The UN's cyber crime treaty could be a privacy disaster


Cyber crime is hard to define and even more difficult to attribute and prosecute, especially given that cyber attacks regularly cross borders. With this in mind, a United Nations (UN) committee has been in negotiations this year to flesh out a new international cyber crime treaty.

Despite multiple measures and laws aiming to tackle cyber crime, attacks of all kinds continue to surge, from ransomware to phishing. The UN's plan has been in the making for months, but the fourth meeting of the committee in January was important because a rough treaty was presented for debate. As part of the process, the committee, which includes delegates from Russia, China and the US, has been trying to define cyber crime and form a global response, including intelligence sharing, to make the online world a safer place for businesses and consumers.

Among the proposals is the criminalisation of cyber crime offences including illegal access and interception, data and system interference, and the misuse of devices. In theory, the treaty is positive, but it has been heavily criticised too, with experts saying its impact will be limited – especially since the 2001 Budapest Convention, already in place, addresses many of the issues outlined.

Organisations including the Electronic Frontier Foundation (EFF) go even further by slamming the treaty in its current form, saying it’s not flexible enough to adapt to the changing nature of cyber crime and fails to protect the human rights of whistleblowers and journalists. The proposed convention could result in new policing powers for domestic and international criminal investigations, for example. This could include evidence sharing across borders with countries with different levels of human rights protections, says Katitza Rodriguez, EFF's policy director for global privacy.

On its current trajectory, the treaty might even lead to people being imprisoned for legitimate online activities, Rodriguez warns. “Since the articles are drafted in a vague way – overly broad, undefined, and subjective – it could undoubtedly sweep up and criminalise legitimate expression, news reporting, protest speeches and more,” she explains.

In a complex geopolitical cyber landscape, state-sponsored attacks on the West are growing, and they are notoriously difficult to attribute. It remains questionable whether a treaty can address these types of attacks – especially given the aims of the normally adversarial China and Russia. It’s not the end of negotiations, though. The committee will meet again in April and September, with a final draft due to be presented to the UN in early 2024. So, what can the proposed treaty really achieve and what could it mean for businesses?

What does the UN’s cyber crime treaty propose?

Among the proposals, the international treaty aims to establish rules and regulations for state behaviour online, addressing issues such as cyber warfare and espionage. “The treaty could potentially lead to a more secure and stable online environment for businesses to operate in,” says Jake Moore, global cyber security advisor at ESET.

The treaty also outlines proposals for legal assistance between countries in the investigation and prosecution of cyber crimes. “Law enforcement agencies have notoriously incurred cross-border issues in relation to cyber crime across multiple jurisdictions,” Moore explains. “This treaty aims to establish international cooperation among countries to investigate and prosecute cyber-criminals, which could help to deter and disrupt their activities.”

This will help provide a framework for cooperation between the public and private sectors, which could be useful for businesses, says Steffen Friis, sales engineer at VIPRE. He says mutual legal assistance, preservation of data and extradition between nations “will be extremely useful for businesses that operate in multiple countries”.

Even after the latest negotiations, the treaty is far from perfect and many experts question the impact it can have. As with most treaties, at least some of its purpose is symbolic, says Will Richmond-Coggan, data and cyber disputes expert at law firm Freeths. However, he also points out: “The various national annotations and amendments to the current draft convention demonstrate the extent to which many countries are having to temper the wide-ranging language originally proposed, in order to avoid it extending to encompass their own activities.”

At the same time, echoing issues expressed by the EFF, Mick Reynolds, director of intelligence at SecAlliance, points to the need to measure and balance any new legal powers with the erosion of human rights, particularly those relating to individual privacy.

Privacy concerns centre around the treaty’s proposed provisions on data retention and mutual legal assistance. As Friis adds, there are concerns these could be used to access personal data without sufficient legal safeguards.

The treaty also needs to take into account the nuances of security research, in which experts use attack techniques in order to find vulnerabilities in software. “Security researchers routinely identify weaknesses and potential exploits in software systems,” Tim Mackey, head of software supply chain risk strategy at Synopsys, points out. “While their intent isn’t criminal, those efforts could easily fall foul of statements covering ‘exploitation of a vulnerability’.”

Sovereignty is another problem: “Provisions on jurisdiction, mutual legal assistance and extradition could be used to infringe on the sovereignty of countries and to circumvent domestic laws,” says Friis.

How will the UN measure success?

The UN must certainly work to iron out issues in the proposal, but if the final treaty is to be effective, it will also be important to be able to measure its success. There are two key measures for the cyber crime treaty, namely whether cyber criminals are being arrested and whether cyber attacks are decreasing, according to Michael Smith, CTO of Neustar Security Services.

Moore, meanwhile, suggests the severity of attacks and the number of successful prosecutions may also be measured. “The treaty could be evaluated based on the extent to which it leads to greater international cooperation among countries in addressing cyber security issues,” he suggests, adding the success of the treaty will “depend on how well it is implemented and enforced by the countries that have ratified it”.

In a complex geopolitical arena, it’s difficult to define what a perfect treaty would look like. However, experts point to the need for a global approach that cuts across borders and political interests, something extremely challenging to achieve.

The ideal situation is an agreement that everyone, including China and Russia, can sign and stick to, says Will Dixon, global head of academy and community at ISTARI. “This is the fundamental flaw in the Budapest Convention. It is entirely possible such a treaty might be drafted, but in the wider geopolitical context, making the necessary concessions may prove unpalatable.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.