Recent reporting reveals that the United Nations (UN) will soon hold their final negotiation meeting on its new Cybercrime Treaty.  Having met seven times since 2022, the UN appears poised to present the final draft the second week in August.  The treaty is a much-needed update to the European-led Budapest Convention on Cybercrime, the original framework that has been in place since 2001 and has served as the first meaningful international treaty addressing Internet and cybercrime.  However, the speed with which activities such as crime evolve in cyberspace coupled with states sluggish abilities to respond to them and implement change, enough time has elapsed that necessitated a new blueprint to combat the larger and globally interconnected cybercrime ecosystem that now thrives in today’s environment.  Similar to the Budapest Convention, the UN Cybercrime Treaty is expected to focus on the tenets of strengthening international cooperation, which makes sense given how cybercrime had demonstrated its ability to cross state boundaries and form partnerships across the globe.

Criticism has been levied against the current draft for its “broad” language that would ostensibly enable states to leverage substantial surveillance and data collection authorities against those deemed to be using the Internet and Internet-related technologies for criminal purposes.  While on the surface, such power seems reasonable given the complexities associated with some of the more prominent and advanced cybercrime gangs, critics are quick to point out that broad authorities without specific restrictions could invariably be used against anyone who uses such technology to commit any crime, with “crime” being defined by the government.  The fear is that such provisions further empower authoritarian regimes to censor and control information, and punish those it deems are a threat, which could extend to political opponents, human rights organizations, journalists, or any group misusing technology in the opinion of a particular government.  The crux of their argument is clear:  the current language is insufficient and does not successfully balance the need for increased security with individual data privacy. 

According to one article, Chinese and Russian input influenced the inclusion of broad language, which makes sense given both governments’ consistent position that cybercrime extends beyond just conventional hacking, malware distribution, or theft of money or data, and includes the potential harms that information could cause.  As the article points out, Russia advocated that the “use of computer system to defraud or abuse trust” as part of the treaty’s definition of cybercrime.  Interpretation of what constitutes defraud or abuse of trust is left up to those governments signing onto the treaty.  Per the article, the treaty appears to permit states to act based on “justifiable reasons,” which in and of itself is a subjective criterion, and likely would not be interpreted the same by states.  Moreover, as signatories would be treaty bound, they could be compelled to aid the investigation, tracking, arresting, and prosecution of individuals perpetrating crimes.  This sounds promising against groups like ransomware gangs, but not as good against political critics located in other geographic regions.

But perhaps the bigger concern is not that these provisions will likely encourage states to increase their surveillance and collection activities against marginalized groups, but to use these capabilities against any target of their choosing.  The current treaty draft stipulates that states can collect any electronic data – which would include any type of data traversing via electronic channels and devices.  That is exceptionally disconcerting given the efforts of governments like those in the European Union to bolster data privacy for its citizens.  Under the current draft of the treaty, states would exercise their own discretion with respect to how they maintained, processed, and protected collected data.  That does not seem very reassuring, especially at a time when granting additional authorities to global governments may not be the optimum approach, given the general lack of trust in governments.  As of April 2024, 22 percent of Americans trusted the government to what was right “just about always” (1 percent) or “most of the time” (21 percent).  But this lack of trust is not unique to citizens of the United States.  In a 2022 report, 66 percent of global respondents believed that their country’s governments were purposefully misleading their constituents with government leaders being the least trusted of societal leaders that were tested.  After all, authoritarian regimes aren’t the only ones suppressing free speech.  There has been a marked decline of free speech in western democracies, notably in Canada, France, and even the United States, calling into question why “free speech” is always a sticking point when it comes to international treaties when it’s not even followed by those always espousing its preservation.

While concerns that governments could use the new UN Cybercrime Treaty to facilitate repression are legitimate, it’s not like governments don’t already take advantage of their own laws and lack of international ones to do that very thing, regardless how they dress it up for public consumption.  Recent reporting revealed that U.S. law enforcement and spies are collaborating as part of a new federal strategy to fight foreign hackers.  The effort emphasizes international partnerships with foreign law enforcement and private Internet companies, ideally improving adversary targeting and prosecution of those conducting attacks, especially from abroad.   Certainly, the UN Cybercrime Treaty would facilitate such efforts.  The fact that the United States has purposely stated that it opposes a treaty that allows for broad language points more to Washington not wanting to be compelled to help others’ investigative efforts (perhaps with respect to its own cyberspying efforts) than any concern that such terminology presents a problem to freedoms.  After all, the U.S. government’s position on disinformation suggests that it is favorable to broad and vague interpretive definitions when it suits its interests, even amid fervent criticism from the public and civil liberties groups.

Clearly defining terminology and criteria would make such an ambitious treaty more palatable to critics, but the fact remains that it would be an almost impossible endeavor.  The global community does not share the same thoughts with respect to how cyberspace should be governed, no less defined, and how countries should operate responsibly in that space.  But what can be agreed upon is that the malicious acts committed in cyberspace and the abuse of cyber-related technologies are rampant without any meaningful response from governments to stem the volume of criminal activity.  It’s time for governments to take a step forward and make a commitment to combating cybercrime, and that starts with formally throwing their hats into the ring.  Otherwise, they’re just serving up lip service without any real merit because they have neither the inclination nor the desire to do so, especially at the expense of their own cyber interests.