UN Cybercrime Convention must be revised to include human rights safeguards
Date: January 10, 2023Source: Computer Crime Research Center
The Convention’s confidentiality provisions (Articles 43(3), 47(3), and 48(3)) should only apply to the extent necessary to prevent any threats to investigations that might ensue in the absence of confidentiality.
We respectfully recommend that the CND be revised to ensure that:
The scope of the Convention should be limited to issues within the realm of the criminal justice system and should be limited in both its substantive and procedural scope to core cyber crimes.
The proposed crimes under Articles 6 and 10 should be revised to include, at minimum, a standard of both fraudulent intent and harm, to protect journalists, whistleblowers, and security researchers [CLUSTER 1].
The criminalization chapters should be restricted to offences against the confidentiality, integrity, and availability of computer data and systems.
Crimes where ICTs are simply a tool that is sometimes used in the commission of an offence should be excluded from the proposed Convention. [CLUSTERS 2-10]
Should other non-core cybercrimes be included, we recommend that those cyber-enabled crimes are narrowly defined and consistent with international human rights standards, and, in any case, no speech offences should be included.
Any criminal offences that restrict activity in a manner that is inconsistent with human rights law should be excluded. The risk that an overbroad list of online content, speech, and other forms of expression may be considered a cybercrime under the proposed Convention is a major concern that should be addressed, particularly through the removal of any content offences [See CLUSTERS 4, 7, 8, and 9].
Investigative powers in Criminal Procedural Measures and Law Enforcement Chapter III should be carefully scoped so that they remain closely linked to investigations of specific criminal conduct and proceedings and should only be available for investigations of crimes specifically covered by the Convention (Article 41(2)).
Secrecy provisions should only be available where disclosure of the information in question would pose a demonstrable threat to an underlying investigation (Articles 43(3), 47(3), and 48(3).
When it comes to criminal procedural measures, any proposed obligations that enable investigation and prosecution should come with detailed and robust human rights safeguards and rule of law standards, including a requirement for independent oversight and control and the right to an effective remedy.
General provisions authorizing interception and real time collection of data should be amended to clarify that they do not authorize intrusion into networks and end devices. These provisions lack sufficient safeguards to address the threat to the security and integrity of networks, data, and devices posed by state hacking, and State Parties should not be able to rely on ambiguities in the text to justify hacking activities (Articles 47 and 48).
The text should not authorize any indiscriminate or indefinite retention of metadata.
Negotiating an international cybercrime Convention with Member States is not an easy task. But it is paramount that this Convention, which has the potential to profoundly impact millions of people around the world, makes it crystal clear that fighting global cybercrime should reinforce and not endanger or undermine human rights.
[1] These instruments are the International Covenant on Civil and Political Rights (ICCPR), the International Covenant on Economic, Social, and Cultural Rights (ICESCR), the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), the Convention on the Elimination of All Forms of Racial Discrimination (CERD), the Convention on the Rights of the Child (CRC), among other international and regional human rights instruments and standards).
Add comment
Email to a Friend
