without a specific narrow scope and clear a dual criminality provisions.
> Data custodians will be asked to break the law in one state to comply with
> data requests from another frustrating cooperation.
>
> Third is just mentioned, the convention would generate serious conflicts
> of laws. Just one example is the new italicized language and articles 42,
> 44 and 45. That would force service providers to hand over data in secret
> irrespective of where it is located, and without the knowledge of the state
> that it is in. This violates the law in many countries, Article 4, and the
> UN Charter.
>
> Fourth, the text would allow any state party to obtain the personal
> information of other states citizens without sufficient safeguards and
> perpetual secrecy, forcing service providers to hand over data with no
> ability to notify users or object even when those requests are manifestly
> unlawful.
>
> Fifth by leaving it completely in the hands of individual states to define
> the breadth and type of subject matter that comes under its scope. The
> convention facilitates human rights violations and put lives at risk.
>
> Finally, allowing for secret access to secured systems, extraterritorial
> exfiltration of data and secret real time surveillance with no transparency
> safeguards presents grave risks to States national security as well. Abuse
> of key provisions could result in real time surveillance of an access to
> the secret data of state officials without the knowledge of the impacted
> state.
>
> We don't support the adoption of the convention or ratification of it
> unless all six of these issues are meaningfully addressed, and we can't
> support the compromise package either. It continues to allow states to
> decide what crimes the convention would cover if even the most incidental
> use of ICTs was involved, and e-evidence for all serious crimes. The
> limitation to serious crimes is not meaningful for all the reasons
> previously stated in our submissions, and the link to unspecified other
> instruments creates more ambiguity.
>
> Madam Chair, our concerns are not theoretical. They're based on what is
> happening right now two firms globally. Regrettably, this negotiation is
> going in the wrong direction. What we have before us is a bad treaty that
> has united civil society and industry opposition, in a way I've never seen
> in decades working in international relations.
>
> *Microsoft* <https://www.microsoft.com/> pulled no punches:
>
> Having listened carefully to the deliberations last week, and having
> consulted extensively with member states as well as with other
> stakeholders, we are even more concerned going into the second week. As
> currently drafted, neither the zero draft now the seventh session draft,
> nor the various compromised proposals, adequately addressed the concerns
> industry and civil society have raised. Each version that we have seen
> could have profound negative impact on the digital ecosystem, including the
> severe risk of creating a digital surveillance treaty in the guise of a
> Cybercrime Convention.
>
> Again, nothing of what I say should come as a surprise to anybody. The
> position of stakeholders, both from industry and civil society has been
> remarkably aligned on these concerns. As I've said before, in my now 20
> plus years of working in multilateral and multi stakeholder negotiations,
> I've never witnessed industry and civil society to be as aligned in their
> concerns as I've seen during this process. By and large, we could all swap
> and read each other's statements, and frankly, that alone should give pause
> to member states.
>
> Looking at the current state of play, Microsoft is disappointed that our
> key concerns on the various draft texts, that we and other industry and
> civil society entities broadly and continuously shared with member states,
> have not been adequately addressed. And, frankly, looking at the trajectory
> of the draft text that appears that each compromise practice is becoming
> more problematic.
>
> Microsoft urges states to use the remainder of this week to clearly and
> narrowly define the scope of this treaty, improve safeguards throughout the
> convention, specifically as it pertains to covert surveillance and
> strengthen protections for cybercrime researchers.
>
> Otherwise this convention could not only gravely harm fundamental rights
> and create a confusing cooperation landscape for states and providers, but
> it could allow cybercrime to thrive and make cyberspace considerably less
> secure. And we could not support its ratification.
>
> *Ambivium Institute* <https://www.facebook.com/AmbiviumInstitute/> raised
> a good point about the GDC possibly conflicting with this Convention.
>
> A world that is striving to become digitally connected will need that it
> is connected with the landscape of each country. Those who desire to close
> the gaps lack the capacity to effectively implement most of the item being
> advocated here. It will be important for government and civil society to
> clearly push for domestic rule of law that align with existing law that
> guarantees political rights and safety n the area of privacy. Keeping in
> mind, as member states are advancing these conventions, the Summit of the
> Future is also drafting language that calls for a Digital Compact that will
> be different from the language of these conventions.
>
> Digital cooperation is necessary for countries to protect the safety of
> individual when online. The data infrastructure should not negate the
> definition of crime in online space. This convention is still the beginning
> stage for a long negotiation between the global north and global south
> wherever the exchange of new technology will need and will continue to be
> the problem. I urge countries that are developed to be open and to share
> their knowledge, and to also make open technology available for countries
> and stakeholders that are still lacking money to fund it.
>
> and, finally, *DB Connect* advocated capacity building.
>
> Cybercrime knows no boundaries, criminals can orchestrate attacks from
> anywhere in the world targeting victims across different jurisdictions
> without international cooperation. Law enforcement agencies are limited in
> their ability to investigate, collect evidence and apprehend perpetrators
> operating abroad.
>
> Different countries possess unique strengths and expertise in combating
> cybercrime, therefore, here today, as multistakeholders, I'm diligently
> asking member states to understand that sharing knowledge, best practices,
> and resources, allows for a more comprehensive and effective response.
> Joint operations and training programs can enhance the capabilities of law
> enforcement agencies worldwide.
>
> *VIDEO* <https://webtv.un.org/en/asset/k1f/k1fiyqkyay>* | **OTTER*
> <https://otter.ai/u/D8tnkZ9pM9x6WyG5dSN46hB5oFI?utm_source=copy_url>
>
> --
> --------------------------------------
> Joly MacFie  +12185659365
> --------------------------------------
> -
>
> --
> --------------------------------------
> Joly MacFie  +12185659365
> --------------------------------------
> -
>


-- 
--------------------------------------
Joly MacFie  +12185659365
--------------------------------------
-