ARTICLE 19 is concerned about the Russian Federation’s proposal for a United Nations Cybercrime Convention, which proposes the criminalisation of a sweeping amount of conduct well beyond that of any current international or regional instruments. The measure adopts an approach that is fundamentally flawed at its core, as it fails to adopt a proportional framework needed to capture the inherently complex issues raised by cybercrime. Instead, it opts for blunt and vague provisions and fails to define critical terms, applying standards in conflict with States’ obligations under existing international human rights and regional cybercrime treaties. As negotiations on the measures are scheduled for the first half of 2022, we urge States to carefully consider any measure’s compatibility with their existing treaty obligations to protect and promote freedom of expression.
In July 2021, the Russian Federation presented a draft to the Chair of the Ad Hoc Committee currently formulating a UN treaty on cybercrime, titled the United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (the Proposal). The Proposal is intended to serve as a baseline for developing a comprehensive international convention on cybercrime.
ARTICLE 19 has extensive experience monitoring the impact of emerging cybercrime laws on freedom of expression. Our Regional Programmes have worked with legislatures worldwide on numerous proposed cybercrime measures, and these types of laws have comprised an important component of our submissions in the Universal Periodic Review of UN Member States. For several years, ARTICLE 19 has closely followed the process surrounding the current Proposal, issuing an open letter to the UN General Assembly with a coalition of civil society organisations voicing concerns regarding the measure.
We are concerned about the Russian proposal for the following reasons:
Unnecessary number of offences
First, the Proposal fits into what the UN Special Rapporteur on the rights to freedom of peaceful assembly and of association identified in 2019 as a growing trend of expansive cybercrime laws being utilised as a pretext to stifle freedom of expression and dissent. ARTICLE 19 typically witnesses cyber-legislation containing a large number of criminal provisions when there is ‘mission creep’ beyond cyberspace. The legislation punishes conduct merely because it peripherally involves a computer or digital technologies. For example, a criminal defamation law that punishes defamation on the Internet should not be codified as a ‘cyber offence’ as it is essentially a criminal defamation offence. The UN Global Programme on Cybercrime distinguishes between ‘cyber-dependent’ crimes and ‘cyber-enabled’ crimes. ‘Cyber-dependent’ offences require digital infrastructure for them to be committed, while ‘cyber-enabled’ offences are traditional offences that may be facilitated or aided by information and communications technology (ICT), such as illicit drug purchases online or online money laundering.
The Proposal introduces an unnecessary number of ‘cyber-enabled’ crimes that go well beyond the reasonable scope of a cybercrime convention and are problematic from a freedom of expression standpoint. These include the following, which all share the characteristic that the underlying proscribed conduct does not depend on the use of digital technologies:
- Article 16, encouragement of or coercion to suicide via ICT networks;
- Article 17, involvement of minors in life-threatening acts by means of ICTs;
- Article 18, use of digital data in a way that is misleading and causes substantial harm;
- Article 19, incitement to subversive or armed activities by means of ICTs;
- Articles 20 and 21, terrorism- and extremism-related offences by means of ICTs;
- Articles 22, 23, and 25, distribution of illicit drugs, arms, or medicine by means of ICTs;
- Article 24, dissemination of materials denying Nazism or justifying genocide;
- Article 26, use of ICTs to commit offences defined under international law.
ARTICLE 19 does not believe that these offences as described are compatible with international standards. At any rate, conduct that is merely carried out by means of ICTs would presumably already be dealt with by the national legislation of Member States. Thus, it is unnecessary and inappropriate to address them in a cybercrime treaty.
Criminalising expressive activities
The Council of Europe Cybercrime Convention of 2003 makes clear that its measures must respect the conditions and safeguards for the protection of human rights and liberties, consistent with the International Covenant on Civil and Political Rights (ICCPR) and other applicable international human rights instruments. Similar assurances of respect and safeguarding of human rights do not exist in the Proposal. Under international law, restrictions on freedom of expression must satisfy a three-part test. They must be defined in law, satisfy a legitimate aim, and be necessary and proportionate. If expressive activities are criminalised as part of a cybercrime proposal, those measures constitute restrictions under international law and must satisfy the tripartite test.
Several components of the Proposal punish expressive activities done by way of digital technologies and therefore must be justified under this framework. However, their inclusion in the Proposal is neither justified nor proportionate. Article 18 on ‘the creation and use of digital data to mislead the user’ is open to numerous interpretations and could prohibit dissent or expressions such as parody. The Proposal also includes prohibitions on the use of extremism including a definition of extremism as ‘humiliation by means of ICTs’. The prevention of ‘humiliation’ is not a legitimate basis for restrictions on freedom of expression.
Further, Article 24 punishes the dissemination of materials denying Nazism or justifying genocide using ICTs. Such restrictions are not justified whether or not they are conducted by way of ICTs. The Human Rights Committee has observed that opinions that are ‘erroneous’ and ‘an incorrect interpretation of past events’ may not be subject to general prohibition. Any restrictions on the expression of such opinion ‘should not go beyond what is permitted’ under Article 19(3) of the ICCPR or ‘required under article 20’ of the ICCPR. The Special Rapporteur for freedom of expression also recently articulated the questionability of laws that criminalise the denial of the Holocaust and other atrocities.
‘Unauthorised access’ offences are insufficiently defined
The term ‘unauthorised’ may raise serious issues as a matter of legal precision and has important implications for freedom of expression, particularly for government whistleblowers. On the face of it, the term does not require the bypassing of technical restrictions or engagement in ‘hacking’. Nevertheless, the term is used frequently in the Proposal with no further definition.
The key question for any mention of the term ‘unauthorised’ is who exactly is responsible for providing authorisation, and under what terms it is provided. Further, it is often unclear whether authorisation refers to the access or the use of a system. In other words, is a user who possesses the authority to utilise a system running afoul of that authorisation simply by using information or data in a manner that is not approved? Is access ‘unauthorised’ if a government employee accesses a database in order to provide evidence of waste, fraud, or corruption to a journalist?
This distinction, though it may appear technical, has important implications for freedom of expression. Whistleblowers may have every right to access systems but are using that information in a manner that a government may wish to retaliate. Thus, it is important to require that access be done not only without authorisation, but by infringement of security measures, and with dishonest intent.
Critical information infrastructure should not be a separately-protected category
In ARTICLE 19’s experience, offences punishing interference with categories such as ‘critical information infrastructure’ are often used as a pretext to limit access to the information systems of public authorities. The use of the term ‘critical’ calls to mind systems that are essential to society or defence. However, in reality, the term is often used loosely and subject to abuse in order to protect public authorities from criticism. The Proposal, too, suffers from this flaw, as it defines ‘critical infrastructure facilities’ as any information system of ‘public authorities.’ This would appear to apply to any information system no matter how mundane. If well-defined and precise offences exist in cyberspace, then those offences would seemingly apply no matter the target of the offence. Thus, there should be no need to distinguish between the nature of the targets of an offence.
Weak protection of encryption and anonymity
In 2015, the Special Rapporteur on freedom of expression presented to the General Assembly his report on encryption and anonymity in the digital age. The result of the report was the finding that restrictions on encryption and anonymity must meet the three-part test of limitations to the right to freedom of expression under international law, as these are essential components for the exercise of freedom of expression online. The European Court of Human Rights recently held that digital companies have an interest in keeping their users anonymous so as to help promote the free exchange of ideas and information as covered by Article 10 of the European Convention.
Tools that provide robust rights to privacy should not be met with suspicion, as they are integral to the realisation of human rights online. The danger of provisions such as the definition of ‘malicious software’ that appear in the Proposal is that they may be interpreted broadly to include encryption and anonymity tools. Article 10 of the Proposal, for instance, punishes the use of ‘malicious software’ for the purpose of ‘neutralisation’ of ‘security features’. It is unclear whether anonymity tools such as TOR could be interpreted as neutralising security. Any measures must be read to ensure that they do not infringe on the use of these technologies.
Digital companies should not become extensions of public authorities
Provisions that mandate the assistance of digital companies threaten to be used to circumvent judicial warrant requirements by allowing investigators to simply compel any individual to disclose information they seek. The vagueness of ‘assist’ is especially problematic because it could mean anything from the forced disclosure of records to commandeering service providers to become extensions of law enforcement. That might entail forcing providers to rewrite computer code to insert security ‘back doors’ into their products or engage in active surveillance of users. It may also apply to compelled assistance to decrypt communications. Further, the 2015 report of the Special Rapporteur on freedom of expression stipulated, in the case of orders for compelled assistance to decrypt communications, that such orders should be necessary and the least intrusive means available should be used, based on publicly-accessible law, and be clearly limited in scope focused on a specific target and implemented under independent and impartial judicial authority.
However, Articles 33 and 34 of the Proposal reference this type of language. They require providers who have the ‘technical capacity to do so’ to access content, among providing other assistance.
In conclusion, ARTICLE 19 believes the Proposal is ill-advised. We urge the Ad hoc Committee and all States to carefully consider any measure’s compatibility with their existing treaty obligations to protect and promote freedom of expression.