Convention on Cybercrime: “There is a risk of the United Nations creating a convention that undermines the Budapest Convention”, says Karine Bannelier

From the criminalisation of « fake news » proposed by China to US calls to remove protection of privacy and personal data from due process safeguards passing by the crime of extremism proposed by Russia, will the draft UN Convention to combat cybercrime become a graveyard for civil liberties? Or will the need to compromise cause the elephant to give birth to a mouse?

States must manoeuvre carefully to avoid these stumbling blocks, explains Karine Bannelier, a representative of the Cross Border Data Forum (CBDF) in the negotiations conducted by the « United Nations Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes ». This Associate Professor of International Law, Director of the Cyber Security Institute (CyberAlps) at Université Grenoble Alpes (UGA), Senior Fellow on Cybercrime (CBDF), and Director of the Master’s degree programme on « International Security, Cybersecurity and Defence » (UGA/Paris ILERI) takes inCyber behind the scenes at these top-level negotiations.

The fourth session of the UN committee tasked with drafting a convention to counter cybercrime ended in Vienna on 20 January. A stormy session…

Indeed. The first three days were spent distinguishing between two groups of articles, those that could be agreed upon and those that were relegated to informal groups in which they were discussed, to see whether some of them could be subsequently reintroduced into the Convention.

But several states also proposed controversial provisions, such as China with the crime of spreading fake news, and the United States, which wanted to delete references to the protection of privacy and personal data along with the principles of proportionality, necessity and legality, which are essential safeguards to counterbalance judicial powers of investigation.

On which articles has a consensus been reached at this stage of the negotiations?

There seems to be a consensus among states about what are referred to as ‘cyber-dependent’ crimes, which can only be committed via the Internet. Broadly speaking, these are the crimes already included in the Budapest Convention on Cybercrime, such as illegal access (Article 6); illegal interception (Article 7), interference with computer data (Article 8), interference with communication systems or devices (Article 9), misuse of devices and programs (Article 10), Computer-related forgery (Article 11) and computer-related fraud (Article 12). The only non-cyber-dependent crimes on which a consensus has been reached are those relating to ‘Offences related to online child sexual abuse or exploitation material ‘ (Article 18).

So, are the controversial articles more closely linked to ‘content’ crimes?

Content crimes, including crimes relating to the notion of extremism, the spreading of fake news, and those related to terrorism, are indeed controversial. Their interpretation is highly subjective and they could be used to undermine the freedom of expression. These content crimes are also part of a controversial category of offences known as ‘cyber-enabled crimes’.

Tell us more about these ‘cyber-enabled crimes’

These are crimes that can be committed in cyberspace, but which already exist elsewhere, such as obstruction of justice, as proposed by the United States, and money laundering. Of these, a consensus has only been reached on child pornography. I have discussed this with some of the negotiators and no one seems to think that there might be a hidden agenda on the part of certain states in relation to this crime, as might be the case with content crimes: it is genuinely a question of combating a universally recognised scourge.

The US proposal to omit the protection of personal data and the preservation of privacy from the safeguards in the context of criminal investigations has also sparked controversy.

This is the famous Article 42: France, EU Member States and others consider that police investigations may be highly intrusive in terms of privacy and personal data, and that safeguards are therefore required concerning the protection of privacy and personal data, and compliance with the principles of necessity, proportionality and legality.

This article was hotly debated in Vienna. Some states, including as Pakistan and Russia, proposed to delete it altogether… Others, such as the United States, while stressing the importance of this article, felt that such references, especially the protection of personal data, should not be included on the grounds that this is not a universal concept in international instruments.

What was your reaction?

A. Trotry, who is currently writing a doctoral thesis on this issue, and I anticipated this argument and presented a submission to the UN ahead of the negotiations in Vienna in order to counter it. We have shown that many instruments around the world genuinely address this issue, especially in relation to the fight against crime. These include the African Convention on Cyber Security and examples in the South American context, but also in ASEAN and APEC countries, and in the United Nations Convention against Corruption, which is one of the models used in the negotiations on the Convention against Cybercrime.

You mentioned the Budapest Convention. What else could the UN Convention add?

In the fight against cybercrime, there is only one instrument in force: the Budapest Convention of the Council of Europe, which involves all the Member States, with the exception of Ireland and Russia, which has been excluded from the Council of Europe since its invasion of Ukraine. This convention also includes more than twenty non-member states, such as the United States, Brazil, Senegal, etc., for a total of 68 states. Some fifteen more could also join it in the short to medium term.

This is a fine example of existing international cooperation, but not all states will join it, for different reasons. A universal instrument would therefore be useful, and this can be achieved within the framework of the United Nations.

Is the UN convention likely to be made redundant or rendered devoid of any substance through compromise?

If the instrument is very weak, it will obviously be a disappointment. However, the real risk is of the United Nations devising a convention that is not properly aligned with the Budapest Convention, which would generate double standards and contradictions. This could be an alarming prospect, because states would be unable to cooperate on certain issues; this would lead to competition between these conventions and ultimately to their mutual weakening, which would be a boon for cybercriminals.

What is the state of play after the Vienna session?

In January, states focused on the first three chapters of the draft convention, comprising 55 articles. Some of them were set aside due to a lack of consensus. States’ negotiations therefore actually concerned the precise wording of some thirty articles. The Chair and her secretariat now need to synthesize all these deliberations and propose articles whose wording can be consensually agreed upon. This is a complex task, as the convention must ultimately be drafted in the six official languages of the United Nations.

This phase of defining cybercrimes is vital, as the international cooperation mechanisms that will be negotiated at the next session in April are heavily dependent upon it.

To what extent will this Convention be binding?

If all goes well, it could be adopted in 2024 and will then be open to state participation. Once it has entered into force, it will be binding on the States Parties, which will then be obliged, inter alia, to incorporate the crimes identified by this Convention into their domestic legal systems, provide their police forces with the means to investigate these crimes, and comply with requests for international cooperation from third states.

Once the Convention has been signed, can it change?

Even it is unlikely we must remain vigilant. Indeed, some States have already suggested that additional protocols could be adopted for certain types of crimes, such as « content crimes » which might be excluded from the Convention. It would be dangerous if certain behaviours were to be criminalised on the international scene when they are content crimes that could be used by authoritarian regimes to undermine the freedom of expression.