WS #202 The UN Cybercrime Treaty and Transnational Repression

Summary

This panel discussion at the Internet Governance Forum focused on the UN Cybercrime Treaty and its potential impacts on human rights and transnational repression. Experts from various organizations expressed serious concerns about the treaty’s broad scope and lack of robust human rights safeguards. They argued that the treaty’s vague language and deference to domestic laws could enable authoritarian regimes to abuse its provisions for surveillance and repression of dissent.

Panelists highlighted how the treaty expands investigative powers and international cooperation beyond core cybercrimes to any “serious crime” as defined by domestic law. This could force countries to assist in prosecuting acts that are not crimes in their own jurisdictions. The treaty’s weak privacy protections and potential to undermine encryption were also criticized.

Case studies from Saudi Arabia and Latin America illustrated how existing cybercrime and anti-terrorism laws are already used to target activists and journalists. Panelists warned the treaty could exacerbate these abuses on a global scale. They also noted the treaty’s provisions could endanger cybersecurity researchers by criminalizing their work.

The experts urged policymakers and industry leaders to oppose ratification of the treaty in its current form. They recommended using upcoming protocol negotiations to address human rights gaps and involve civil society voices. Overall, the discussion emphasized the need for stronger safeguards and more precise language to prevent the treaty from facilitating human rights violations under the guise of combating cybercrime.

Keypoints

Major discussion points:

– The UN Cybercrime Treaty lacks adequate human rights safeguards and could enable transnational repression

– The treaty’s broad scope and vague language around “serious crimes” is problematic

– The treaty gives states too much flexibility in implementation, allowing for potential abuse

– Cybersecurity researchers and civil society could be negatively impacted by the treaty

– There are opportunities to improve the treaty through protocol negotiations and by states refusing to ratify

Overall purpose:

The discussion aimed to raise awareness about human rights concerns with the UN Cybercrime Treaty and encourage policymakers and other stakeholders to push for improvements before ratification.

Tone:

The tone was serious and concerned throughout, with speakers emphasizing the gravity of the potential human rights impacts. There was a sense of urgency in calling for action to address the treaty’s flaws before it is too late. The tone became slightly more hopeful towards the end when discussing potential ways to improve the treaty going forward.

Speakers

– Joey Shea: Covers Saudi Arabia for Human Rights Watch

– Deborah Brown: Covers tech and human rights in the tech division at Human Rights Watch

– Lina al-Hathloul: Saudi human rights defender, head of monitoring advocacy at Al-Qist

– Nick Ashton-Hart: Leads the Cybersecurity Tech Accords representation at the UN

– Veridiana Alimonti: Associate Director for Latin American Policy at the Electronic Frontier Foundation

– Fionnuala Ni Aolain: Professor of law at Queen’s University of Belfast and regents professor at Minnesota Law School, former UN Special Rapporteur on counterterrorism and human rights

Additional speakers:

– Khaled Mansour: Member of the Oversight Board for META

The UN Cybercrime Treaty: Human Rights Concerns and Potential Impacts

A panel of experts convened at the Internet Governance Forum to discuss the UN Cybercrime Treaty and its potential implications for human rights and transnational repression. Joey Shea, the moderator, opened the session with a moment of silence for detained human rights defenders, setting a somber tone for the discussion.

Human Rights Concerns and Transnational Repression

The panelists unanimously expressed significant concerns about the treaty’s current form and its potential for abuse. Deborah Brown of Human Rights Watch highlighted that the treaty provides broad surveillance powers without sufficient protections. She noted that while the treaty allows states to refuse mutual legal assistance on human rights grounds, this flexibility could be exploited by repressive regimes.

Veridiana Alimonti from the Electronic Frontier Foundation warned that the treaty could enable cross-border surveillance and data sharing by repressive regimes. This point was powerfully illustrated by Lina al-Hathloul, a Saudi human rights defender, who shared how Saudi Arabia already uses vague cybercrime and anti-terrorism laws to silence dissent. She provided specific examples of how these laws are used to target activists, journalists, and human rights defenders, emphasizing that the treaty could exacerbate such abuses on a global scale.

Nick Ashton-Hart, representing the Cybersecurity Tech Accords at the UN, raised alarm about the treaty’s allowance for secret surveillance and data collection. He also highlighted concerns about the asset seizure and forfeiture provisions in the treaty, which could be used to target individuals and organizations unfairly.

Impacts on Cybersecurity Research and Internet Security

An unexpected consequence of the treaty, as pointed out by Nick Ashton-Hart, is its potential negative impact on cybersecurity research. The treaty’s language criminalizes accessing systems without permission, which could inadvertently endanger the work of security researchers who routinely probe systems to discover vulnerabilities. This lack of protection for researchers could have far-reaching implications for overall internet security.

Recommendations and Future Considerations

The experts offered several recommendations for policymakers and stakeholders:

1. States should refrain from signing or ratifying the treaty in its current form.

2. Upcoming protocol negotiations should be used as an opportunity to address the treaty’s flaws.

3. Civil society voices must be included in treaty discussions to ensure a balanced approach.

4. Governments should engage with domestic stakeholders when making decisions about ratification.

Nick Ashton-Hart emphasized the importance of the US and EU not ratifying the treaty, as this could influence other countries’ decisions. He also suggested that better results could be achieved in future negotiations, given that opponents of safeguards and rule of law protections lack sufficient votes.

Deborah Brown stressed the need for engaging with domestic stakeholders on ratification decisions and highlighted the treaty’s flexibility, which could be both a strength and a weakness depending on how it’s implemented.

Unresolved Issues

The discussion left several important questions unanswered, including how to effectively balance cybercrime prevention with human rights protections and ensure the treaty cannot be misused for political persecution. The panelists agreed that addressing these concerns and strengthening human rights safeguards will be crucial as the process moves forward.

Technical Difficulties

It’s worth noting that the session experienced some technical difficulties, which were briefly mentioned in the transcript. Despite these challenges, the panelists were able to convey their key points and concerns effectively.

Conclusion

The panel discussion highlighted the urgent need for policymakers, civil society, and industry leaders to engage critically with the UN Cybercrime Treaty. The experts’ unified stance against ratification in its current form sends a strong message about the treaty’s potential to facilitate human rights violations under the guise of combating cybercrime. As negotiations continue, it will be essential to address these concerns and ensure that efforts to combat cybercrime do not come at the expense of fundamental rights and freedoms.

Joey Shea: with the headphones on. We’re going to begin the session. My name is Joey Shea. I cover Saudi Arabia for Human Rights Watch. We’re also joined in person by my colleague Deborah Brown, who covers tech and human rights in our tech division also at Human Rights Watch. I want to welcome you today to our session on the UN Cybercrime Treaty and the impacts that it may have on transnational repression. We have a very important and, in fact, historic panel for everyone here today. Before we begin the conversation, I do want to take a moment to acknowledge who is not here. Many human rights defenders are unable to be here on the grounds, including a number from the country in which this conference is taking place. So I do want to take a moment to say a few names of human rights defenders who have been detained arbitrarily across the Middle East, including in the country in which we now reside, and have a moment of silence for them. So I want to speak about Mohammed al-Ghamdi and Assad al-Ghamdi, who are two brothers. And all the names that I’m going to be saying, just to note, are individuals who are detained in relation to expressing themselves online, either through Twitter or X or other platforms. So Mohammed and Assad al-Ghamdi, who are both citizens of the country in which we are now in. Noura al-Qahtani, also a citizen of the country that we are now in. Ahmed Mansour, Alaa Abdelfattah, Abdelhadi al-Khawaja, and Ahmed Hassan al-Zoubi. So again, all these are individuals who have been detained for expressing themselves online. So I want to take a moment, a brief moment of silence, to reflect on these individuals and their contribution to this space. So thank you again to everyone for being here today. The other thing I want to acknowledge in addition to those defenders whose name I just spoke, other folks who are not able to be here in the room with us today. So beside me would have sat Lina Al-Hathloul, who is joining us remotely on the screen. Lina is of course a citizen of the country in which we now reside, but she is unable to be here given security concerns related to her activism abroad. So instead of her physically being here in person, we’ve laid out an empty chair and a name tag here to symbolize not only her absence, but the absence more broadly of the community of civil society members from this country who are not able to be here in person nor to attend due to the rights crisis here. I also want to welcome our other panelists to get to it more concretely, who are joining us remotely. We have Nick Ashton-Hart, who is joining us here on our lower left of the screen. So Nick leads the Cybersecurity Tech Accords representation at the UN and headed their delegation to the Cybercrime Convention negotiations. And the Tech Accord is a global coalition of more than 160 companies that advocates for greater international action to address malicious cyber incidents and their causes. We are also joined by Virginie Almondi, who is an Associate Director for Latin American Policy at the Electronic Frontier Foundation. She is a lawyer. She holds a PhD in Human Rights from the University of Sao Paulo Law School. And her work focuses on the intersection of technology and human rights, such as privacy and freedom of expression. We’re also going to be joined a little bit later. by another colleague, Fionnuala Ny-Alolen, who is a professor of law at Queen’s University of Belfast and a regents professor at the Minnesota Law School, and she’s also a former UN Special Rapporteur on counterterrorism and human rights. So to start off to our discussion here today, I want to turn to my colleague in the room, Deborah Brown, who has been focused on the UN Cybercrime Treaty for many years, and so I first would be super grateful if you could sort of take us through, first of all, what is the UN Cybercrime Treaty, what is its status, where are we today, and what are the main issues with regards to human rights concerning the treaty.

Deborah Brown: Thank you so much, Joey, for the introduction, and hi to everyone on the room and online. I know it’s very early for some of you, so thank you for joining us. Thank you also, Joey, for that moment of silence. I think that really grounds our discussion, why we’re here, to talk about transnational repression and the rights of people who’ve been detained or otherwise had their rights restricted on the basis of cybercrime laws. I’m gonna start off with an overview. I see some familiar faces in the room. I know some of you are intimately familiar with the UN Cybercrime Treaty. Others of you luckily might not be, and so I just want to sort of set a groundwork or grounding the treaty on the basics, where we are, what it does, and what comes next. So this is the first global treaty on cybercrime that we’ll be discussing today. It was first approved to move forward almost five years exactly today by the UN General Assembly. In 2019, in December, the UN General Assembly voted to start negotiations on this treaty. There was not consensus at the time that there should be a global cybercrime treaty or what even the scope or purpose of that treaty would be. The treaty was first proposed by the Russian Federation. Russia circulated a draft treaty two years prior, in 2017 and when it came down to decide whether to move ahead with this The US European Union and a number of like-minded states voted against or abstained from the treaty from the process to start the treaty negotiations since then There’s been a little over three years of negotiations give or take and in August 2024 what’s known as the ad hoc committee, which was the body established to negotiate the treaty text agreed on a treaty They agreed by consensus For the treaty that sits before the UN General Assembly this week. It’s expected to be adopted. I think any day now and At that point it will open for ratification Once 40 governments ratify the treaty 90 days after that point it will go Into effect into force and then soon after within the next two years negotiations on a protocol to be attached to the treaty will also start and That protocol will be adopted once there’s agreement on it and once 60 states have ratified it. We refer to the treaty shorthand today as the UN cybercrime treaty But it’s actually a bit of a misnomer. That’s not the full name. I’ll read out the full name for you, which is strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and For sharing of evidence and electronic form of serious crimes and that last bit is I think what brings us here today Mostly is to discuss beyond cybercrime beyond attacks on computer networks and systems this treaty is actually a general-purpose treaty to Co-op to investigate and prosecute and cooperate internationally on a much wider range of crimes specifically serious crimes The Treaty just to kind of break down the components. It does actually criminalize certain Certain acts the criminalization chapter if you will and that requires states that ratify the treaty to criminalize in domestic law certain offenses. These range from core cybercrimes like attacks on community, ICT systems, illegal access to data, illegal intercept, things like this, and cyber-enabled crimes, a select number of them, like online child sexual abuse material and non-consensual dissemination of intimate images. I think we’ll hear a bit more from Fanula later on about the compatibility of those offenses and how they’re drawn up with international human rights law, but I just want to flag that in the negotiations there was a lot of disagreement, or negotiation, one might say, on the scope of criminalization. There were some states that really wanted to see a much broader range of acts criminalized, which would include content-related offenses, things that are broadly defined, or not defined, like extremism or terrorism, and then states that wanted to see a much narrower set of crimes included. And we landed somewhere, I would say, in between, but on the flip side of that there’s a much broader scope of crimes on which investigations and prosecutions can happen and transnational cross-border cooperation. So the convention requires states to establish expansive electronic surveillance powers to investigate and cooperate on a range of crimes, even when no ICT systems were used to commit those crimes. It includes specifically international cooperation on anything called a serious crime, which under the treaty says that basically any crime as defined in domestic law that carries a criminal sentence or penalty of four years in prison or more. Now looking around the world, and I think we’ll hear more about this from my colleagues remotely, many countries criminalize acts that are defense of human rights, for example, independent journalism, criticizing one’s government, being LGBT. And under this treaty, states are required to provide mutual legal assistance to prosecute those crimes that might not even be an offense in their own country. And that’s the kind of issues that we’ll be talking about. more about later. I know for this introductory period we’re trying to just cover the high-level points so I think I’ll just move to the human rights safeguards or lack thereof before turning to other colleagues. I think it’s important to recognize that the treaty does include a provision, an article on human rights, and it also includes, so that’s article 6, it includes another article 24 on conditions and safeguards. And this wasn’t a guarantee from the outset and it’s important to recognize where some progress was made. Article 6.2 specifically says nothing in this convention shall be interpreted as permitting the suppression of human rights or fundamental freedoms. And so it’s designed in principle to guard against misuse of the treaty to restrict or violate human rights. Unfortunately that article isn’t actionable. There aren’t really enforceable limitations on the use of the treaty to restrict rights elsewhere. And I will turn to article 24 which is the condition and safeguards article which largely defers to domestic law. It does mention international human rights standards but it does so in a selective and in some cases optional way. It relies heavily on the principle of proportionality but fails to mention legality and necessity, meaning that limitations on human rights that would be permitted by the treaty should be legal like specific and really clear and that they should be necessary, meaning that they’re designed for a specific purpose and the least restrictive measure necessary. Things like judicial authorization are not required, they’re a bit optional in this, and things like independent notice of individual notice to let’s say people who’ve been surveilled or had their data collected for the purpose of an investigation there’s no individual notice and there’s no transparency required that you’d need to know in order to act. actually push back against such requests. And I’d also flag that Article 24.2, as a whole, only applies to Chapter 4, the procedural measures, and to Chapter 5 on international cooperation, when the powers on Chapter 4 are relied on. So there are certain acts like law enforcement cooperation and joint investigations, which may include the sharing of data collected outside of the treaty or domestically, aren’t covered by the human rights provisions. And there were strong efforts from some member states to apply Article 24 and conditions and safeguards to the whole treaty, and those were not successful in the end. So there are certain gaps, and there’s a lot of latitude and kind of flexibility given to governments in how they interpret and enforce the treaty from the human rights perspective. Throughout the negotiations, Human Rights Watch, Electronic Frontier Foundation, industry have been raising these concerns in terms of the gaps and how this treaty can be used to abuse or abuse to violate human rights. We often give examples in our work. These are not hypothetical, and this is why I’m very pleased that Lina will be speaking here to share from her work and her experience on the very real cases of what’s at stake.

Joey Shea: Thank you so much, Deborah, and I think that is a very appropriate note to end on as we turn now to Lina Al-Hathloul, who I didn’t actually probably introduce when we began. But Lina Al-Hathloul is a Saudi human rights defender. She is the head of monitoring advocacy at Al-Qist, which is a Saudi-led human rights organization based in London. She’s also the sister of Loujain Al-Hathloul, one of the most famous Saudi women’s rights defenders who spent over 1,000 days in Saudi prison due to her human rights work. So with that, I’d like to turn to Lina, and Deborah did an excellent job sort of outlining understanding what the cybercrime treaty is and some of the gaps with regard to human rights, particularly as the treaty sort of defers to domestic law on a number of these issues. So I’m wondering if you could speak about your experience as a Saudi human rights defender and Saudi law and how this treaty may sort of interact and lead to further repression inside of Saudi Arabia.

al-Hathloul Lina: Thank you, Joey. Thank you, Deborah. As-salamu alaykum. Good day, everyone. I’ll be reading my speech and we can have a later conversation later on. So I want to begin by expressing my gratitude for the opportunity to address you today, even if I cannot be with you in person. I had hoped to join you directly, but due to safety concerns and the legal travel bans imposed on my family since 2018, that remains impossible for now. That is, I could maybe be trapped in the country should I had come in person. For today, an empty chair will have to represent my voice, a stark symbol of the silencing faced by so many of us. I do hope the situation will change and I can join you in person very soon. My sister’s case is an example of the grim reality that many face. For her women’s rights work, she has been imprisoned, tortured and placed under an illegal travel ban. Her story is not unique and it serves as a powerful backdrop to my remarks today about the proposed UN Cybercrime Treaty and its potential ramifications for countries like Saudi Arabia. The UN Cybercrime Treaty, as it currently stands, is excessively broad and it reduces significant legal uncertainty. It provides states with the tools to leverage high-level, intrusive domestic and cross-border surveillance powers to address a vaguely defined list of criminal offences. This vague framing risks becoming a serious weapon in the hands of governments that are already using cybercrime laws to suppress dissent. The situation in Saudi Arabia is a cautionary tale. Over the past few years, our monitoring and research have revealed the disturbing extent of Saudi Arabia’s surveillance apparatus, both online and offline. Civil society can no longer speak independently, and those who dare to express what the authorities consider dissent are often silenced through imprisonment or worse. One of the most troubling discoveries we made was the existence of a Saudi state security watch list known as Watch Upon Return or Tarqab al-Awda in Arabic. This list monitors social media accounts of Saudis abroad, targeting them upon their return. To give you a stark example, a Saudi citizen was arrested simply for criticising the quality of food provided by the embassy during COVID-19. Another case is Salma Shihab, a PhD student who was arrested upon her return from the UK for social media content supporting human rights defenders. Her initial sentence was six years, which was then later increased to 34 years before being reduced to 27 years. She remains in detention to this day. Even more surprisingly, Saudi state television has laid bar the authorities’ efforts to suppress free speech online. On the Thursday night programme Blindspot, But five imprisoned social media users were interviewed, including one man jailed for a single tweet, a tweet that he hadn’t expected could land him in prison. The message was chillingly clear. No one is safe. No one is safe online. And even what one considers mild criticism can become a crime. We have documented hundreds of cases of individuals in prison solely for their online expression. Among them is Abdelrahman al-Sathan, a man who remains forcibly disappeared to this day. His case highlights the dangers of a poorly constructed cybercrime treaty. Abdelrahman was tweeting anonymously when his identity was allegedly revealed after Saudi authorities corrupted Twitter employees to obtain user data. Under Article 34 of the proposed treaty, states are required to cooperate in collecting, obtaining, preserving and sharing electronic evidence for any serious crime punishable by four years or more. Article 40 requires states provide one another with the widest measures of mutual legal assistance in investigations, prosecutions and judicial proceedings in relation to acts criminalized by the treaty and any serious crime. Without clear and robust limitation, such provisions will give governments unchecked power to surveil, arrest and silence individuals under the guise of law enforcement. It also risks making states part to the treaty complicit in abuses by Saudi authorities. The problem is compounded by differences in judicial systems and their independence. or lack thereof. The treaty largely defers to domestic law in the conditions and safeguards it outlines in Article 24. In Saudi Arabia, laws such as the counter-terrorism law and the anti-cyber crime law define criminal offences in dangerously vague terms. These laws are routinely used to target peaceful activism and free speech. Offences committed are tried in the Specialized Criminal Court, or the SCC, a jurisdiction that has been increasingly weaponized against human rights defenders. Trials are often held in secret, court documents withheld, and witnesses barred from testifying. This lack of due process leaves individuals without any protection against abuse of the law. The cybercrime treaty will only exacerbate these existing abuses, it would provide governments with even more tools to surveil, silence, and detain critiques, undermining fundamental human rights under the pretense of addressing cybercrime. It is critical to address these risks and implement clear safeguards to ensure that such provisions cannot be misused. In closing, I want to emphasize that cybercrime legislation must prioritize human rights and include robust definitions, safeguards, and independent oversight. The price of failing to do so is measured in lives silenced, freedoms lost, and families torn apart, a price that many, including my family and I, know all too well. Thank you for listening, and for holding space for voices like mine. I look forward to a day where I can join you in person, without fear, to continue this vital conversation. Wassalamu alaikum.

Joey Shea: Thank you. Thank you. to hear even further how the cybercrime treaty will impact human rights and freedoms here in Saudi Arabia. I also want to turn now to Veridiana. I just want to make sure that the screen, there we go. I want to turn now to Virjana to speak about another case study, and I just want to make sure that our technical, we’re just going to wait until the Zoom appears on the screen here so that we can see Virjana as we are hearing from her. Hi. Excellent. Virjana, I’m sure you can’t see in the room, but you’re now on our screen. So welcome. So Virjana, I want to sort of turn to you now and ask you about the lack of robust privacy and data protections and the conventions, and specifically how these may be problematic from a Latin American perspective, particularly with regards to the legal frameworks in place and the weak protections in your region. So welcome.

Veridiana Alimonti: Thank you very much, Joey and Deborah. So we at the Electronic Frontier Foundation have engaged with the UN debates on the cybercrime convention from the early stages, and as Joey mentioned, the point I want to highlight is the fundamental imbalance of the proposed treaty between surveillance powers and human rights safeguards and how this is concerning vis-a-vis transnational repression. So EFF has repeatedly stressed that the convention has become a broad surveillance pact. As Deborah mentioned, it establishes intrusive investigative measures at national level and requires international cooperation in accessing and sharing data, even for crimes that do not involve ICTs, and such powers come without adequate safeguards. to prevent their abusive application. Although the treaty text that’s that the implementation of surveillance obligations must comply with state’s commitments before international human rights law, not all states that are UN members and may join the convention have ratified important treaties such as the international covenant on civil and political rights or have domestic legal frameworks that ensure sufficient guarantees. So if we consider Latin American countries within any spectrum of democratic nations, safeguards that we can deem essential are not necessarily present in domestic legal frameworks. Looking only at prior judicial authorization for accessing communications related data for example, Colombia doesn’t require prior judicial order for the interception of communications content. Peru allows real-time location data access without a previous warrant under specific conditions subject only to later judicial review. In Panama, the law authorizes prosecutors to request a considerable amount of communications metadata to telephone providers without previous judicial authorization. Law enforcement authorities in Paraguay also rely on a supreme court’s ruling to require access to metadata without judicial authorization. And in Brazil, there is an ongoing legal debate on whether the disclosure of storage location data requires a previous judicial order. Yet as Deborah mentioned, article 24 of the UN convention sets that the application of the investigatory surveillance powers and procedures provided for in its specific chapter are subject to conditions and safeguards provided for under the country’s domestic law. And that in accordance with and pursuant to the domestic law of each state party, such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power of concern, include safeguards that are absolutely crucial as judicial or independent review, the right to an effective remedy, which is an international human right established in international human rights instruments, grounds just to find the application, and limitation of the scope and the duration of such power or procedure. Also, it’s Article 24 establishes the principle of proportionality, but not legality necessity and non-discrimination. So as such, the text of the UN Cybercrime Convention does not require that surveillance measures have prior judicial authorization, are only carried out in the face of reasonable suspicion, and are necessary for the investigation. Furthermore, the authorities could keep such measures secret indefinitely, according to the law of each country. These surveillance powers that state parties to the convention will have to establish in their domestic law and will be available for international cooperation, include real-time collection of metadata, interception of content data, which are two provisions that could be abused to underpin government use of malicious software, for example, to spy dissidents and human rights defenders. It also includes a provision that can force individual tech employees working at service providers to provide information, possibly including security weaknesses that could be used to bypass system security safeguards. The fundamental imbalance between surveillance powers and human rights safeguards is particularly concerning in Latin American countries, where the lack of adoption of legal safeguards against data, the absence of comprehensive data protection laws in the law enforcement context, and the insufficient mechanisms for transparency, notification, effective remedy, and oversight pose significant risks to human rights and vulnerable communities. This is also particularly concerning on how it can boost transnational repression. The key function- The intention of the convention, if ratified, will be to create a means of requiring legal assistance between countries that do not already have mutual assistance treaties, MLATs, or other cooperation agreements. This could include repressive regimes who may previously have been hindered in their attempts to engage in cross-border surveillance and data sharing. In some cases, because their concerning human rights records have excluded them from MLATs. The Treaties International Cooperation Chapter compels countries to collect and share private data across borders, effectively requiring them to assist each other in electronic surveillance for a wider range of serious crimes, whether or not technology is involved in the crime. The cross-border evidence gathering applies to any crime that a state chooses to punish with at least four years of imprisonment under its national law, subject to certain restrictions. Proposals to define more strictly serious crimes were not accepted. So, this broad discretion granted to states under the UN Cybercrime Treaty is a deliberate design intended to secure agreement among countries with varying levels of human rights protections. This flexibility in certain cases allows states with strong protections to uphold them, but also permits those with weak standards to maintain their lower levels of protection. The Convention’s underlying flaw is the assumption that, in accommodating all countries’ practices, states will always act in good faith. But what the history and patterns of transnational repression teach us is that this does not hold true, and that mandatory human rights safeguards and effective oversight of whether these safeguards are fulfilled are absolutely essential. A key learning that unfortunately and alarmingly is not reflected in the text of the UN Cybercrime Convention. Thank you.

Joey Shea: Thank you for, thank you for Jana for those important remarks. And I think it’s very important that we look at multiple different case studies to see how the rights impacts of this treaty globally. I’d like to turn now to Fanula if we could get her up on screen as well. I’ll just take a moment. Hi everyone. Brilliant. Fanula welcome, you’re on our screen even if you can’t see the room. Thank you so much for joining us. So I’m wondering if you could speak a bit more about the treaty, but specifically how the broader securitization policies and practices by member states may be impacted and the relationship between the treaty and those policies and practices.

Fionnuala Ni Aolain: Sure, everyone I’m delighted to be joining you today albeit remotely and am pleased to offer an assessment I think of what might be described as selective human rights pieces of the UN Convention Against Cybercrime and really to reflect on in some ways the fundamental incompatibility of parts of this treaty with international human rights law. I think it’s also really fair to say that due to the scale scope subject matter of the convention, the convention poses distinct human rights risks that really should have required heightened scrutiny and safeguards rather than lesser scrutiny and safeguards. And here I align my remarks with the views of the U.N. High Commissioner for Human Rights in their submission to the treaty process in July of 2024. And my focus is really to start by looking at the nitty gritty language of the treaty. And I do that because I think it’s really important that we’re not simply abstract in thinking about how this treaty really has failed to grasp with and create obligations for states under human rights law, but the deliberate avoidance and obfuscation of human rights language and human rights requirement. And I think this represents something of a broader challenge that human rights is facing, particularly in the intersection of new technologies and human rights globally, is the way in which human rights language or what I would call human rights light constructions of new treaties really serve to undermine existing treaty language and practice. And the second is the treaty, I think, represents another pattern, which is the failure to address or be acknowledgement of fundamental and existing patterns of abuse by states. And so that the treaties, in fact, almost it’s like the emperor’s new clothes, an unwillingness to address what we know about state behavior in a particular area and address it through treaty law. And the third, I think, is this really important point that that is sort of builds on the point about human rights light standards, is the weakening of existing treaty framework standards, human rights treaty frameworks by creating de facto spaces of opt out or spaces where critic critical spaces where states essentially get to exclude human rights protection. And the broader point is that new technologies have effectively, particularly in this area of security and new technology, have been given a pass on the application of international human rights law, often based on arguments of exceptionality, that these spaces are exceptional, that they require exceptional, fast and particular kinds of responses, creating, I think, enormous disjunction in our. overall protection schemes. But let me go to some of the language. And I want to start with Article four of the treaty that requires states parties to criminalize offenses under, quote, other applicable U.N. conventions and protocols when committed through the use of an information and communications technology system, end quote. And this provision, I think, is the practical effect of extending the scope of the offenses under other conventions to encompass cyber means without formally amending each of those conventions. So it’s quite an important slight of hand, a move that I think is quite significant. Now, there might be reasons to legitimately extend some offenses under earlier conventions and to update earlier conventions. But I think Article four is objectionable for two fundamental reasons. One is because it’s inherently vague and uncertain in scope, and it doesn’t identify the specific conventions or the offenses that will be updated. And there are dozens of instruments and many more offenses within them that might be affected. And when those treaties were negotiated, each of those offenses was carefully negotiated, giving due legal scrutiny to the particular elements of each substantive and incoherent offense under the convention. And so as a fairly doctrinal lawyer, I think I’m really concerned that Article four requires wholesale and indiscriminate potential extension of every offense under every convention without close drafting scrutiny of whether it’s appropriate or possible or even necessary. And what more particularly what the human rights implications of that are adverse consequences of doing that would be. So this haphazard extension of a wide range of criminal offenses seeking a variety of really different purposes is just not good practice on drafting critical criminal instruments, and I think gives rise to not just inconsistency and unpredictability, but is at odds with the sort of a fundamental tenet of human rights law. And I think the second challenge we see in Article four is the criminalization of offenses and this criminalization. of offenses committed through information and communication technology systems is ambiguous. It’s just ambiguous. And it doesn’t really tell you in which circumstances cyber means should actually be unlawful. And this idea of commission through the use of information could encompass just a whole range of conduct and interactions. And that some of those could be intentional. Some of them might not be. Some of them might be unconscious, indirect, or even offline connections with information and communication systems. And I think this is really, really problematic from a fundamental criminal law perspective and a human rights perspective, because it undermines that absolute obligation in international human rights law of legal certainty. If you are to be made the subject of a criminal offense, you need to know what offenses, they have to be clearly defined in advance in a way that you could regulate your conduct so you don’t end up being in violation of the law inadvertently. And I think that’s just simply not the case here. Individuals may end up being in violation, not just because the law is not clear, but because it suits states to have the law unclear, because that actual level of uncertainty actually puts individuals, and I would say particularly human rights defenders and other civil society actors, on the defensive and therefore preemptively regulating their conduct for fear that they might run afoul of something that’s not clear. And I think what we might end up with is considerable variance at national level about what kind of offenses are produced at national level, a kind of a way that you get double criminality. And when we get to the parts of the treaty that deal with extradition and mutual assistance, actually you run into even further complicated problems. And I do want to flag that I think between the cyber crime offenses, Articles 7 to 12, are really quite problematic. It’s really not clear. When you look at the nature of these offenses, again, they appear to be overbroad and capitalist. or a range of conduct that not, in fact, that that’s not, in fact, sufficiently serious to warrant criminalization. But actually, these offenses risk targeting a whole range of other actors. And the actors I want to highlight are those actors like whistleblowers being criminalized or those engaged in disclosure of information that expose illegality or fraud. It risks criminalizing those who take action to prevent crime. It risks criminalizing ethical hackers, cybersecurity researchers and those who are in the work in the digital infrastructure ecosystem to actually protect us. And probably the most and most substantial fear that I think previous comments have picked up also is the danger that this kind of criminalization is going to get at protest and freedom of expression online. And I also think I’d want to endorse the comments about the lack of sufficient safeguards and conditions of safeguard and the risks that this pose for civil society actors. I also want to pay attention to the way in which the general human rights safeguards that we find in chapters two, five, six and seven are simply inadequate, because actually, when you look at the treaty, it looks like a Swiss cheese. You get like human rights language in one piece, but not in others. And I think that should provoke our curiosity and reflection on why human rights clauses were put in some places and not in others. And I think the lack of consistency of human rights safeguards throughout the treaty. So, for example, their exclusion in chapter two or the limits on it in chapter seven and chapter six tell us, in fact, that again, there really was a Swiss cheese effort here to not ensure consistent human rights safeguards across the board, but to do a pick and choose a kind of an a la carte menu of human rights protection in the treaty. I also want to highlight. Chapter 7, and I want to particularly flag Article 35, which is the general principle on international cooperation, where there’s simply no mention of human rights. And I think this point that you’re leaving out human rights protection in those places, particularly in the context of transnational repression, where we see the gaps in protection being particularly problematic, their exclusion here underscores this broader problem of an unwillingness by states to address the actual practice of transnational repression, which is increasingly being framed under the language of assistance and cooperation among states. And again, brings us back to this human rights, this sprinkling of human rights, the human rights light approach. Two final comments on human rights lacuna I would include is Article 34, the limits on assistance and protection of victims, where again, the failure of the treaty to implement existing and growing human rights law on the rights of victims is simply not present. We see the same in Chapter 6 on prevention measures, where we see actually a failure to implement the massive advantages that are massive and protections that we’ve seen developed over several decades. And I close by just saying that the one of the parts of the treaty that concerns me most is the focus on technical assistance and capacity building under Chapter 6, which refers to training, exchange of information, technical assistance and technology transfers between states. And again, the striking absence of fundamental human rights activity protections in these activities stress to us the ways in which human rights entirely sat at the margins of the conversations in this treaty, weakening it in fundamental ways, but also having the reverse. effect of weakening back to the fundamental human rights treaties, the absence of their inclusion in this important step by states to regulate the cyber arena. So let me stop there and thank you for your time.

Joey Shea: Thanks very much, Fionnuala, for those important remarks. I want to turn now to Nick, if we could get Nick up on the screen from our technical team. Nick, can you hear me all right? Nick, if you can hear us, we’re working to get you up on the screen, but just as we’re working to do that, Fionnuala had mentioned the impact of the treaty on cybersecurity And I know throughout the course of your work, you work very closely with cybersecurity researchers. So I’m wondering if you could, when we finally get you up on the screen, if you could sort of discuss and give us your thoughts on the importance and value of protecting these researchers and why the convention may be harmful for their work. And just give us one moment as we try to bring you up on the screen. Can you hear me okay? In the meantime. To our technical team, Nick is down at the bottom. There we go. Well, thanks again. We have you up on the screen now, Nick. So again, that question, could you just sort of touch on the importance of cybersecurity researchers throughout the course of your work and how the treaty may be harmful to their work?

Nick Ashton-Hart: Thank you very much. I think that’s actually the very first point. I want to address them. You can spend a long time talking about the problems of the convention, but this is one of the two most important areas for us anyway. And thank you for inviting, thank you for organizing a session on this subject at the IGF and for the invitation to speak on it. I should say out front that the Cybersecurity Tech Accord, along with the global business community very broadly has publicly opposed signature ratification or accession to the convention of the text as it stands, along with a very broad array of civil society and voices. It’s been said more than once that throughout the negotiations, there was such unanimity across the board from business and civil society that none of us had ever seen that level of agreement before, which unfortunately the negotiators did not take really enough of a warning from. As you mentioned, there is considerable additional legal risk from cybersecurity researchers, for cybersecurity researchers in the convention. The article on illegal access requires countries to criminalize accessing computer systems without permission of the system’s owner using the same language that the Budapest Convention uses, but without the context of the explanatory report to Budapest, which makes clear that actions which are in the public interest should not be criminalized, meaning that security researchers, investigative journalists, whistleblowers and others are at risk of criminal prosecution in this convention in a way that is not the case in Budapest. Without the work that security researchers do, criminals and others will find it easier to exploit vulnerabilities, to breach sensitive systems, spread malware and engage in ransomware. other attacks. And those risks become even more important when you consider the red teaming that is needed to test AI systems for bias, but also to to test that guardrails against misuse of those systems work not only in the languages of those of those who develop the systems, but in global language sets, for example. Some member states have said publicly that security researchers are protected because of the reference to them in Article 53, three E of the convention. But this is simply not true. And a plain language reading of that article will tell you that it’s not true. Because all that it does is recognizes the importance of security researchers. It does nothing to protect their work. And you don’t have to take our word for it. The global security research community wrote a letter to the negotiators in February, warning them that the convention endangered their work. Unfortunately, the negotiators did not act in any way to address that problem. It allows authorities to force any personal company to facilitate access to computer systems, or stored electronic data in Article 28.4, which you’ve heard about from others today, in a manner that is far broader than Budapest. The Office of the UN High Commissioner for Human Rights has warned that this would directly threaten the global availability of encrypted communications and encrypted services, which we agree with that assessment. And undermining encryption threatens the safety and security of citizens globally. Government and or private sector technology workers on holiday with access to secure systems could be compelled to provide access to those systems, and system owners would not know until it was too late. On safeguards as they relate to the private sector. Many powers in the convention, as you’ve heard, are from Budapest and other treaties, generally verbatim. The safeguards and protections were copied and generally weakened. Many states, OECD states, have said the convention sets new standards for safeguards because it contains protections that are new to international criminal justice law, which is true but misleading because the foundational protections in the convention are weaker than prior instruments, not stronger, and those foundations undermine the new protections which rely on them. In particular, Article 24.2 is copied from Budapest and is an essential foundation of all other protections. In Budapest, all parties must have these procedural law protections, but in this convention those protections are to be, quote, in accordance with and pursuant to the domestic law of each state party, end quote, meaning they are essentially optional. Procedural law is absolutely fundamental to users and human rights, but also to firms because these are the provisions that allow service providers to go to court to contest requests for user data when we think they’re unlawful or disproportionate. They are what requires a state to ground requests in applicable law and which provides for warrants rather than simply allowing a demand for data without judicial authorization. In many countries, you’ve heard in detail earlier in this session from the previous speakers, warrants aren’t required to demand data from service providers. Requests are kept secret and providers may not object to them. Several UN member states at the committee level and at the third committee, when it was adopted by the first stage of UNGA, stated on the record that they will treat every safeguard provision in this convention as entirely subject to their own discretion. to their existing national legislation. This means we do not have to guess whether this convention will be abused. States have told us that they will do so on the record multiple times before the convention has even been adopted by the UNGA plenary. While the convention requires confidentiality in the operations of its powers in eight articles, it requires transparency in none. States may use the convention’s powers, all of them, in perpetual secrecy. What this means is that firms operating globally will get demands for data which must be kept secret, and there will be no recourse to courts to push back against them, even if the firm knows they’re breaking the law in a different jurisdiction if they grant the request. This will all be legitimized because a treaty with the UN’s name on it allows for it to happen. I wanna talk about something in addition today which we haven’t talked about yet and which doesn’t get enough attention, which is the convention’s provisions on asset seizures and forfeiture. The Budapest Convention does not have these provisions. As said by the Council of Europe in its briefing to Budapest member states on 4th July of this year, and I quote, “‘Risks arising from the current draft text “‘of the convention are stemming from provisions “‘on money laundering and asset forfeiture. “‘In some states, targeting assets is a primary means “‘to target opponents or businesses “‘and to restrict fundamental rights. “‘This entails the risk of abusive criminalization, “‘investigation, or seizure of assets. “‘For example, the combination of broad jurisdiction “‘with low thresholds for liability of legal persons, “‘low threshold and intense standards “‘for participation and attempt “‘could elevate non-criminal and unintentional conduct “‘by service providers to a predicate offense “‘and lead to the.’ freezing of assets. Or for political reasons, individuals and organizations may be targeted for fraud, and their assets may then be confiscated domestically or via international cooperation. All of what you’ve heard today begs a question of, why didn’t these many problems get addressed during the negotiation, especially given stakeholders were in the back of the room consistently raising them? The answer is that the process allowed for voting on the substance. This is a major and terrible precedent. Treaties have been previously decided by consensus. Negotiators on OECD states were always worried that they didn’t have the votes for more robust safeguards. We know this because they told us again and again whenever we proposed fixes to these problems. It turns out that they were wrong. And we know this because Iran demanded several votes to remove safeguards and human rights provisions in August before the convention was adopted. And the most votes they could get in favor of this was 31 when they needed more than 90. In short, we recommend that all states not sign or ratify the convention now. The UNGA resolution adopting it will authorize the current negotiating committee to develop a protocol. And we believe national negotiators should be tasked with fixing the problems in the convention during that negotiation. And if they are successful, then states could join the convention and the protocol together. We know we will get better results this time, or we can, because of Iran with its votes showed that the opponents of safeguards and rule of law protections don’t even have a quarter of the votes that they need. That’s all I have time for. But I look forward to the discussion and the questions.

Joey Shea: Thank you, Nick, for that intervention. We’re nearing the end of our time, so I want to open it up to the floor in the room first. We have at least one question online, but I just want to see from our audience here if there’s any questions to our panelists about the treaty and the rights implications globally and also in the various case studies that were presented today. No, if there’s no questions from the room, I know that we have one question online. So, from Monica through our Zoom call here, Monica asks to our panelists, how would human rights codified in national basic fundamental law prevent authorities from a country to transfer data to another treaty signatory? So, Deborah, do you want to?

Deborah Brown: I can start, and I’m very happy for others to weigh in as well. So the treaty does include an article that allows governments to refuse to provide mutual legal assistance on human rights grounds. I’ll read, I think it’s 4022, I’ll read the text now, it says nothing in this convention shall be interpreted as imposing obligations to a foreign mutual legal assistance if the requested state, meaning the state who receives the request for evidence, has grounds to believe that this request has been made for the purpose of punishing a person based on their sex, race, education, religion, nationality, ethnic origin, or political opinions, and it goes on a bit on that. So there is, as we said, this treaty provides flexibility, and as Fanula put it, it’s like Swiss cheese. You see human rights sprinkled in here and there, you can read into it, if you’re really committed to not allowing the treaty to be abused, there are ways you could use it and justify refusing cooperation. The point is, it doesn’t require states to refuse cooperation. They need to be proactive about it. So there’s both a reality, like from what we heard from Lina and from Virgiana, there’s countries around the world who expressively don’t want to respect human rights and are looking for ways to engage in repression, transnational or otherwise. And there’s no shortage of evidence to provide the negotiators reasons to provide stronger human rights protections. And there’s also a practical issue here. This essentially creates mutual legal assistance treaties globally. So rather than on a bilateral level or multilateral level, it’s basically would, for all signatories, require mutual legal assistance, and not for a specific set of crimes, but for crimes based on domestic law with a prison sentence of four years or more. So effectively, you’re going to have a massive number of requests coming in. And to be able to find the requests that one can interpret as posing an obligation of providing substantial grounds for belief that the intention of the request was to repress human rights is a lot of ifs. Firstly, to find the case, to be looking for the case, the purpose of punishing or prosecuting a person on the basis of these protected classes is a high threshold. And it’s all voluntary. Again, it provides flexibility to do so, but no requirement to do so. And so between the high volume of requests that will be incoming to already overloaded mutual legal assistance authorities, and just the reality that a lot of governments are looking for ways, there’s been numerous reports in recent years on transnational repression by Human Rights Watch, by Citizen Lab, by Freedom House that are showing clear trends. So rather than responding to those trends and creating a stronger threshold, this treaty essentially gives a lot of latitude for governments to find ways to cooperate. So I think I answered the question as to how one could find a way in the treaty, but I think the reality is that those are going to be the exceptions, not the rule.

Joey Shea: Deborah, I’m wondering if any of our panelists online would like to weigh in, and perhaps our tech team, who seem… To no longer be here could help them help us get them on the screen But to our online panelists we can hear you so if you want to intervene Please go ahead while we try to get you up on the screen So as we’re So we do have one more question from Yeah, so we have one question from from the audience here, but we’re I’m gonna pass the mic

Audience: It’s an internet governance forum that beleaguered by lots of technical challenges, that’s very not funny anyway Basically all of the speakers. My name is Khaled Mansour. I serve as a member of the Oversight Board for META And my question is all of you paint a very bleak picture that the train has left the station. It’s racing Basically a 40 countries Sign or ratify this treaty. It’s done. It’s a done deal. So what can be done to convince?

Joey Shea: Oh He’s in the IT booth, so I’m gonna take over moderation I’m seeing Nick on the screen, which is convenient because I think Nick has some thoughts on this but also happy to hear from others

Nick Ashton-Hart: But it’s it is like the key question I think the first thing is to remember that in in this in In international judicial cooperation a great deal of the data that most of the country needs is located in a relatively few jurisdictions The u.s. In particular. We have already said that they have no plans to seek ratification or to sign the convention in any reasonable, in any, they’re not going to do it soon, at the very least, they’re going to wait and see what countries do, but the EU has not, the EU commission has said that they want to sign and ratify and the commission, the parliament has to agree to this, so there’s an opportunity for Europe not to do that because Europe is the the next most popular destination to get data from. Throughout the negotiations, we were told by many developing states who genuinely want to cooperate on cybercrime, on actual cybercrime, that the US and the EU member states joining was of fundamental importance because that’s where the data, most of the data they needed is, so were those states to team up and use the protocol negotiations to address some of these issues, they, we know they have the numbers because of the voting situation that I just recounted for you, but we know that they would have support from many other states who need them to join the treaty for it to be a viable instrument, so I think, I think really now is the key is to get, is to get, to get member states to say that they’re not going to sign, they’re not going to sign or ratify the convention as it stands, they supported its adoption, but they’re not going to join it and they’re going to use the protocol negotiations to, to address its flaws. It’s worth pointing out that the reason protocol negotiations exist at all in this is because the many, the many states who are of a more autocratic bent insisted on having protocol negotiations because they want to go and add even more crimes and even more scope to the convention, which makes it doubly important for OECD member states and, and their allies to say well that’s not going to happen, in fact the opposite’s going to happen, we’re going to make this about. about an actual cybercrime and an actually workable result that all states who genuinely want to work on cybercrime will participate in, which I think also goes to the question, Monica, that you asked, or part of the question that you asked. But I don’t see any other, the only other thing that could be done to address the convention is to work through the conference of the parties once it has entered into force, once 40 states have ratified it. And that’s far more, far less likely to have a successful result than the protocol negotiations allow for.

Joey Shea: Thanks, Nick. It’s very concerning to note about how ratification may lead to authoritarian states adding even more crimes to the treaty. I want to go back to Lina for just one moment. We only have a few more minutes left in our session. There’s been a lot of discussion about transnational repression and how the treaty can facilitate and contribute to transnational repression. Could you speak a bit about the sort of history of transnational repression in Saudi Arabia and the gaps in the domestic law here, and how the treaty may interact with those gaps in domestic legislation to perhaps lead to further transnational repression? And also, in case we don’t have time, I’d encourage you to also speak, given that there’s so many policymakers in the room here today, folks from industry and government, what your message is with regard to the treaty on their engagement going forward as ratification comes.

al-Hathloul Lina: Thank you, Joey. That’s a lot to cover, but I’ll try my best. Just maybe, first of all, regarding transnational repression, I mean, what we have been monitoring are different trends. So it’s usually either the government collaborating with other governments in order to commit human rights violations. So, for example, I mentioned the case of my sister who was arrested, but before being arrested, she was actually kidnapped from the UAE with the help of the UAE government, the Emirati government, and brought back to Saudi Arabia and then forcibly disappeared in Saudi Arabia. So we see directly transnational repression with the collaboration of two states. But there are also other kinds of transnational repression, also linked to the digital rights. There’s also the use of spyware technologies, including Pegasus, for example, for numbers. And we have it, I mean, the founder of Al-Qais, has been targeted by Pegasus and is now trying the company and the state in UK courts. So this is also considered as transnational repression. And you also have, I mean, we have to remind this here, but the killing of Jamal Khashoggi in a Turkish consulate, in the Saudi consulate in Turkey, for example. So there are different ways we could describe transnational repression. And it’s mostly done through digital technologies. For Saudi, I mean, when we speak about national laws. What has to be known is, first of all, you don’t have a general penal code. But we do have, for example, two important laws for the topic is the first, the Saudi cybercrime law, and the second one is the anti-terrorism law, which are both used to silence civil society and to criminalize any remaining free speech. For the cybercrime law, we have, it’s problematic in its Article 3 and Article 6. So first, Paragraph 5 of Article 3 punishes any person who publishes defamatory content using various information technology devices with imprisonment for a period of up to one year or a fine of up to $130,000. So we see that usually what consists of what is defamatory is very broad and vague, and can be sometimes also just the comment on someone’s appearance on television, for example. We also have Article 6, so Paragraph 1 of Article 6 punishes any person who produces, prepares, or stores material impeding on public order, religious values, public morals, or privacy through an information network or computer with imprisonment, again, for up to five years and a fine, and or a fine of up to $800,000. And again, here in this definition, everything is very vague, and anything can be considered as impeding public morals, and we’ve seen it in our monitoring. and monitoring work as well. And then, so a person can be charged on the cybercrime law, but also at the same time for the same case on the anti-terrorism law. And what’s very problematic with the anti-terrorism law is really it’s Article 1, the mere definition of what is terrorism. It’s too broad, very vague. We have seen, again, also people getting charged with the anti-terrorism law just for tweets, in which sometimes it’s also commenting social issues that have no link to terrorism whatsoever. And so we have cases where people have been charged with cybercrime law, with the anti-terrorism law. And then, because the judge has so much discretion in Saudi courts, they can add also, for example, two, three years of prison based on the judge’s discretion. So these are the main three laws and, yeah, and use of discretion by the judge in Saudi courts that I would say are the most problematic ones. Thank you. I don’t know, can you maybe just remind me the last part of your question?

Joey Shea: Yeah, the last part of my question, Lina, was any sort of anything you wanted to say to the policy makers here in the audience. We have folks from government and industry here, and any sort of recommendations you would have for them on how they should be engaging with the treaty going forward as it moves towards ratification with respect to human rights?

al-Hathloul Lina: Yeah, I mean, the first thing really is to listen to civil society. I think, I mean, we are discussing now this treaty. Haiti, in Saudi Arabia, when no Saudi civil society can really be present. So I think that the first step is really to be supportive of civil society being present in these spaces in order to really understand what’s at stake. I mean, we cannot just regulate such topics without knowing what’s at stake. And I think that everyone in this room, in your room, Joey, and everyone else, realizes how dangerous it is. It’s not even ratified that I cannot be there in person. So I think that everyone has the duty, really, to push for civil society to be present, to be protected in discussing these topics, and that it should not be seen as a bubble, because it will backfire. I mean, it is against everyone’s interest to have these discussions behind closed doors and not seeing the consequences it could have on everyone.

Joey Shea: Thank you very much, Lina. We just have a few moments left, so I want to actually put that question to the rest of our panelists. Maybe we can start with the rest of our online panelists, Nick or Virgiana, if you have any recommendations for the folks here in the room with how they can engage with the ratification process.

Veridiana Alimonti: I can start, and, well, considering everything that we discussed so far, the way that we see and, of course, EFF also opposes signature ratification and accession to the text as it is now, and have been urging states to vote no when the UNGA votes the UN cybercrime. treaties, so policymakers and industry that are part of this panel and have been listening to our discussion, we would like to extend the call to pay attention to the concerns that we shared here. At this point of the vote in the General Assembly, and nonetheless, if the text passes and we have it, then it’s the process inside each country where policymakers and industry are also to point out these concerns and in another state where this is being discussed internally, if it passes, as it is, what would be a problem in our perspective. To discuss the least harmful way to incorporate this internally, considering the mace and the human rights safeguards a la carte that we mentioned in this panel that should be embraced in each context that this treaty goes on, but what I would like to highlight is that in our position or in our view, we shouldn’t get, in the FF’s view, we shouldn’t get to the point of incorporating this treaty into national law with its current text. We should be able to make its safeguards more robust globally as the investigative powers are robust right now globally. So that’s it. Thank you for the opportunity to be part of this discussion and to share. our thoughts about the cybercrime convention.

Joey Shea: Do you have anything closing to add in terms of advice for the folks in the room? And we just have a few moments, so we’ll keep it short, Nick, and then we’ll close with Deborah. Nick, can you hear us? If you have any closing remarks, please go ahead.

Nick Ashton-Hart: Sorry, I thought it was like a general call. I didn’t hear it was me, because you’re quite faint for some reason on my end. I mean, nothing in particular you haven’t heard. I mean, I hope people who aren’t familiar with this are concerned. You should be. And the best thing that people can do is communicate to their governments what their concerns are and ask that they not be willing to sign this until improvements are made and to engage actively in the forthcoming negotiation process on the protocol to make that possible, because that’s really the only practical way that there is to change the content of the convention. Otherwise, it would be only five years after the convention enters into force could the conference of the parties entertain amendments to it. And I think by then, it would be very difficult to get much support for amending it again. So this is really the time is to not sign it and for states to remain engaged in the process. And this time around. work with civil society and the private sector and come up with proposals in advance that the back of the room can actually support and to be bold, because the states who need the data and the states who have the data are far and away enough to get meaningful changes adopted over the objections of the relatively small number of states who are on the other side of all of the issues that you’ve heard today. That’s the good news. There isn’t a majority for a lot of these provisions. Now we know that, and we should take advantage of that knowledge to change the text.

Deborah Brown: I know we only have three minutes left, so I’ll try to be quick just to build on what Nick was saying. The protocol is an important opportunity. It’s worth mentioning that even if a state hasn’t ratified the treaty, they can participate in those negotiations, as opposed to the conference of state parties. That is an argument both to not ratify, but also to participate in the protocol. This was a relatively open process for a multilateral treaty negotiation, meaning that civil society and industry were in the room, though a lot of these concerns that have been raised today we had proposals to address. I think there’s a gap there also with the UN Office of the High Commissioner for Human Rights, which had very tangible expert advice on how to plug the human rights gaps in this treaty. Moving forward, there’s been ideas floated by the US and an explanation of a position to have a legislative guide or implementation guide. To really lean on the expertise within the UN system would be incredibly important for that. Also, to listen to national stakeholders or in the case of the EU, regional stakeholders. Of course, each member state has a different process to get to ratification, and it’s really important to listen to domestic stakeholders on how to whether they support the treaty and what action to take and within the context of the EU it’d be wonderful if there was an opinion requested by the European Court of Justice and also to listen to request and consider recommendations or opinions from the EU data protection supervisor who had issued an opinion on a draft version of the text which was quite critical. So I think I will end there. I think we’re more or less at time. Joey, any final remarks?

Joey Shea: Just to say thank you to all of our panelists online for participating in this important discussion and especially to Lina who really should be here in the room with us today and again just to emphasize how important her voice is and the voice of Al-Qist and other Saudi human rights organizations are and how unfortunate it is that they are not able to be with us here today. But thank you everyone for joining us and yeah I hope you have a wonderful rest of your IGF. you you you

Agreement Points

The UN Cybercrime Treaty lacks adequate human rights safeguards

Deborah Brown

Fionnuala Ni Aolain

Nick Ashton-Hart

Veridiana Alimonti

Treaty provides broad surveillance powers without adequate safeguards

Treaty lacks consistent human rights protections throughout

Treaty allows for secret surveillance and data collection

Treaty could facilitate cross-border surveillance and data sharing by repressive regimes

Multiple speakers agreed that the UN Cybercrime Treaty does not provide sufficient human rights protections and could enable abuse of surveillance powers.

The treaty poses risks to cybersecurity researchers

Nick Ashton-Hart

Deborah Brown

Treaty criminalizes accessing systems without permission, endangering security researchers

Lack of protections for security researchers threatens discovery of vulnerabilities

Speakers highlighted the potential negative impact of the treaty on cybersecurity research, which could hinder the discovery and reporting of vulnerabilities.

Similar Viewpoints

These speakers advocated for not ratifying the treaty in its current form and suggested using future negotiations and stakeholder engagement to address its flaws.

Nick Ashton-Hart

Veridiana Alimonti

Deborah Brown

States should not sign or ratify the treaty as it stands

Use protocol negotiations to address flaws in the treaty

Engage with domestic stakeholders on ratification decisions

Unexpected Consensus

Broad agreement across civil society and business sectors

Nick Ashton-Hart

States should not sign or ratify the treaty as it stands

The speaker noted an unprecedented level of agreement between civil society and the business community in opposing the treaty, which is significant given these groups often have divergent interests.

Overall Assessment

Summary

The speakers largely agreed on the inadequacy of human rights protections in the UN Cybercrime Treaty, its potential for abuse, and the need for significant improvements before ratification.

Consensus level

High level of consensus among the speakers, implying a strong unified critique of the treaty from various perspectives (human rights, cybersecurity, legal). This consensus suggests a need for substantial revisions to the treaty to address these shared concerns.

Different Viewpoints

Approach to addressing treaty flaws

Nick Ashton-Hart

Veridiana Alimonti

Use protocol negotiations to address flaws in the treaty

Treaty lacks consistent human rights protections throughout

Nick Ashton-Hart suggests using protocol negotiations to fix treaty flaws, while Veridiana Alimonti emphasizes the need for more robust global safeguards rather than incorporating the current text into national law.

Unexpected Differences

Overall Assessment

summary

The main areas of disagreement revolve around the specific approaches to addressing the treaty’s flaws and the level of engagement with different stakeholders in the process.

difference_level

The level of disagreement among the speakers is relatively low. They largely agree on the fundamental issues with the treaty but have slightly different emphases on how to address these issues. This general consensus implies a strong united front in opposition to the treaty as it stands, which could be significant in influencing policy decisions and future negotiations.

Partial Agreements

All speakers agree that the treaty has significant flaws and should not be ratified as is, but they differ on the specific actions to take. Nick Ashton-Hart suggests using protocol negotiations, Veridiana Alimonti opposes incorporation into national law, and Deborah Brown emphasizes engaging with domestic stakeholders.

Nick Ashton-Hart

Veridiana Alimonti

Deborah Brown

States should not sign or ratify the treaty as it stands

Treaty lacks safeguards against misuse for political persecution

Engage with domestic stakeholders on ratification decisions

Similar Viewpoints

These speakers advocated for not ratifying the treaty in its current form and suggested using future negotiations and stakeholder engagement to address its flaws.

Nick Ashton-Hart

Veridiana Alimonti

Deborah Brown

States should not sign or ratify the treaty as it stands

Use protocol negotiations to address flaws in the treaty

Engage with domestic stakeholders on ratification decisions

Key Takeaways

The UN Cybercrime Treaty provides broad surveillance powers without adequate human rights safeguards

The treaty could facilitate transnational repression by authoritarian regimes

The treaty poses risks to cybersecurity researchers and their work

There are significant concerns about the treaty’s vague language and deference to domestic laws

Civil society and industry groups broadly oppose ratification of the treaty in its current form

Resolutions and Action Items

Policymakers are urged not to sign or ratify the treaty in its current form

States are encouraged to use upcoming protocol negotiations to address flaws in the treaty

Governments should engage with domestic stakeholders and civil society on ratification decisions

Unresolved Issues

How to effectively balance cybercrime prevention with human rights protections

How to ensure the treaty cannot be misused for political persecution

How to protect cybersecurity researchers while criminalizing malicious hacking

How to address the treaty’s broad scope and vague definitions of crimes

Suggested Compromises

Use the protocol negotiations to strengthen human rights safeguards while maintaining core cybercrime provisions

Develop implementation guidelines with input from UN human rights experts to mitigate potential abuses

Allow states to opt out of certain provisions that may conflict with domestic human rights protections

The UN Cybercrime Treaty, as it currently stands, is excessively broad and it reduces significant legal uncertainty. It provides states with the tools to leverage high-level, intrusive domestic and cross-border surveillance powers to address a vaguely defined list of criminal offences. This vague framing risks becoming a serious weapon in the hands of governments that are already using cybercrime laws to suppress dissent.

speaker

Lina al-Hathloul

reason

This comment succinctly captures the core problem with the treaty – its vagueness and potential for abuse by repressive governments.

impact

It set the tone for much of the subsequent discussion about the treaty’s flaws and dangers, particularly for human rights defenders and dissidents.

Article four requires wholesale and indiscriminate potential extension of every offense under every convention without close drafting scrutiny of whether it’s appropriate or possible or even necessary. And what more particularly what the human rights implications of that are adverse consequences of doing that would be.

speaker

Fionnuala Ni Aolain

reason

This comment highlights a specific and critical flaw in the treaty’s drafting that could have far-reaching consequences.

impact

It deepened the analysis by moving from general concerns to specific legal issues, prompting more detailed discussion of the treaty’s text and implications.

We know we will get better results this time, or we can, because of Iran with its votes showed that the opponents of safeguards and rule of law protections don’t even have a quarter of the votes that they need.

speaker

Nick Ashton-Hart

reason

This comment provides a strategic insight into how the treaty could potentially be improved, offering a glimmer of hope in an otherwise bleak discussion.

impact

It shifted the conversation towards potential solutions and next steps, rather than just focusing on the problems with the current treaty.

The protocol is an important opportunity. It’s worth mentioning that even if a state hasn’t ratified the treaty, they can participate in those negotiations, as opposed to the conference of state parties. That is an argument both to not ratify, but also to participate in the protocol.

speaker

Deborah Brown

reason

This comment offers a practical strategy for engagement with the treaty process, even for states with concerns.

impact

It provided a concrete action item for policymakers and stakeholders in the audience, shifting the discussion from analysis to potential action.

Overall Assessment

These key comments shaped the discussion by first establishing the serious flaws and dangers of the UN Cybercrime Treaty, then delving into specific legal and procedural issues, and finally exploring potential strategies for improvement and engagement. The conversation progressed from outlining problems to proposing solutions, providing a comprehensive overview of the treaty’s implications and possible ways forward for concerned stakeholders.

How can the protocol negotiations be used to address flaws in the UN Cybercrime Treaty?

speaker

Nick Ashton-Hart

explanation

Nick suggested using the upcoming protocol negotiations as an opportunity to fix problems in the convention, which is important for improving human rights protections.

What are the potential impacts of the UN Cybercrime Treaty on cybersecurity researchers?

speaker

Joey Shea

explanation

Joey asked about this specifically, highlighting the importance of understanding how the treaty could affect the work of those who help protect digital systems.

How can civil society be more effectively included in discussions about the UN Cybercrime Treaty?

speaker

Lina al-Hathloul

explanation

Lina emphasized the need for civil society participation to fully understand the treaty’s implications, which is crucial for developing balanced policies.

What steps can be taken to prevent the UN Cybercrime Treaty from facilitating transnational repression?

speaker

Joey Shea

explanation

Joey asked about this in relation to Saudi Arabia, highlighting the need to address potential misuse of the treaty for human rights abuses.

How can policymakers and industry engage with the ratification process to address human rights concerns?

speaker

Joey Shea

explanation

Joey asked this to all panelists, indicating the importance of finding ways to improve the treaty during its implementation phase.

What are the implications of the treaty’s provisions on asset seizures and forfeiture?

speaker

Nick Ashton-Hart

explanation

Nick raised this as an area needing more attention, suggesting it could be used to target opponents or businesses and restrict fundamental rights.

How can states effectively use the human rights provisions in the treaty to refuse cooperation on abusive requests?

speaker

Monica (audience member)

explanation

This question addresses the practical application of human rights protections in the treaty, which is crucial for preventing misuse.