The United Nations is in the final stages of negotiating a new international cybercrime treaty, which has drawn significant criticism from civil society groups.
These groups argue that the treaty, which follows a surprising 2019 U.N. General Assembly vote authorizing negotiations, could criminalize essential security research and increase police surveillance. Critics, including the U.S. government, question the need for this new treaty, citing the existing Budapest Convention on Cybercrime, which already has over five dozen signatories.
Over 100 civil society organizations have expressed concerns about the proposed treaty’s language, arguing that it would be detrimental to the fight against cybercrime. A major issue raised is the treaty’s vague definition of cybercrime, potentially classifying activities like bug bounty programs and penetration testing as criminal offenses. Tomaso Falchetta of Privacy International highlights that this could lead to the criminal prosecution of security research, negatively impacting the security of digital communications.
Another point of contention is the treaty’s provision for real-time interception of traffic and content data. This could compel internet intermediaries, such as messaging apps, to compromise encryption standards. Groups like the Cyber Peace Institute argue that this measure would undermine privacy protocols established by technology providers, which are crucial for user safety on the internet.
This aspect of the treaty raises concerns about weakening privacy and the potential for abuse by authoritarian regimes. Despite ongoing discussions with civil society groups, the treaty negotiators have largely ignored their recommendations for making the treaty more secure and effective. Stéphane Duguin, CEO of the Cyber Peace Institute, suggests that instead of pursuing a new treaty, countries should strengthen the legal capabilities of their law enforcement and adhere to existing frameworks like the Budapest Convention. Duguin also questions whether the current draft of the treaty effectively provides victims of cyberattacks with greater access to justice and redress, highlighting a fundamental issue with its objectives and implementation.