A landmark convention on cybercrime is being prepared at the UN. This is a major step forward in ensuring justice and security in cyberspace. However, some experts express concerns about its potential misuse by states for human rights violations and repressive measures.
The convention is being drafted based on the General Assembly resolution 74/247 from 2019. It established an intergovernmental ad hoc committee to develop an international convention on combating the use of information and communication technologies for criminal purposes. Back in 2017, the Russian Federation presented a draft convention to the General Assembly on cooperation in the prevention of cybercrime. Then, Moscow, supported by other non-democratic regimes such as China, Belarus and Syria, presented their own resolution on cybercrime in the General Assembly in November 2019. However, the US, the European Union, and other countries opposed it. Despite this, the resolution was adopted in December of that year. It is precisely the fact that the initiative comes from authoritarian regimes that causes concerns about the possible abuse of international law to take repressive measures.
Another round of negotiations took place in April 2023. The subject of the discussion was the possible form of a convention. The first draft was presented to the committee and would then be presented to states and other concerned groups in August. It therefore seems that the negotiations are gradually but surely coming to an end, despite a few disagreements. US federal prosecutor Jane J. Lee speaks of the possibility of reaching a consensus in the committee that would be based on the protection of human rights while providing a tool for better investigation and punishment of cybercrimes. The most likely scenario is a compromise in which both sides back down from their original demands.
However, the new definitions of cybercrime have been met with suspicion by the United States and human rights organisations. In their view, the previous Convention on Cybercrime (the so-called Budapest Convention) already provides a sufficient legal framework to punish cybercriminal activities. In contrast, the Kremlin has rejected the Budapest Convention, explaining that it interferes with Russia’s sovereignty. The Budapest Convention defines nine criminal offences, while the one currently under discussion distinguishes 34 types of offences. Concerns about the new legal document have been raised because of the potential restriction of freedom of expression. In addition to the aforementioned violation of freedom of expression, Article 19 is the primary problem, as it also threatens the right of access to information. The convention prohibits the dissemination of personal information for financial gain without consent. However, newspapers that write about public figures make a profit and often do not have the consent of the data subject, so they also fall under this definition. The same problem applies to other articles.
Moscow’s intention in initiating a convention that would help increase cybersecurity remains questionable. After all, there are a number of well-known hacker groups, such as Fancy Bear and Winter Vivern, linked to the Kremlin. They regularly launch campaigns against Ukraine or NATO and EU Member States. The support for the convention by other authoritarian regimes, such as Iran, also raises questions. Tehran is known for a number of critical cyber-attacks against other countries. One example is the large-scale attack on Albania. It is precisely because of these facts that the convention is being approached with the utmost caution, and intensive efforts are being made to mitigate any potential negative impact.
Although the new convention has many negatives and potential risks, there is also the other side of the coin. The convention can deepen international cooperation in preventing and combating cybercriminal activities. It could particularly help countries with more limited resources that are unable to deal effectively with cyber incidents and the subsequent investigation and punishment of the perpetrators. Moreover, with the increasing rate of digitalisation, the number of transnational cyber-attacks is growing in direct proportion to the number of cyber-attacks, which poses significant security risks to states. The need for better regulation of cyberspace at the international level has been discussed for years, but so far, no new legal framework has been adopted that would reflect the current situation. The convention may be a step in the right direction, with the potential to stimulate a deeper debate and efforts to take further legal measures to guarantee cyber security. It cannot be said unequivocally that the proposed legal framework will serve as a useful tool for authoritarian regimes. The convention has its strengths and weaknesses, but everything will depend on the final version and how it is implemented. The legislation is, therefore, neither good nor bad in itself; it depends on how countries use it.