In January 2022, the UN will hold the first meeting to negotiate a treaty on cybercrime. While most states are in the process of developing their positions around the scope and the principles of this new treaty, Russia has already submitted a draft proposal to the UN, suggesting that it be used as the basis of the negotiations. This draft departs significantly from existing cybercrime frameworks, with far-reaching criminalisation, vagueness and inconsistency in some of its provisions, and restrictions on international cooperation, among other issues, raising concerns around further fragmentation of the global efforts to tackle cybercrime.
In July 2021, Russia presented a draft convention on cybercrime to the Chair of the Ad Hoc Committee tasked with developing a UN treaty on cybercrime, suggesting it be used as the basis of the future treaty. This draft is not the first Russia has developed on the topic. In fact, it published one back in 2018 before the UN process got under way.
Russia’s approach to cyberspace has been one of sovereignty and expanded state control. The recent attempts to isolate the internet within its jurisdictions from the rest of the world are a natural progression of this trend, and the recent proposal is in harmony with this approach, although exhibiting some noticeable differences from the previous draft. When the treaty process starts in January 2022, the draft will be considered as one of the options on the table, albeit an influential one. This post unpacks its key elements and explores how it compares to existing cybercrime frameworks.
The draft covers a range of issues related to substantive law, procedural instruments, international cooperation, mutual legal assistance and preventive measures. Both structure and scope show an ambition to tackle the problem of cybercrime in an overarching and comprehensive way. It addresses the issues covered in existing cybercrime instruments such as the Council of Europe’s Budapest Convention – the most complete international instrument on cybercrime – but in a different way. The 69-page document extends well beyond existing instruments in scope, particularly in the offences that it considers as cybercrime. It also addresses issues around prevention, capacity-building, technical assistance and others.
New, Complex and Inconsistent Terminology
The resolution that established the treaty process back in December 2019 explicitly mentions that existing international instruments should be given full consideration. The Russian draft, however, significantly deviates from widely accepted terminology, such as the terminology in the Budapest Convention, and introduces new terms and definitions. Instead of using well-established language such as ‘computer data’ and ‘computer system’, the Russian draft creates new terms such as ‘electronic information’, which are not defined in the ‘use of terms’ (Article 4) but are used throughout the text of the document. The draft uses the new vocabulary inconsistently along with other terms such as ‘data’, ‘systems’ or ‘digital information’, creating confusion in their scope and application. For example, Article 6 criminalises access to ‘digital information’ but the article is entitled ‘unauthorized access to electronic information’. Article 18 suggests establishing as an offence the ‘creation and use of digital data to mislead the user’ without clarity as to whether ‘digital data’ is the same as ‘digital information’. The lack of precision contradicts the core principles of criminal law, which require certainty and clarity in the definitions of criminal acts and in establishing the borders of criminalisation.
Overreach in Criminalisation
The draft is far-reaching in the scope of its criminalisation. The first Russian proposal of 2018 mainly refers to acts that are already criminalised in the existing legal frameworks, albeit with some divergence. The text abandons some of the offences mentioned in the earlier proposal (e.g. spam and phishing) but suggests a more extensive list of crimes including encouragement of or coercion to suicide, offences related to the involvement of minors in the commission of unlawful acts that endanger their life or health, terrorism and extremism-related offences, and many others. Furthermore, in its Article 86, the proposal does not allow signatories to make reservations concerning offences included in some of its articles including but not limited to child pornography, encouragement or coercion to suicide, offences that endanger the life or health of minors (Articles 15–17) and incitement to subversive activity and terrorism-related offences (Articles 19—, 22-26… the reservations are also not allowed in relation to some extradition-related provisions (Article 47 para 11). Many of the suggested crimes are defined vaguely and without establishing proper borders of criminalisation. For example, Article 18 on ‘the creation and use of digital data to mislead the user’ is open to various interpretations and could be used to outlaw dissent, parody and other forms of expression. Vagueness in laws, as seen in a number of countries, has enabled arbitrary interpretation and the use of criminal law for prosecution of political opponents, journalists and human rights defenders. Combined with the suggestion to ban refusal of mutual legal assistance and extradition on the grounds of considering an offence a political offence (Article 46.4), the draft creates the potential for using cybercrime investigations, both nationally and across borders, as an instrument for political oppression.
In addition, the draft both fails in specificity and lacks grounding in international human rights norms and standards. For example, Article 21.1 on extremism focuses on ‘unlawful acts motivated by political, ideological, social, racial, ethnic, or religious hatred or enmity, advocacy and justification of such actions or the provision of access to them’, with no reference to how – or by whom – these acts are defined. It is often the case that extremism is defined by governments to mean political views, ideologies and identities they disagree with. The same article refers to extremism as ‘humiliation by means of ICTs’. Humiliation is a personal and culturally related concept, unsuitable for an international draft instrument and a dangerous enabler of political repression if embedded into a binding treaty.
While some of the provisions are vague and open to various interpretations, others are too narrow. For example, Article 6 suggests criminalising unauthorised access only in cases of blocking, modification, destruction or copying, and doesn’t cover the crime of mere illegal access. Mere illegal access as an offence exists in frameworks such as the Budapest Convention and the EU Directive on Attacks against information systems of 2013, so, again, the draft diverges from these standards. Exclusion of mere access leaves outside the borders of criminalisation activities such as intrusion to study the targeted system or to read confidential information without copying or destroying it.
A Selective Approach to Cyber-enabled Crimes
Several national approaches to tackling cybercrime differentiate between cyber-dependent crimes (i.e. crimes that can only be committed through ICTs and where ICTs are the target) and cyber-enabled crimes (i.e. traditional crimes facilitated by ICTs whereby ICTs are used as an instrument). The latter encompasses a wide range of crimes such as online child exploitation, identity theft, financial scams, content-related offences and practically any crime with an ICT dimension.
The Russian draft is both far-reaching in terms of crimes related to terrorism and extremism and selective in its inclusion of other kinds of cyber-enabled crime. For example, Article 22 talks about offences related to the distribution of narcotic drugs and psychotropic substances, and Article 25 focuses on illicit distribution of counterfeit medicines and medical products. It is not clear why this select group of rather traditional crimes – where ICTs are used as a medium for committing the crime – need to have ‘cyber’ twins that cannot be addressed using existing criminal legislation, such as general offences related to drug trafficking. This selective approach – arbitrarily focusing on some crimes and not others – risks enabling and institutionalising a piecemeal response to general problems: new parallel criminalisation of offences that already exist in current legal systems may undermine the function of criminal law and open the door for exploitation of loopholes and arbitrary application.
Procedural Powers and Safeguards
The draft’s section on procedural instruments includes well-known measures such as production order, collection and partial disclosure of traffic data, interception of content data, search and seizure. However, it lacks the precision and distinction available in existing instruments. While the Budapest Convention provides a clear distinction between various types of data and applicable safeguards, this draft groups them all together. For instance, Article 33 on the ‘collection of information transmitted by means of ICT’ refers to the interception of content and any other data. This lack of precision complicates discussions around necessary safeguards such as limiting interception to serious crimes, commensurate with the intrusiveness of the measure.
The scope of application of investigative frameworks covers, in addition to the offences listed in the draft, investigations of other crimes committed with the use of ICTs. Even if the parties are allowed to make a reservation limiting the broad scope of the articles on investigative measures, the possibility of applying these provisions to any criminal offence raises the question of proper safeguards. Many of the digital investigative measures are seamless and intrusive at the same time, which can violate the right to privacy. So, it is important to guarantee that the intrusiveness of the particular measure is necessary and proportionate to the seriousness of the offence, consistent with human rights standards. This issue is especially crucial for countries that are already parties to the Budapest Convention, which has established a certain level of standards and safeguards.
While the draft includes a provision on conditions and safeguards concerning procedural powers (Article 32), it seems to accord less importance to this than the standards of the Budapest Convention. For example, Article 33 extends interception of data to any offence in the treaty, while the Budapest Convention restricts it to serious crimes. Lastly, but importantly, the Budapest Convention allows the Party to refuse mutual legal assistance when the request concerns an offence that the requested Party considers a political offence. The Russian proposal directly prohibits the refusal of mutual legal assistance and extradition on this ground, forcing parties to provide mutual legal assistance even if the requesting state uses a particular digital investigation as an instrument for political oppression.
Capacity-building and Awareness-raising
The draft makes capacity-building – in particular, the training of personnel and the provision of technical assistance for preventing and combating ICT crimes (Article 76) – prominent in the text. It also places strong emphasis on raising public awareness on cybercrime (Article 44). This is a welcome development, facilitating much-needed collaboration between states at the international level, but also nationally between stakeholders. Linking this to the recent UN processes (OEWG and GGE) that placed a similar emphasis, and that have gathered consensus from all states, would leverage both efforts and provide a more holistic approach to capacity-building in dealing with threats emanating from the use of ICTs.
Global Solution: Harmonisation or Fragmentation?
One of the arguments against a UN treaty on cybercrime has been that it will take a long time for states to agree on its content. Russia’s approach to the UN process – departing significantly from existing international frameworks on cybercrime, with far-reaching criminalisation, vagueness and inconsistency in some of its provisions and restrictions on international cooperation, among other issues – may confirm these fears. In addition, proposing a draft treaty before the start of the process may be seen by many as undermining the spirit of the UN process and the fragile consensus that was achieved on the modalities for the process. Unlike the negotiations in the UN’s first committee on ICTs and peace and international security, the outcome of this process will be binding. This means that states that decide to join the treaty will have to sign and ratify this convention and implement it within their national systems. This makes any agreement that would considerably deviate from common existing practices highly unlikely.
Significant progress has been made in the past few years in developing national laws and policies to address the increasing risks emanating from cybercrime. Hence, a complementary approach rather than a competing one has the potential to garner popular support, not tear down what has already been agreed, and lead to a truly global and inclusive instrument supporting states at different capacity levels to join the global fight against cybercrime. Competing approaches will not help the efforts to address a transborder problem. In fact, if anything, they will achieve the opposite result by further fragmenting global efforts to tackle cybercrime.
About the Author
Joyce Hakmeh is a Senior Research Fellow at the London-based think tank Chatham House and the Co-Editor of the Journal of Cyber Policy. Joyce leads Chatham House’s work on cyber policy issues. She has a background in international law and has worked for the UN and other international organisations.