Given the broad-based and fundamental concerns from stakeholders, signatory organizations urge governments to consider withholding support for the UN Cybercrime treaty in its current incarnation.
February 8, 2024
Our organizations – spanning civil society, industry, and the technical community – wish to urgently draw your attention to critical flaws in the latest draft of the UN cybercrime treaty. While we have diverse perspectives and often do not agree on a range of other policy issues, we share profound concerns over these critical shortcomings. As members of the multistakeholder community we could only support developing a treaty that would effectively address cybercrime and foster international cooperation in accordance with international human rights law and the rule of law in general. While we understand that the text is an attempt to synthesize the views of negotiating states, the result is a draft treaty that would make cyberspace less secure for everyone. The organizations signing this letter, who come from across the multistakeholder community, are deeply concerned by the adoption of such a flawed treaty without major changes.
Serious flaws of the latest draft include an unclear and overly broad scope, vague criminalization provisions and definitions, lack of meaningful human rights safeguards and effective gender mainstreaming, missing protections for good-faith cybersecurity researchers and others acting in the public interest, and overly broad provisions for real-time interception of content and traffic data that go far beyond what can reasonably be justified to fight cybercrime.
Particularly concerning is that the draft treaty authorizes states to conduct intrusive cross-border data collection without prior judicial authorization, without oversight, and in secrecy. Service providers would be unable to notify users or inform anyone about data collection being ordered. Civil society and individuals would not know when their data is being accessed, making it impossible for them to challenge arbitrary requests and protect their privacy. Given these flaws, this process is at real risk of producing an instrument that can be used to conduct broad data collection on a global scale under the guise of fighting cybercrime.
If adopted without major changes – changes we have consistently advocated for throughout the process – the risks of this treaty far outweigh its potential benefits. Notably, some elements of the treaty do not include any human rights safeguards at all, while other provisions would allow states considerable latitude to implement these safeguards. Allowing individual states to arbitrarily define what activities fall under the treaty’s scope would also inevitably lead to human rights violations and criminalize legitimate activity. Individuals, including political dissidents, journalists, human rights defenders, and those at risk of discrimination on the basis of their personal characteristics would face the risk of being subjected to investigations leveraging the procedural measures of this proposed treaty without notice, potentially resulting in extradition and prosecution for exercising fundamental human rights while using digital technology. Such an outcome – facilitated by an instrument adopted by the UN General Assembly – would damage UN credibility and legitimize state behavior that undermines the rule of law while eroding respect for human rights.
To make matters worse, the proposed treaty would weaken global cybersecurity and make both individuals and institutions less safe and more vulnerable to cybercrime, thereby undermining its very purpose. Expansive concepts of what activity may be subject to this treaty – and its significant procedural powers – create an unpredictable legal environment that will discourage critical security research. It may also subject good-faith security researchers, IT professionals, and journalists to criminal prosecution for cybersecurity work that keeps us all safer. The resulting environment would make it easier for malicious actors to create and exploit weaknesses in the digital ecosystem. This could, in turn, lead to an increase in the common harms suffered in connection with cyberattacks, such as unauthorized disclosure of personal information and the disruption of access to important networks and systems, including critical infrastructure.
Furthermore, the increased risk of this treaty facilitating broad government data collection without strong privacy, due process and human rights safeguards may deter individuals and groups from exercising their rights to free speech and expression. This climate of self-censorship will have a negative effect on democratic discourse and civic participation. In essence, instead of serving one of its goals, the protection of private personal information from cybercrime, the treaty would paradoxically increase the risk of such violations and undermine human rights in the process.
A UN treaty that authorizes broad government data collection, creates an uncertain legal landscape for legitimate cybersecurity research, and facilitates greater online censorship, without sufficient guardrails as a global standard is deeply concerning. Ultimately, such a treaty would significantly erode trust and cooperation among all stakeholders, whose joint efforts are essential to address the growing global scourge of cybercrime.
Given the broad-based and fundamental concerns from stakeholders, we urge governments to consider withholding support for the treaty in its current incarnation.