This month, the world’s governments agreed to a major U.N. treaty for law enforcement cooperation on cybercrime.
That should be a good thing, right? After all, cybercrime is exploding worldwide.
Unfortunately, what was adopted was a data access treaty allowing governments worldwide to exchange citizens’ personal information in perpetual secrecy on any offense any two governments agree is a “serious” crime. This would include the interception of real-time location and communications worldwide and forcing IT workers to divulge passwords or other access keys that would compromise the security of global systems relied upon by billions daily. And not just private-sector systems either — government systems are at risk.
The pact also puts journalists and whistleblowers at risk of criminal prosecution — the International Press Institute is so worried it placed a full-page ad in the Washington Post. Independent security professionals worldwide warned in February that their work protecting IT systems from cybercriminals is threatened with prosecution.
Negotiators refused to fix this despite clear warnings that the risks were not theoretical. According to the U.N.’s human rights watchdog, negotiators were warned that the pact would undermine freedom of expression and international human rights. Negotiators failed to fix even one of the issues the U.N. High Commissioner for Human Rights identified.
Incredibly, the text (in Article 14) specifically allows governments to prosecute children for “sexting” in the same article intended to protect them from sexual predators. That article also puts at risk of prosecution people working in charities to help bring predators to justice because they need to access material produced by predators as part of their work. This glaring flaw was pointed out repeatedly by civil society advocates, to no avail.
Companies that operate internationally will have increased legal and reputational risks, up to and including the arrest of staff. Individuals and vulnerable communities will have their private data exposed to law enforcement agencies worldwide, even where their conduct is not criminal where they live or in cases that raise significant free expression concerns. All of this cooperation may be kept secret, without any transparency into how governments use the treaty or provisions for companies to challenge law enforcement requests even if they are illegal.
By facilitating secret cooperation on any crime that is “serious,” the door is opened to “offenses” like criticism of leaders or persecution of minorities. These violate fundamental human rights and put companies in the position of responding to law enforcement requests that raise significant conflicts of law, human rights and reputational concerns without any mechanism to challenge requests in many jurisdictions.
There are some elements in the pact intended to limit these abuses. Because states can cooperate in perpetual secrecy, those aren’t worth the paper they’re written on in the situations where they would matter the most.
Even when given specific examples of how the treaty puts their citizens at risk, the United States and the European Union refused to address the problems. Their attitude is, “Since it won’t change our laws, and we won’t allow the abuses other countries might, we can’t tell others how to behave.”
That’s not true, of course. The U.S. and EU routinely upbraid countries worldwide for human rights abuses and loudly trumpet their commitment to it. This is doubly short-sided when considering that adopting such a flawed instrument is a major diplomatic win for Russia. This negotiation was its idea, so it gets credit for the success. Since when has it been U.S. or European policy to give Russia victories of any kind?
The United States, EU and many others openly supported the articles on children. They refused to propose solutions to protect journalists and whistleblowers, and defended retaining the provisions allowing IT workers to be forced to undermine encryption and secure systems (Article 28.4).
My organization, the Cybersecurity Tech Accord, addressed these issues in our submission to negotiators. So have all private-sector and civil society organizations and major companies like Microsoft and Google.
The next step is for the text to be adopted by the U.N. General Assembly after the new session opens in September. The only right choice, especially for democratic countries, is not to agree. The International Chamber of Commerce, the largest and most representative global representative of the private sector, openly called on the United Nations not to adopt the convention on August 13. They are not alone.
If governments fail, yet again, to protect the international human rights legal framework they so often vocally support, then new, dangerous norms created in international law will haunt us all for decades to come.