Cybercrime Ad Hoc Committee
The open-ended Cybercrime Ad Hoc Committee is an intergovernmental committee composed of experts and representatives of all regions, mandated with drafting a new cybercrime convention by 2023. The committee was proposed by the Russian Federation and 17 co-sponsors in 2019 and established by the UN GA Resolution 74/247 under the auspices of the Third Committee of the UN General Assembly.
The committee’s modus operandi
In plain language: The ad-hoc committee is tasked with drafting a new cybercrime convention by 2023. In UN language: the committee is tasked with elaborating a comprehensive international convention on countering the use of information and communications technologies for criminal purposes. The work of the committee will be concluded once it presents a draft convention to the General Assembly at its seventy-eighth session in September 2024.
The organisational session was originally scheduled to take place in August 2020, but was postponed to 10-12 May 2021 in New York due to the impact of the COVID-19 pandemic. There, it was decided that the Ad Hoc Committee shall convene at least six sessions, each lasting ten days. The first session took place 28 February –11 March 2022, in New York, and the second session was held on 30 May and lasted until 10 June 2022, in Vienna, where member states submitted their draft proposals. The third session will be held 29 August – 9 September 2022, in New York.
The Ad Hoc Committee will meet in Vienna and New York. It will hold its first, third, and sixth session in New York and the second, fourth and fifth session in Vienna. The consultations among member states of the committee on the meeting schedule are ongoing among member states of the committee. The UN Secretary-General’s ‘Proposed programme budget for 2022’ estimates that 3 negotiating sessions of the Ad Hoc Committee will be held in 2022, three in 2023, along with the final, concluding session in 2024.
On substantive matters, the committee will first exhaust every effort to reach agreement by consensus. However, should a consensus not be possible, the Bureau will decide that the decisions shall be taken by a two-thirds majority of present voting representatives. The chair will then inform the committee that every effort to reach a consensus has been exhausted.
At its organisational session, the Ad Hoc Committee elected its officers. The committee is chaired by Algeria, while its 13 vice chairs are Egypt, Nigeria, China, Japan, Estonia, Poland, Russian Federation, Dominican Republic, Nicaragua, Suriname, Australia, Portugal, and the USA. Indonesia was appointed the committee’s rapporteur.
The organisational session of the committee was participated by 178 UN member states. Ninety-four countries participated in the first substantive session.
The chair can invite, as observers, global and regional intergovernmental organisations, representatives of United Nations bodies, and representatives of functional commissions of the Economic and Social Council (ECOSOC). Representatives of NGOs with ECOSOC consultative status can attend the sessions.
The chair and the United Nations Office on Drugs and Crime (UNODC) can draw up a list of relevant NGOs, civil society organizations, academic institutions, and the private sector representatives with expertise in cybercrime, and present it to member states who will then decide on who could participate.
The call for applications for stakeholders to participate as observers was 1 December 2021, midnight EST.
The chair is encouraged to hold intersessional consultations with different stakeholders to gather inputs on the draft convention.
Member states are urged to make financial contributions to the UNODC to help representatives of developing countries participate in the committee’s work.
One of the main questions in the negotiations under the UN auspices is how the new draft Convention will interplay with the already existing major instruments – the Budapest Convention in particular.
The Budapest Convention, formally known as the Convention on Cybercrime, is the most comprehensive and widely accepted instrument, adopted by the Council of Europe (CoE) in November 2001 and entered into force on 1 July 2004. The Convention includes a list of crimes that each signatory state must introduce into its law. Put in plain language, it requires the criminalisation of activities such as illegal hacking (including the production, sale, or distribution of hacking tools), acts relating to child pornography, and infringements of copyright and related rights. The CoE is currently working on an additional protocol which would also address the challenges of sovereignty and jurisdiction.
With 68 signatory parties – 20 of which not being members of the CoE (including the USA, Japan, Australia, and, most recently, Argentina, Cabo Verde, Peru, Colombia, and Ghana) – the Budapest Convention is de facto the international agreement on combating cybercrime, which has inspired numerous regional and national cybercrime regulations. Russia objects, some of the articles (namely Art. 32b), believing that they cross the line of state sovereignty, while other major players like China, Brazil, and India do not wish to accept an agreement negotiated by European countries only.
The only draft convention proposed prior to the first session has been submitted by Russia. In its proposal, Russia wishes to see the list of internationally designated cybercrimes – 9 categories as per the Budapest Convention – expanded to 23 cybercrimes. The Russian draft also omits the disputed provision of the Budapest Convention which enables cross-border access to stored computer data during cybercrime investigations.
In preparation for the first session, member states responded to the invitation from the chair of the Ad Hoc Committee to submit their views on the scope, objectives, and structure of the new convention.
In preparation for the second session, member states of the Ad Hoc Committee were invited to submit their drafting suggestions or general comments on the different chapters: ‘Criminalization’, ‘General Provisions’, and ‘Provisions on Procedural Measures and Law Enforcement of the Convention’ to the secretariat.
Argentina submitted its comments and emphasised the significance of the respect of sovereignty and integrity of states, as well as the respect of the principle of non-intervention in domestic affairs. For the procedural law measures and enforcement, Argentina referred to the provisions of the Budapest Convention, namely Art. 21 on the powers and procedures of the state parties on the interception of content data. Additionally, Argentina stated that conditions and safeguards should align with the International Covenant on Civil and Political Rights (ICCPR) and other international human rights law instruments. In the case of the rights and responsibilities of third parties being at stake, such rights may be limited by the powers and procedures of the states, as long as they are in line with Arts. 14 and 15 of the Budapest Convention.
Australia provided two separate documents about the criminalisation of ICTs. The first document focused on the criminalisation of cyber-dependent and cyber-enabled crimes. It stated that the criminalisation of offences should be consistent with the existing international instruments to avoid conflicts. Additionally, it stated that it remains open to broadening the convention beyond cyber-dependent and cyber-enabled crimes, and that it would be better to establish a common standard for cybercrime across all states.
The second document addressed the criminalisation of online child sexual abuse offences and exploitation. This proposal criminalised child abuse material through a computer system; facilitation of child abuse material through a computer system; grooming or procuring of a child for sexual purposes through a computer system; general provisions related to the proposal; child abuse material through a computer system; facilitation of child abuse material through a computer system; solicitation, engagement, and grooming or procuring of a child for sexual purposes.
Brazil provided its draft proposals in which it combined the proposals of Russia, China, the provisions from the Budapest Convention, and provisions from the Expert Group Meeting on Cybercrime of the United Nations Office on Drugs and Crime (UNODC).
The EU and its Member States provided proposals for the collection of electronic evidence, and stated that they remain open to discussing this issue for any type of crime, thus enhancing and promoting international cooperation. States shall be entitled to enforce any future bilateral agreements on the matter of cybercrimes, as long as they do not collide with the objectives and principles of the present convention. Additionally, it emphasised the importance of the protection of human rights and fundamental freedoms, especially the protection of the right to a fair trial, the rights of the defence, as well as the provision of assistance and protection of victims.
Ghana made its proposals based on the already existing international and regional legal instruments, including the UN Convention Against Corruption (UNCAC); the UN Convention Against Transnational Organised Crime (UNTOC); the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), and the Budapest Convention. Ghana stated that the convention should harmonise national laws on cybercrime and enhance international cooperation, offer sustainable capacity building and technical assistance, and ensure the protection of human rights when combating cybercrimes.
India stressed the importance of including the criminalisation of cyberterrorism in the convention. The Indian delegation stated that the term cyberterrorism should entail any attack on national security and sovereignty of the state. Additionally, India stated that the denial of access to any person authorised to access a computer resource, any attempt to access a computer resource without authorization, or causing computer contamination which is likely to cause death to a person, should be considered an act of cyberterrorism. Last, India proposed the criminalisation of offensive messages through communications services that include messages that are ‘grossly offensive or have menacing character’ or any message that would cause annoyance, inconvenience, or danger.
Jamaica and CARICOM supported the creation of the new convention on the criminalisation of ICTs and emphasised the importance of international cooperation and technical assistance in preventing such crimes. Protection of sovereignty, territorial integrity, and non-intervention was stressed when combating such crimes. With regard to the illegal access to computer systems or data, Jamaica referred to Art. 2 of the Budapest Convention, while adding that a state party may require that the offence be committed with dishonest intent.
Malaysia emphasised the importance of international cooperation, building technical assistance to enable member states to strengthen their capacity to address cybercrime, and ensuring the balance between the interests of law enforcement and respect for human rights.
South Africa stated that competent authorities should establish joint investigative bodies while ensuring full respect of the sovereignty of the state parties concerned. Additionally, the legislative measures that establish the criminal offences of infringement of copyrights (under the domestic laws of the state parties) should be in line with the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations, the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) and the WIPO Performances and Phonograms Treaty.
Russia submitted its second draft proposal, this time on behalf of Belarus, Burundi, China, Nicaragua, and Tajikistan. The second draft included submissions on the three chapters: ‘General Provisions’; ‘Criminalisation’, which outlined 23 cybercrimes; ‘Criminal Proceedings and Law Enforcement’; and ‘Measures to Prevent and Combat Offence and Other Illegal Acts in Cyberspace’. Russia emphasised the importance of state sovereignty when conducting cross-border investigations. At the same time, the draft proposed that state parties should empower competent authorities to seek access in the territory of jurisdiction of another state party where there are grounds to believe that ICT information is stored.
The UK stated that the purpose of the convention is to promote international cooperation and technical assistance to prevent and combat cybercrime, and that the implementation of states’ obligations should be in accordance with international human rights law. Additionally, the UK believes that the ‘General Provisions’ chapter of the convention should include a commitment to mainstreaming a gender perspective.
The USA, too, emphasised the importance of the protection of state sovereignty during investigation processes. With regard to the search and seizure of stored computer data, the USA provided a similar proposal to that of the EU and its member states. Additionally, the USA stated the importance of defining key terms in broad language, so that they are adoptable in each state party, with respect to human rights, fundamental freedoms, and sovereignty. The USA also proposed to consult the already existing UN instruments for effective models when determining jurisdiction, as well as any other already existing treaties for the offences set under the convention.
Vietnam provided its proposals to the chapters ‘General Provisions’, ‘Criminalization’, and ‘Procedural measures and Law Enforcement’ of the convention. Vietnam proposed the inclusion of the criminalisation of cyberterrorism in the convention, and stated that cyberterrorism should be considered ‘an act of terrorism or financing of terrorism which involves the use of cyberspace, information technology or electronic devices’.
General comments and proposals
Angola stated that the rapid evolution of new technologies led to the existence of legislative gaps. Angola encouraged the harmonisation of domestic legislation on cybercrime and electronic evidence. Additionally, it proposed the adoption of policies and actions to increase the digital literacy of citizens. Safeguarding the principles of equality and reciprocity between states with regard to the practice of collaboration in obtaining electronic evidence, while respecting fundamental rights, freedoms, and guarantees, as well as the protection of personal data, should also be included in the convention. Angola emphasised the importance of creating effective mechanisms and forms of cooperation between the authorities that investigate and prosecute cybercrimes. Last, any crimes that affect critical infrastructure should be considered cyberterrorism.
In its general provisions, Canada took into consideration the already-existing international legal instruments such as: the UNTOC, the UNCAC, and the Council of Europe Convention on Cybercrime. Canada referred to the potential infringement of human rights during investigation processes, and thus stressed the importance of including provisions that would ensure their protection. Regarding the criminalisation of offences, Canada proposed the usage of technology-neutral language in domestic laws to apply substantive criminal law offences to both current and future technologies.
Dominican Republic supported the creation of joint investigation teams, and stressed that each state party should ensure that the establishment, implementation, and application of provisions are subject to ‘conditions and safeguards provided under its domestic law, which shall provide for the full protection of human rights and liberties, incorporating the rule of law, legality, necessity and proportionality.’ With regard to the criminalisation of child exploitation, Dominican Republic stated that the denomination ‘minor’ should include any person under the age of 18, and that in no case the minimum age should be lower than 16. Last, the convention should include the criminalisation of the dissemination of intimate images, including revenge pornography, of a person who did not give their consent to that sharing.
The Islamic Republic of Iran proposed the use of modern technologies in the course of the investigation of cybercrimes, where the judicial authorities would be given reliable technical assistance. Additionally, Iran stood for promotion of moral values and human dignity, as well as international governance based on non-discrimination.
Japan stated that the scope of the convention should be based on the provisions of the UNTOC and UNCAC. Additionally, cybersecurity and internet governance should not be addressed within this convention as it would have a chilling effect on legitimate economic activity and would go beyond the mandate of the Ad Hoc Committee. Japan said that it is necessary to avoid a chilling effect on legitimate operations and activities such as technology development or abuse of power by law enforcement activity. It also referred to international human rights law treaties and emphasised the protection of human rights and, especially, freedom of expression.
Mexico mentioned the two main challenges that the proposed convention is facing. First, it implies an increase in the complexity of the already elaborate existing bodies of international legislation and, second, the rapid evolution of cybercrime as a consequence of exponential technological change. Thus, Mexico proposed that the convention should not ignore, duplicate, reverse, or nullify the already existing international legal instruments. Instead, it would be useful to use general and timeless precepts to cover future cybercrimes.
New Zealand stated that when including the provision on state sovereignty, states should consider that cyberspace does not have a clear territorial link, and any cyber activity may involve infrastructure that operates simultaneously in multiple territories. The delegation of New Zealand also stressed the importance of the protection of human rights, fundamental freedoms, and the rule of law in the convention.
Norway provided a brief proposal concerning the issues that need to be addressed in the new convention. The first is the inclusion of strong protection of human rights and fundamental freedoms, and provision of the necessary safeguards. Second, it proposed the criminalisation of cyber-dependent crimes, stressing the importance of avoiding double offences and keeping a technology-neutral language. Third, Norway mentioned that the committee should take into account the already existing international legal instruments on cybercrime such as the UNCAC and UNTOC. Last, it proposed a specific provision for the protection of human rights that is in line with the Universal Declaration of Human Rights (UDHR), the ICCPR, and other international human rights legal instruments.
Singapore stressed that the convention should be based on the term ‘cybercrime’ to cover current and emerging cybercrime threats, and thus sharpen the focus of the convention. Additionally, Singapore prefered to use ‘prevent and combat’ cybercrimes, in accordance with the previous legal instruments, including the UNTOC. Singapore also focused on procedural measures and law enforcement, and stressed the need to expedite measures for lawful requests for the preservation of data for digital evidence. Last, Singapore proposed the avoidance of prescriptive terms in operational processes, to make the convention easier to harmonise and apply to national legal structures.
Switzerland’s proposals are based on, or inspired by, the existing international criminal law treaties and are aimed at creating a convention that would facilitate and expedite states’ and relevant authorities’ understanding of what cybercrime is. Thus, Switzerland proposed that the future convention should be specifically focused on a limited and clearly defined number of cyber-dependent crimes, and an even more limited number of cyber-enabled crimes. The convention should focus on behaviours, and not technologies, to reflect new technological developments; build upon the already existing international legal instruments; include clear and concise provisions; ensure the protection of human rights, especially the rights to privacy, freedom of expression, freedom of association, and other human rights legal instruments.
Tanzania proposed the protection of whistle-blowers and witnesses in cybercrime proceedings and the right of due process of the defendants. Tanzania also stressed that it is imperative to provide technical support to developing countries, including training, technical assistance, and the exchange of expertise. Last, it proposed the inclusion of joint investigations of cybercrimes in the convention due to the borderless nature of these crimes.
Uruguay stated that the convention should take into account the already existing international legal instruments to combat ICT crimes. It also stated that in cases of overlapping jurisdictions of two or more states, temporal priority in the investigation and complaint should be taken into account. Last, it mentioned that human rights and fundamental freedoms should be taken into account when drafting the convention and that they should be aligned with the UDHR, the ICCPR, and other relevant international human rights legal instruments.
The next steps
The next step in the process would be gathering of the national views on international cooperation, technical assistance, preventive measures, the mechanism of implementation, the final provisions, and the preamble of the new convention. The third session of the Ad Hoc Committee, will be held 29 August–9 September 2022.
What to expect in cybercrime in 2022?
1. The UN Ad Hoc Committee will be in focus as negotiations of the UN Cybercrime Convention advance. The main question will be how to reconcile the text proposed by Russia with the solutions developed by the Budapest Convention.
2. Russia has crossed the rubicon (even if formally) by going after REvil; this may impact the cybercrime milieu.
3. The US-led coalition with ‘defence forward’, information sharing, and prosecution may show some results.
4. UN discussions may raise cooperation awareness among states.
5. UN processes on cybersecurity and cybercrime have an important capacity development component. More and more developing countries are gaining human and institutional capacities to deal with cybersecurity challenges. This trend will intensify in 2022.