Keep an Eye on the United Nations Cybercrime Convention


On August 8, 2024, the United Nations Ad Hoc Committee reached agreement on the “Draft United Nations convention against cybercrime; strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and for the sharing of evidence in electronic form of serious crimes” (United Nations Convention against cybercrime, or UNCC for the purposes of this article).

The UNCC is closely supported by numerous international bodies, including the Council of Europe and the European Commission. It complements the Budapest Convention on Cybercrime.

The Electronic Frontier Foundation has been closely following this topic and has voiced several concerns about the current wording of the agreement, despite some of the issues the organization previously raised about past iterations having been at least partially addressed. Current issues, broadly speaking, are:

  • unclear, broad definitions
  • insufficient respect for human rights, and too few safeguards against abuse of the treaty for human rights and privacy violations
  • excessive leeway for authoritarian states to require unacceptable information sharing from other signatory states
  • disproportionate deference to national law when defining safeguards, creating major opportunity for abuse

Without downplaying the other objections, the surveillance and encryption provisions of the proposed treaty should be particularly strong causes for concern. While there exist international legal protections for encryption, the treaty would give signatory states a very open-ended and permissive framework for breaking encryption and engaging in mass surveillance. For residents of the European Union, this should be a major red flag in the context of the proposed “Chat Control” regulation currently (October 2024) making its way through the European lawmaking process.

The 2015 Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye (PDF), specifies 3 conditions that must be met (Section IV) for “restrictions on encryption and anonymity” to be acceptable. Even if we assume that the concept of “public morals” as a legitimate reason for restricting use of encryption is open to significant interpretation and abuse, these conditions are a fairly high bar for governments to meet.

Chat Control is a seriously flawed piece of legislation. In June 2024, CyAN published its opposition to the regulation for a number of reasons. Significant among these are worries about mandatory client-side scanning undermining encryption. While my views do not necessarily represent those of the CyAN community, I firmly believe that if the Cybercrime Convention is approved by the UN General Assembly, it will provide additional wind to Chat Control and its damaging effects on encryption – and all that these would entail as outlined in the CyAN position paper.

This is, of course, in addition to the various other questionable elements of the UNCC. If the Convention cannot be amended to defang or even remove the elements that threaten to weaken protections for individual freedoms, I hope that it is shot down in the General Assembly. It does not matter whether it is flawed due to lazy policymaking and law enforcement, or because of the cynical opportunism of authoritarian states that want to use international treaties with nominally laudable goals to undercut the rights of not only their own citizens, but also those in more liberal signatory countries – the outcome will be the same.

John Morgan Salomon is a CyAN member and independent information security consultant.