by Katitza Rodriguez, EFF:
This is the third post in a series highlighting flaws in the proposed UN Cybercrime Convention. Check out Part I, our detailed analysis on the criminalization of security research activities, and Part II, an analysis of the human rights safeguards.
As we near the final negotiating session for the proposed UN Cybercrime Treaty, countries are running out of time to make critical improvements to the draft text. Delegates meeting in New York from July 29 to August 9 must finalize the convention’s text that, if adopted, will expand surveillance laws dramatically and weaken human rights safeguards significantly. This proposed UN treaty is not a cybercrime treaty; it is an expansive global surveillance pact.
TRUTH LIVES on at https://sgtreport.tv/
Countries that believe in the rule of law must stand up and either defeat the convention or dramatically limit its scope, adhering to non-negotiable red lines as outlined by over 100 NGOs. In an uncommon alliance, civil society and industry agreed earlier this year in a joint letter that the treaty as it was currently drafted must be rejected and amended to protect privacy and data protection rights—none of which have been made in the latest version of the proposed Convention.
The UN Ad Hoc Committee overseeing the talks and preparation of a final text is expected to consider a revised but still-flawed text in its entirety, along with the interpretative notes, during the first week of the session, with a focus on all provisions not yet agreed ad referendum. However, in keeping with the principle in multilateral negotiations that nothing is agreed until everything is agreed, any provisions of the draft that have already been agreed could potentially be reopened.
An updated draft, dated May 23, 2024, but released on June 14th, is far from settled, though. Tremendous disagreements still exist among countries on crucial issues, including the scope of cross border surveillance powers and protection of human rights. Nevertheless, some countries expect the latest draft to be adopted.
Earlier drafts included criminalization of a wide range of speech, and a number of non-cyber crimes. Just when we thought Member States had succeeded in removing many of the most concerning crimes from the convention’s text, they could be making a reappearance. The Ad-Hoc Committee Chair’s proposed General Assembly resolution includes a promise of two additional sessions to negotiate an amendment with more crimes: “a draft protocol supplementary to the Convention, addressing, inter alia, additional criminal offenses.”
Let us be clear: Without robust mandatory data protection and privacy safeguards, the updated draft is bad news for people around the world. It will exacerbate existing disparities in human rights protections, potentially allowing increased government overreach, unchecked surveillance, and access to sensitive data that will leave individuals vulnerable to privacy and data protection violations, human rights abuses, or transnational repression. Critical privacy safeguards continue to be woefully inadequate, and there are no explicit data protection principles in the text itself.
In this third post, we explore problems caused by the expansive definition of “electronic data,” combined with the lack of mandatory privacy and data protection safeguards in the proposed convention. This term has a very broad and vague reach. It appears to include sensitive personal data, like biometric identifiers, which could be accessed by police without adequate protections and under weak privacy safeguards. Worse, it could then be shared with other governments. This poses significant risks for refugees, human rights defenders, and anyone who travels across borders. Instead of this race to the bottom, we call for ironclad privacy and data protection principles in the text to thwart abuses.
Key Surveillance Powers Involving Electronic Data
Chapter IV of the draft, which deals with criminal procedural measures, creates a wide range of government powers to monitor and access people’s digital systems and data, focusing mainly on “subscriber data,” “traffic data,” and “content data.” These powers can be broadly described as forms of communications surveillance or surveillance of communications data. Traditionally, the invasiveness of communications surveillance has been evaluated on the basis of such artificial and formalistic categories.
