The Cybercrime Convention, which has already been agreed upon by the United Nations, continues to cause debate. Countries that sign the proposed agreement risk supporting human rights abuses, warned participants at the 19th Internet Governance Forum (IGF) in Riyadh, Saudi Arabia this week. Saudi human rights activists in particular fear the controversial agreement, which, compared with the Cybercrime Convention of the Council of Europe, comes without effective guarantees for the rule of law and fundamental rights.
The controversial agreement is expected to be adopted by the plenary session of the UN General Assembly before Christmas without further discussion. The ad hoc committee approved the text of the treaty in the summer. The agreement, which was largely initiated by Russia, has been making its way through the bodies of the UN General Assembly since September. Observers expect the General Assembly in New York to vote before the end of the year. Once 40 UN member states have signed the text, it will come into force.
Criminalization of hacking
States that subsequently ratify the treaty justify criminalizing a number of computer crimes under national law. These include crimes such as the dissemination and possession of child abuse images and fraud, as well as attacks on computer systems or the interception or disruption of data traffic using IT systems, explains Deborah Brown of Human Rights Watch in Riyadh. In addition, the distribution of devices that are used to commit crimes should be banned.
The “hacking paragraph” of the convention is strongly reminiscent of the corresponding provisions of the Council of Europe Cybercrime Convention, but without guarantees of protection for security researchers or investigative journalists, warns Nick Ashton-Hart, who was involved in the negotiations on behalf of an association of affected companies. Assertions by states that security researchers and other hackers acting in the public interest are excluded from the text are, in his words, window dressing: “This paragraph simply recognizes the importance of their work. But it doesn’t protect them with a single word.”
Global surveillance statute
Suggestions to include even more offenses in the global criminal catalog were rejected. But the legal assistance that signatory states have to provide goes far beyond these crimes. “The convention requires member states to establish expansive surveillance capabilities in the investigation of a long list of crimes, including those that have nothing to do with ICT systems,” explains Brown.
Brown warns that offenses criminalized in other UN agreements will also be included across the board. This will result in a comprehensive, global legal assistance agreement with countries that previously could not hope for it. In the case of “serious crimes”, authorities must fully support their requesting counterparts, allowing access to stored or real-time connection and content data, and carrying out searches and seizures of computer systems.
Anything that can be punished with at least four years in the country requesting help is considered a serious crime. In many countries, judicial orders for surveillance requirements are not necessary. IGF host Saudi Arabia is one such country that has already imposed significantly higher penalties for criticizing the government, says Lina al-Hathloul from the human rights organization ALQST, who was unable to travel to the IGF herself for security reasons.
Example Saudi Arabia
“Article 34 of the proposed UN Cybercrime Convention requires states to support their partners in collecting and storing electronic evidence of serious crimes,” al-Hathloul stressed. “Article 40 obliges States to provide each other with the greatest possible legal assistance in investigations, prosecutions and legal proceedings relating to such acts.”
Without clear restrictions, the provisions would give governments unrestricted power to monitor people under the guise of law enforcement, warns al-Hathloul: “This poses the risk that contracting states will become complicit in the abuses of the Saudi authorities.”
Criticism was also not welcome at the IGF conference. Critical questions, such as whether restrictions on encryption pose risks, especially for Saudi activists, were punished with exclusion from the Zoom sessions, which were apparently closely monitored.
Insufficient exceptions
There are exception clauses that democratic countries such as EU members could rely on, says Irish lawyer Fionnuala Ní Aoláin: “But they seem like Swiss cheese. In Chapter 7, for example Article 35, which regulates international cooperation, it is completely missing.”
The critics are now placing all their hope in an additional protocol that has already been planned. “You have to make the guarantees clear here,” emphasizes Ashton-Hart. Until then, his demand to the governments was: “Don’t sign!” However, unlike the USA, the EU Commission had already announced that it wanted to sign the agreement.
Now Ashton-Hart is hoping for resistance from the European Parliament. The refusal to sign is also a means of applying pressure to make improvements to the additional protocol. Like the USA, the EU member states are the target of data streams – and therefore the target of future spying searches.
(vbr)