In February 2024 negotiations at the UN intend to finalize a major treaty to create global rules for law enforcement cooperation on cybercrime. If the negotiations continue their present trajectory, the outcome will increase legal and reputation risks—up to and including arrest of staff and executives—for firms that operate globally that have data of interest to law enforcement, such as financial services, telecommunications, those which host content generated by users (whether public or private) and travel services, to name just a few.
The original objective of this negotiation was to address a widely acknowledged serious problem: globally expanding cybercrime. While there is a successful cybercrime treaty agreed under the aegis of the Council of Europe in 2001, the Budapest Convention UN member states were persuaded by the proponent of this negotiation, the Russian Federation, that a new treaty negotiated by all member states would be more representative of their interests, and the process was launched by the UN General Assembly in January 2020.
Here are just a few of the most critical issues with the draft:
- The current scope goes far beyond cybercrime to facilitate cooperation on any crime that any two countries agree is a criminal offense. In much of the world, this will include offenses that conflict with fundamental human rights—and where cooperation would damage the brands of firms who provided assistance even though the treaty does not allow them to refuse.
- All of the data requests made of providers are to be kept secret without time limitation—though national law can provide differently—and providers have no ability to say no to any request even when it would force them to break the law in one jurisdiction to agree to a request in another.
- Provisions facilitate the real-time surveillance of individuals, including their traffic metadata and the content of their communications.
- There is an almost complete lack of criminal intent requirements on the specific offenses it contains, with no protection against criminal liability for security researchers and penetration testers—in fact, journalists’ sources and whistleblowers activities could be criminalised.
- Provisions facilitate law enforcement in one country forcing individuals to provide access to secure systems, turn over access credentials and otherwise compromise corporate systems and networks and provide the details to law enforcement in another country, all without adequate safeguards or any notification to the owner of the now-compromised systems.
One of the most surprising aspects of this negotiation is that the major Western democracies—with two notable exceptions, Canada and New Zealand—are willing to accept the harmful provisions despite the risks to their own firms and citizens. Moreover, adoption without addressing the harmful provisions would be a major diplomatic and practical win for the Russian Federation at a time when the West’s most senior leaders have made it a cornerstone of national policy to marginalize the Russian Federation across the board in multilateral relations until the conflict in Ukraine is ended. Handing Russia a victory of this scale at the UN during the Ukraine conflict will send a terrible signal. At a practical level, the treaty under negotiation will also make it harder for firms operating internationally to resist extraterritorial requests for data from law enforcement—in fact it will make those problems worse.
You might wonder why. There are several reasons; perhaps the most fundamental is that a large part of the text is a copy and paste of the Budapest Convention itself. Negotiators have said that since that Convention is working well, there’s no reason not to reuse its provisions. However, that ignores two fundamental elements of that instrument, neither of which will apply to the new treaty:
- The Budapest Convention’s text was agreed by the Council of Europe not on its own, but with a 60-page Explanatory Report that specifies the additional checks and balances and rule of law-based environment that parties should have underpinning its provisions. When a new state seeks to ratify Budapest and “join the club” existing Convention parties look not just at how the Convention text itself has been implemented but whether it follows the spirit and objectives contained in the Report too.
- The Budapest Convention has a review mechanism: its Secretariat regularly evaluates whether Convention parties have implemented the provisions as intended with respect to both the text and the Explanatory Report.
The private sector’s representatives to the negotiations—the International Chamber of Commerce, the Cybersecurity Tech Accord, whose delegation I lead, Microsoft, and the US Council for International Business—have made clear all along that a treaty focused on core cybercrime offences with robust safeguards and clear intent requirements would be a global good and something industry strongly supports. All industry representatives to the process are also united in their opposition to the harmful provisions and all major civil society organizations participating in the negotiations—including Article 19 and Human Rights Watch, Privacy International and the Electronic Frontier Foundation—agree with the private sector.
All parties mentioned above believe a new treaty that would enable any government to request and obtain the personal information of citizens of other countries—without robust, explicit jurisdictional limitations or sufficient procedural safeguards—in secret and in perpetuity, is simply not consistent with the rule of law. A change to U.S. and EU negotiating positions is fundamentally important to reducing the harms this treaty will create. Right now, key U.S. allies like New Zealand and Canada need more like-minded states to fix the Convention’s major problems. Companies have a short window—before the final negotiations are convened in late January 2024—to build political pressure on negotiators to take a harder line and ensure the final product reflects U.S. and European values, policy goals, reduces legal and reputational risks for business and actually reduces global cybercrime.
