We need to fight cybercrime, not increase state surveillance

By Amy Hogan-Burney, Associate General Counsel, Cybersecurity Policy & Protection at Microsoft

As cybercrime becomes more effective, damaging, and widespread, addressing the attacks requires collaboration between law enforcement, government agencies, international partners, and private corporations. The challenge? Not everyone agrees on what is or what should be considered a cybercrime, hindering meaningful cross-border coordination and collaboration.

This week marks the second week of the 6th round of negotiations at the United Nations where states have the opportunity to address this issue by adopting a Cybercrime Treaty that creates common definitions to encourage global cooperation in countering cybercrime and shaping international law.

However, the broad scope of the draft UN treaty released in May leaves too much to interpretation.

The risk is that the treaty will not be a tool for prosecuting criminals but rather a weapon that allows for intrusive data access and surveillance instruments. The result could be an international agreement granting authoritarian states the power to suppress dissent under the guise of fighting cybercrime.

States need to adopt a treaty that strengthens the fight against cybercrime. It should not provide an avenue for authoritarian states to criminalize online content, introduce new surveillance powers, expand cross-border government access to personal data, or potentially criminalize common security practices because of ambiguity in the text.

The draft introduces expansive provisions for government access to personal data, including intrusive measures for real-time surveillance, providing wide discretion to request data on any “crime” – not just cybercrime – enshrined in domestic laws. The draft treaty also does not contain transparency safeguards to allow data custodians to notify targets of surveillance – or even the country in which the target resides – of an ongoing investigation. Surveillance could unfold in total secrecy, undermining human rights and national security. Such a broad expansion of state surveillance powers will inevitably clash with existing data protection standards around the world, lead to significant jurisdictional disputes, and ultimately undermine rather than boost global efforts to fight cybercrime. 

The text also does not contain language protecting lawful cybersecurity work that keeps the digital ecosystem secure. We need to ensure that ethical hackers who use their skills to identify vulnerabilities, simulate cyberattacks, and test system defenses are protected. Key criminalization provisions are too vague and do not include a reference to “criminal intent”, which would ensure activities like penetration testing remain lawful.

In other words, unless these issues are addressed, the treaty could create the ideal conditions for cybercrime to thrive.

So far, progress at this 6th session has been slow as countries continue to debate the content of the treaty and it remains to be seen what the outcome will be by the end of the week. As the UN member states convene to discuss the next treaty draft this week, they should follow clear standards that balance human rights with efforts to fight cybercriminals:

• Align the treaty with existing data protection standards to avoid conflict of laws, confusion, delays, increased costs, and potential cooperation breakdown.

• Criminalize core cybercrime offences such as illegal access to computer systems.

• Limit the scope of key treaty provisions, particularly those on data access, to a narrow set of crimes clearly defined in this convention.

• Avoid expanding the definition of cybercrime to broadly encompass online content, undermining human rights, including freedom of expression and the right to privacy.

• Incorporate human rights safeguards, such as independent oversight, right to appeal, and effective redress mechanisms to minimize conflicts with international human rights law.

• Avoid criminalizing the work of ethical hackers and cybersecurity researchers, i.e., only prosecuting acts with “criminal intent.”

• Streamline requests for e-evidence, limiting government access to data that is necessary for specific public safety and national security needs and by directing demands to “data custodians” – i.e., the most proximate data source and rights holders.

• Preserve the right of technology providers to challenge government demands for data on behalf of their customers.

• Increase transparency by allowing technology providers to give notice to users when their data is requested, unless doing so might compromise a criminal investigation.

• Clamp down on “safe havens” by strengthening extradition measures within the convention to ensure cybercriminals cannot evade prosecution and accountability.

Microsoft’s work around the world shows the impact that can be achieved when governments, the private sector, and civil society come together to fight cybercrime. A carefully balanced treaty that clearly defines what cybercrime is and retains a strong focus on human rights has the potential to significantly improve the ability to keep the Internet secure. Too much is at stake to contemplate any other, less constructive outcome.