The adopted text of the UN Cybercrime Convention is a win for digital authoritarianism, which European and like-minded countries must fight, writes Tobias B. Bacherle.
Studying the Convention on Cybercrime I realise that all my worries have been confirmed. During one of the most effective attacks by digital authoritarianism, internet freedom, and human rights in the digital space did not win anything in the negotiations.
The reactions to the adoption of the convention were even more puzzling, where unconcealed joy accompanied the first reports of a deal, followed by happy tweets from diplomats. After three years, the ad hoc working group has agreed on a Cybercrime Convention. Hooray!? Unfortunately not.
The convention seems to be about creating an international set of rules, which at first glance appear to complement the fight against crime, in the digital space and translate it into international law. However, the content of the agreed document has very little to do with the decent goals one might associate with its title.
What happened so far
Ever since Moscow first pushed for a Cybercrime Convention in 2017, it has been clear, that the autocratic dream team of Russia and China would use the negotiations, to present themselves as relevant negotiating partners on the international stage. Worst of all, they could use the convention to legitimise their ideas of mass surveillance and digital repression.
Though the negotiations failed in February, an extension to the schedule was added last week, when an agreement was reached. Many voices, including myself, had already warned of this outcome, saying better no agreement than a bad one. Better the status quo than a massive deterioration. For all our love of international cooperation, no single agreement should be reached just for the sake of agreeing.
Few safeguards, more surveillance
Human rights organisations, the tech community, and companies have pointed out that the conditions and safeguards listed in Article 24 are insufficient. Commitments to the right to anonymity, digital privacy, secure communications, encryption, the autonomy of internet self-governance, and the exclusion of mass surveillance are absent. Beyond that, the safeguards are vague: They only apply in the third chapter and not throughout the whole convention.
However, anyone following the debate in Germany about the so-called “hacker provision”, will see that there is more to be concerned about. The discussion is essentially about how to deal with hackers and IT experts who discover vulnerabilities and publish them. This work is vital, as the discovery of vulnerabilities is the prerequisite for their solution – ideally before they are exploited. Unfortunately, Articles 7 and 11 of the Cybercrime Convention does not distinguish between a hacker’s intention and handling of a discovered vulnerability.
Article 35 creates possibilities for data exchange without major security precautions, which is a threat to human rights, especially privacy and freedom of expression. For example, it is feared that Russia will be able to request data stored abroad, to use as electronic evidence in criminal proceedings. They could therefore invoke the convention to prosecute members of the opposition under the pretense of extremism. We should avoid this role as a digital assistant to authoritarianism at all costs.
Fundamental issues at stake
Warnings from civil society, the tech community, politicians, and affected companies apparently have gone unheeded. A critical debate is now urgently needed, both on the upcoming vote in the UN General Assembly and on a possible ratification.
Some might argue that almost every international convention has flaws and that reaching an agreement in geopolitically difficult times, is a success of multilateralism. I would object.
On the contrary, it shows that attacks on freedom from authoritarian states are successful. The tug-of-war over our freedom and human rights has long since shifted to the digital space. Authoritarian states are aware of our lack of vigilance in this area and are exploiting it.
This recognition gives rise to a mandate that goes far beyond upcoming UN negotiations, such as the Global Digital Compact. It also applies to standardising processes and Europe’s own regulations. After the agreement on the Cybercrime Convention, which is clearly a victory for digital authoritarianism, this mission must be recognised urgently. Freedom, self-government, and self-determination in the digital space must be defended. These values must not be lightly undermined or surrendered for the sake of some agreement. In the digital world of the 21st century, they are the foundation of our democracy and liberal order.