Features 27.02.2024
UN Cybercrime Treaty: Harmful to Research?
What if an attempt to deter cybercrime ends up deterring cybersecurity researchers instead?
The controversial cybercrime treaty proposal, called the Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, would not be the first international cybercrime treaty. The 2001 Budapest Convention, which now has 69 participating countries, already wears that badge. However, several countries, including China and Russia, were not involved in creating the Budapest text, and several countries (including Ireland and South Africa) have signed but not ratified it, putting them in ‘observer’ status.
Russia first presented a resolution for the new treaty to the UN General Assembly in 2017. The argument in its favour is that it will offer a more inclusive, and therefore more authoritative, international agreement that will enable countries to work together on combatting cybercrime.
The UN passed a resolution to set up a Convention based on Russia’s submission in late 2019. It subsequently created an Ad Hoc Committee (AHC) to steward the process and began the first of six negotiating sessions among member states in February 2022.
Since then, all has not gone smoothly for the Convention. Along the way, there has been a constant struggle among states over what constitutes cybercrime. Some states have called for sweeping interpretations that spilled over to include posting content about everything from religion to government. Conversely, human and cyber rights groups have consistently called for a narrowing of cybercrime definitions to avoid the potential use of the Convention as an oppressive tool.
Cut to New York in early February, in what was supposed to be the AHC’s final negotiating session. Seven years after the idea was first raised, there were still plenty of concerns. Over 100 NGOs signed a joint statement a week before the negotiations began, outlining their worries. Others followed suit. Over 120 experts signed another statement on February 7, with the negotiations set to wrap two days later. Yet another letter from worried signatories arrived the following day.
The language in Article 6, which deals with illegal access, is too ambiguous, the Feb 7 letter said. As it stands, the Article says:
Each State Party shall adopt such legislative and other measures as may be necessary to establish as a criminal offence under its domestic law, when committed intentionally, the access to the whole or any part of [a computer system] [an information and communications technology device] without right.
The worrisome term here is ‘without right’, which experts worry could render security researchers liable to criminal prosecution simply for poking around in a system without explicit permission – something which ethical hackers do all the time.
“Although it is positive to have laws that deter cyber criminals, this broad language can criminalise beneficial, innovative, and ordinary activities,” warns Michael Woolslayer, Policy Counsel at bug bounty company HackerOne, which was a signatory to the open letter. “This potentially includes good-faith security testing, where independent parties identify vulnerabilities in digital systems and disclose them so that they can be fixed.”
Woolslayer also worries that the language may make terms of service violations a criminal act, which it currently isn’t in many jurisdictions.
Article 7 of the Convention’s proposed text focuses on the interception of non-public network traffic, again rendering this a criminal offence and again using the term ‘without right’. “Analysis of network traffic is also a common practice in cybersecurity,” says the statement to the UN.
Both articles allow governments to limit such offences to those committed with dishonest intent. This would make it harder to prosecute someone who was, say, looking for vulnerabilities in IoT firmware with the intent of reporting them to the vendor. However, this limitation is optional. Experts want it to be mandatory.
The final worry centres around Article 28, section four, which orders governments to legally compel individuals to give up security information about products and services.
Woolslayer isn’t that worried about search and seizure, which many jurisdictions already have. It’s the effect on end-to-end encryption that concerns him. “The language does leave room for a country to implement a law that requires employees to install backdoor access into encrypted systems to facilitate government searches,” he says.
Katie Moussouris, the founder of bug bounty programme management consultancy Luta Security and former chief policy officer at HackerOne, also signed the Feb 7 letter. She doesn’t believe that Article 6 will deleteriously affect bug bounty companies and those contributing to them, but it could adversely affect others.
“Bug bounties by nature have a defined scope where security research testing is explicitly permitted, whereas the Article 6 phrasing could be interpreted to mean that any security testing without such explicit pre-approval is banned,” she says. “This would harm internet security and the greater good, since many organisations without defined vulnerability disclosure programs or bug bounties would be off limits to security research.”
Woolslayer thinks the Treaty will be particularly dangerous to jurisdictions with immature legal frameworks around cybercrime. “It risks over-criminalising cybersecurity professionals, technology tinkerers, and ordinary consumers,” he says. “An additional risk is that the Treaty will cover authoritarian governments to implement UN-endorsed cybercrime laws broad enough to suppress dissent and enable surveillance.”
It’s worth noting that the original resolution created in 2019 was sponsored by some countries with the worst records in human and online rights: Russia, Belarus, Cambodia, China, Iran, Myanmar, Nicaragua, Syria, and Venezuela. None of these were listed as ‘free’ in the latest annual report on internet freedom from democracy-tracking NGO Freedom House.
“The UN Cybercrime Treaty was deliberately crafted to be expansive, despite the concerns raised by civil society, technical experts, industry, and representatives from the US, EU and other nations,” Woolslayer says. “By now, several hundred stakeholders have urged the UN to take a more targeted approach that focuses on malicious criminal action and does not expand surveillance processes. We all want to stop cybercrime and protect people, but this is not the way to do it.”
There was some good news for those stakeholders. The AHC couldn’t reach the two-thirds majority it needed to approve the Convention (Russia had initially asked for a simple majority but was refused).
This failure left Michael J. Kelly, Senator Allen A. Sekt Endowed Chair in Law at Creighton University, dismissive of the whole thing.
“My understanding is that this is going nowhere. They couldn’t even produce a draft coming out of the NYC round a couple of weeks ago,” he says. “One of the main reasons I wouldn’t be too worried about it is that the secretariat at the Budapest Convention is now not too worried about it – whereas five years ago they were more so.”
As it stands, the NYC session was effectively suspended pending further consideration of the language around cybercrime. The AHC is now pondering an additional negotiating session in New York this summer to try to sort through the whole tangled mess and find language that enough states can agree upon. If that proves unfruitful, it would have to get an extension from the UN General Assembly, which would embed it in more bureaucracy. For now, at least, NGOs nervous about legal overreach can breathe a sigh of relief at the UN’s failure to get this over the line in its current form.