The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Week II of the Fifth Substantive Session

Sukanya Thapliyal

In Part I of the two-part blog series, we briefed our readers on the developments that took place in the first week of the Fifth Session of the Ad-Hoc Committee. In Part II of the series, we aim to capture the key discussion on provisions on (i) technical assistance, (ii) preventative measures, (iii) final provisions and (iv) the Preamble.

1. Provisions on Technical Assistance:

The Chapter on Technical Assistance listed down provisions including, general principles of technical assistance, and provision setting the scope of technical assistance (Training and technical assistance, exchange of information, and implementation of the Convention through economic development and technical assistance). The provisions listed under this Chapter highlight the importance of technical assistance and capacity building for developing countries. Further, the provisions also lay down obligations and responsibilities on the State Parties to initiate, develop and implement the widest measure of technical assistance and capacity-building that includes material support, training, mutual exchange of relevant experience and specialised knowledge, among others. 

All of the Member Countries and non-member Observer States were in agreement on the importance of the Chapter on technical assistance as an essential tool in combating and countering cybercrime. Technical assistance and capacity building helps in developing resources, institutional capacity, policies and programmes that help in mitigating and preventing cybercrime. A number of developing countries including, Iran, China, Nigeria, South Africa provided suggestions such as inclusion of “transfer of technology” and “technical assistance” to the existing text of the provisions in order to effectively broaden the scope of the chapter. 

On the other hand, several developed countries, including the United Kingdom, Germany, Japan, Norway, and Australia emphasised that provisions relating to technical assistance and capacity building should be voluntary in nature and should avoid an overly prescriptive approach. It should rather be based on mutual trust, be demand-driven, and correspond to nationally identified needs and priorities. These State Parties accordingly provided alternative provisions on similar lines for the said Chapter for the consideration of Member Countries and the Chair. 

The fifth session of the Ad-Hoc committee witnessed advanced discussions on technical assistance. Previously, technical assistance was discussed in the third session of the ad-hoc committee where discussions primarily revolved around the submission/ proposals from the Member Countries and non-member observer States. The CND presented ahead of the fifth session was well articulated and neatly organised into various provisions outlining the scope and mechanisms for technical assistance and capacity building to meet the objectives of the Convention.

2. Provisions on Preventative Measures: 

The provisions charted out under the Chapter on the Preventative Measures (Article 91 to 93 of CND) included general provisions on prevention, establishment of authorities responsible for preventing and combating cybercrime, and prevention and detection of transfers of proceeds of cybercrime. The chapter underscores the role of effective preventative measures and substantial impact of these measures in attaining the objectives of the proposed convention and reducing the immeasurable financial losses incurred by the States due to cybercrime. 

Majority of State Parties signalled their support on inclusion of the chapter on Preventative Measures. In addition, non-member observer States and the Member States including European Union, Netherlands, United Kingdom, Australia, New Zealand, Canada, United States of America made interesting proposals on building effective and coordinated policies for prevention of cybercrime. These Member Countries argued in favour of broadening the current understanding of the term “vulnerable groups”, inclusion of the reference of international human rights, and advocated for developing, facilitating and promoting programmes and activities to discourage persons at risk of committing cybercrime.  

There were interesting proposals aimed at strengthening cooperation between law enforcement agencies and relevant entities (private sector, academia, non-governmental organizations and general public) to counter gender-based violence and mitigate the dissemination of children sexual abuse and exploitation material online. The Member Countries also supported the proposal for Offender Prevention Programmes aimed at preventing (repeated) criminal behaviour among (potential) offenders of cyber-dependent crime.

Member Countries such as China submitted in favour of inclusion of classified tiered measures to provide multi-level protection schemes for cybersecurity. They also called for legislative and other measures to require service providers in their respective territory to take active preventive and technical measures. 

The discussions undertaken in the fifth session of the Ad-Hoc committee were based on the text provided under the CND in the form of concrete provisions wherein various participants provided their detailed submissions on the text. The session also witnessed new proposals on technical assistance such as multi-level protection schemes for cybersecurity, 24*7 network, preventive monitoring to timely detect, suppress and investigate crimes by different Member Countries.

3. Final Provisions

The Chapter on Final Provisions (Article 96-103 of the CND) listed crucial provisions namely, implementation of the Convention, relation with protocols, settlement of disputes concerning the interpretation or implementation of the Convention, and the signature, ratification, acceptance, approval and accession to the Convention. The CND also included provisions relating to the date of enforcement and procedure of amendment to the Convention. 

The Member States and non-members observer States unanimously recognised the importance of the provisions listed under the Chapter on Final Provisions. The non-member observer State and the Member Countries, including the United States of America, Singapore, European Union and others, emphasised that the provision listed under the CND should be in conformity with the existing legal instruments and other existing regional conventions. 

Member Countries such as China and Russia also recognised the importance of the existing legal frameworks. However, these countries further reminded the State Parties that comprehensiveness and universality are the twin goals of this Convention. Therefore, these countries stressed on the need for a “harmonious approach” or a “mutually reinforcing approach” regarding the same. 

Beside this, the Member States also showcased divergent opinions on the minimum number of ratification required for the Convention to come into force. Member Countries, including USA, Norway, New Zealand, Singapore and Canada, have opted for at least 90 ratifications. Member Countries, including Russia, Egypt, China, Brazil, India, and Nigeria, have supported thirty ratifications. Beside these, Japan, United Kingdom, European Union, Ghana and others have opted for forty to fifty ratifications as reasonable for the proposed Convention to come into force. 

The Member Countries supporting wider ratification have submitted that the support of a large number of Member States is indispensable for the success of the prospective Convention. On the other hand, the Member Countries supporting 30 ratifications have focused on the urgency of action in respect of cybercrime and therefore have supported a minimum number of ratifications to get the Convention up and running at the earliest.

Aside from this, Member Countries such as Mexico floated an interesting proposal to devise and incorporate Technical Annexes for ensuring that this Convention adapts and responds adequately to new and emerging challenges. The proposal garnered significant support from other State Parties. 

4. Preamble of the Convention

The CND tabled for the fifth session also featured the draft Preamble for the Convention. Member Countries and non-member observer States unanimously agreed on the inclusion of the Preamble to the prospective convention. The Member Countries maintained that the Preamble is an integral part of the convention and features the purpose and intention of the Convention. 

At the same time, several Member Countries stated that the draft Preamble provided under the CND can be improved further in order to bring more clarity. The Member Countries accordingly provided a wide range of suggestions regarding the same. 

Member Countries such as CARICOM, Norway, Dominican Republic, Kenya, Brazil, suggested that the Preamble should highlight the challenges and opportunities (negative economic and social implications) faced by the Countries with regard to information and communications technologies. Member States including Mexico, New Zealand, Singapore and others proposed the inclusion of – promotion of open, secure, stable, accessible and peaceful cyberspace, application of international law and human rights – in the Preamble of the CND. 

Additionally, Member States suggested the inclusion of denying safe havens to those who engage in cybercrime, prosecuting cybercrimes, international cooperation, collection and sharing of evidence, recovering and returning proceeds of cybercrime, technical assistance and capacity building as key objectives of the Convention. The Member States also recognised the seriousness of use of information and communications technologies violence against women and girls and children; consequently, they called for the inclusion of these concerns in the Preamble of the prospective Convention. 

Way Forward 

The intensive discussion between the Chair, Member States and non-member observer States on various agenda items culminated in the text of the CND being revised. The views expressed will be taken into consideration by the Chair in developing a more advanced draft text of the convention, in accordance with the road map and mode of work for the Committee, adopted at its first session (A/AC.291/7, annex II).

High Court of Delhi cites CCG’s Working Paper on Tackling Non-Consensual Intimate Images

In December 2022, CCG held a roundtable discussion on addressing the dissemination of non-consensual intimate images (“NCII”) online and in January 2023 it published a working paper titled “Tackling the dissemination and redistribution of NCII”. We are thrilled to note that the conceptual frameworks in our Working Paper have been favourably cited and relied on by the High Court of Delhi in Mrs. X v Union of India W.P. (Cri) 1505 of 2021 (High Court of Delhi, 26 April, 2023). 

We acknowledge the High Court’s detailed approach in addressing the issue of the online circulation of NCII and note that several of the considerations flagged in our Working Paper have been recognised by the High Court. While the High Court has clearly recognised the free speech risks with imposing overbroad monitoring mandates on online intermediaries, we note with concern that some key safeguards we had identified in our Working Paper regarding the independence and accountability of technologically-facilitated removal tools have not been included in the High Court’s final directions. 

CCG’s Working Paper 

A key issue in curbing the spread of NCII is that it is often hosted on ‘rogue’ websites that have no recognised grievance officers or active complaint mechanisms. Thus, individuals are often compelled to approach courts to obtain orders directing Internet Service Providers (“ISPs”) to block the URLs hosting their NCII. However, even after URLs are blocked, the same content may resurface at different locations, effectively requiring individuals to continually re-approach courts with new URLs. Our Working Paper acknowledged that this situation imposed undue burdens on victims of NCII abuse, but also argued against a proactive monitoring mandate for scanning of NCII content by internet intermediaries. We noted that such proactive monitoring mandates create free speech risks, as they typically lead to more content removal but not better content removal and run the risk of ultimately restricting lawful expression. Moreover, given the limited technological and operational transparency surrounding proactive monitoring/automated filtering, the effectiveness and quality of such operations are hard for external stakeholders and regulators to assess. 

Instead, our Working Paper proposed a multi-stakeholder regulatory solution that relied on the targeted removal of repeat NCII content using hash-matching technology. Hash-matching technology would ascribe reported NCII content a discrete hash (stored in a secure database) and then check the hash of new content against known NCII content. This would allow for rapid identification (by comparing hashes) and removal of content where previously reported NCII content is re-uploaded. Our Working Paper recommended the creation of an independent body to maintain such a hash database of known NCII content. Thus, once NCII was reported and hashed the first time by an intermediary, it would be added to the independent body’s database, and if it was detected again at different locations, it could be rapidly removed without requiring court intervention. 

This approach also minimises free speech risks as content would only be removed if it matched known NCII content, and the independent body would conduct rigorous checks to ensure that only NCII content was added to the database. Companies such as Meta, TikTok, and Bumble are already adopting hash-matching technologies to deal with NCII, and more broadly, hash-matching technology has been used to combat child-sex abuse material for over a decade. Since such an approach would potentially require legal and regulatory changes to the existing rules under the Information Technology Act, 2000, our Working Paper also suggested a short-term solution using a token system. We recommended that all large digital platforms adopt a token-based approach to allow for the quick removal of previously removed or de-indexed content, with minimal human intervention. 

Moreover, the long-term approach proposed in the Working Paper would also significantly reduce the administrative burden of seeking the removal of NCII for victims. It does so by: (a) reducing the time, cost, and effort they have to expend by going to court to remove or block access to NCII (since the independent body could work with the DoT to direct ISPs to block access to specific web pages containing NCII); (b) not requiring victims to re-approach courts for blocking already-identified NCII, particularly if the independent body is allowed to search for, or use a web crawler to proactively detect copies of previously hashed NCII; and (c) providing administrative, legal, and social support to victims.

The High Court’s decision 

In X v Union of India, the High Court was faced with a writ petition filed by a victim of NCII abuse, whose pictures and videos had been posted on various pornographic websites and YouTube without her consent. The Petitioner sought the blocking of the URLs where her NCII was located and the removal of the videos from YouTube. A key claim of the Petitioner was that even after content was blocked pursuant to court orders and directions by the government, the offending material was consistently being re-uploaded at new locations on the internet, and was searchable using specific keywords on popular online search engines. 

Despite the originator who was posting this NCII being apprehended during the hearings, the High Court saw it fit to examine the obligations of intermediaries, in particular search engines, in responding to user complaints on NCII. The High Court’s focus on search engines can be attributed to the fact that NCII is often hosted on independent ‘rogue’ websites that are unresponsive to user complaints, and that individuals often use search engines to locate such content. This may be contrasted with social media platforms that have reporting structures for NCII content and are typically more responsive. Thus, the two mechanisms that are then available to tackle the distribution of NCII on ‘rogue’ websites is to have ISPs disable access to specific URLs or/and have search engines de-index the relevant URLs. However, ISPs have little or no ability to detect unlawful content and do not typically respond to complaints by users, instead coordinating directly with state authorities. 

In fact, the High Court expressly cited CCG’s Working Paper to recognise this diversity in intermediary functionality, noting that “[CCG’s] paper espouses that due to the heterogenous nature of intermediaries, mandating a single approach for removal of NCII content might prove to be ineffective.” We believe this is a crucial observation as previous court decisions have imposed broad monitoring obligations on all intermediaries, even when they possess little or no control over content on their networks (See WP (Cri) 1082 of 2020 High Court of Delhi, 20 April 2021). Recognising the different functionality offered by different intermediaries allowed the High Court to identify de-indexing of URLs as an important remedy for tackling  NCII, with the Court noting that, “[search engines] can de-index specific URLs that can render the said content impossible to find due to the billions of webpages available on the internet and, consequently, reduce traffic to the said website significantly.” 

However, this would nevertheless be a temporary solution, since victims would still be required to repeatedly approach search engines for de-indexing each instance of NCII that is hosted on different websites. To address this issue, the long-term solution proposed in the Working Paper relies on a multi-stakeholder approach that relies on an independently maintained hash database for NCII content. The independent body maintaining the database would work with platforms, law enforcement, and the government to take down copies of identified NCII content, thereby reducing the burden on victims.

The High Court also adopted some aspects of the Working Paper’s short-term recommendations for the swift removal of NCII. The Working Paper recommended that platforms voluntarily use a token or digital identifier-based approach to allow for the quick removal of previously removed content. Complainants, who would be assigned a unique token upon the initial takedown of NCII, could submit URLs of any copies of the NCII along with the token. The search engine or platform would thereafter only need to check whether the URL contains the same content as the identified NCII linked to the token. The Court, in its order, requires search engines to adopt a similar token-based approach to “ensure that the de-indexed content does not resurface (¶61),” and notes that search engines “cannot insist on requiring the specific URLs from the victim for the purpose of removing access to the content that has already been ordered to be taken down (¶61)”. However, the judgment does not clarify if this means that search engines are required to disable access to copies of identified NCII without the complainant identifying where they have been uploaded, and if so, then how search engines will remove the repeat instances of identified NCII. The order only states that it is the responsibility of search engines to use tools that already exist to ensure that access to offending content is immediately removed. 

More broadly, the Court agreed with our stand that proactive filtering mandates against NCII may harm free speech, noting that “The working paper published by CCG records the risk that overbroad directions may pose (¶56)” further holding that “any directions that necessitates pro-active filtering on the part of intermediaries may have a negative impact on the right to free speech. No matter the intention of deployment of such technology, its application may lead to consequences that are far worse and dictatorial. (¶54)” We applaud the High Court’s recognition that general filtering mandates against unlawful content may significantly harm free speech. 

Final directions by the court

The High Court acknowledged the use of hash-matching technology in combating NCII as deployed by Meta’s ‘Stop NCII’ program (www.stopncii.org) and explained how such technology “can be used by the victim to create a unique fingerprint of the offending image which is stored in the database to prevent re-uploads (¶53). As noted above, our Working Paper also recognised the benefits of hash-matching technology in combating NCII. However, we also noted that such technology has the scope for abuse and thus must be operationalised in a manner that is publicly transparent and accountable. 

In its judgment, the Court issued numerous directions and recommendations to the Ministry of Electronics and Information Technology (MeitY), the Delhi Police, and search engines to address the challenge of circulation of NCII online. Importantly, it noted that the definition of NCII must include sexual content intended for “private and confidential relationships,” in addition to sexual content obtained without the consent of the relevant individual. This is significant as it expands the scope of illegal NCII content to include instances where images or other content have been taken with consent, but have thereafter been published or circulated without the consent of the relevant individual. NCII content may often be generated within the private realm of relationships, but subsequently illegally shared online.

The High Court framed its final directions by noting that “it is not justifiable, morally or otherwise, to suggest that an NCII abuse victim will have to constantly subject themselves to trauma by having to scour the internet for NCII content relating to them and having to approach authorities again and again (¶57).” To prevent this outcome, the Court issued the following directions: 

1. Where NCII has been disseminated, individuals can approach the Grievance Officer of the relevant intermediary or the Online Cybercrime Reporting Portal (www.cybercrime.gov.in) and file a formal complaint for the removal of the content. The Cybercrime Portal must specifically display the various redressal mechanisms that can be accessed to prevent the further dissemination of NCII; 
2. Upon receipt of a complaint of NCII, the police must immediately register a formal complaint in relation to Section 66E of the IT Act (punishing NCII) and seek to apprehend the primary wrongdoer (originator); 
3. Individuals can also approach the court and file a petition identifying the NCII content and the URLs where it is located, allowing the court to make an ex-facie determination of its illegality; 
4. Where a user complains against NCII content under Rule 3(2)(b) of the Intermediary Guidelines to a search engine, search engines must employ hash-matching technology to ensure future webpages with identical NCII content are also de-indexed to ensure that the complained against content does not re-surface. The Court held that users should be able to directly re-approach search engines to seek de-indexing of new URLs containing previously de-indexed content without having to obtain subsequent court or government orders;
5. A fully-functional helpline available 24/7 must be devised for reporting NCII content. It must be staffed by individuals who are sensitised about the nature of NCII content and would not shame victims, and must direct victims to organisations that would provide social and legal support. Our Working Paper proposed a similar approach, where the independent body would work with organisations that would provide social, legal, and administrative support to victims of NCII;
6. When a victim obtains a takedown order for NCII, search engines must use a token/ digital identifier to de-index content, and ensure that it does not resurface. The search engines also cannot insist on requiring specific URLs for removing access to content ordered to be taken down. Though our Working Paper recommended the use of a similar system, to mitigate against the risks of proactive monitoring, we suggested that (a) this could be a voluntary system adopted by digital platforms to quickly remove identified NCII, and (b) that complainants would submit URLs of copies of identified NCII along with the identifier, so that platform would only need to check whether the URL contains the same content linked to the token to remove access; and
7. MeitY may develop a “trusted third-party encrypted platform” in collaboration with search engines for registering NCII content, and use hash-matching to remove identified NCII content. This is similar to the long-term recommendation in the Working Paper, where we recommend that an independent body is set up to maintain such a database and work with the State and platforms to remove identified NCII content. We also recommended various safeguards to ensure that only NCII content was added to the database.

Conclusion 

Repeated court orders to curtail the spread of NCII content represents a classic ‘whack-a-mole’ dilemma and we applaud the High Court’s acknowledgement and nuanced engagement with this issue. Particularly, the High Court recognises the significant mental distress and social stigma that the dissemination of one’s NCII can cause, and attempts to reduce the burdens on victims of NCII abuse by ensuring that they do not have to continually identify and ensure the de-indexing of new URLs hosting their NCII. The use of hash-matching technology is significantly preferable to broad proactive monitoring mandates.

However, our Working Paper also noted that it was of paramount importance to ensure that only NCII content was added to any proposed hash database, to ensure that lawful content was not accidently added to the database and continually removed every time it resurfaced. To ensure this, our Working Paper proposed several important institutional safeguards including: (i) setting up an independent body to maintain the hash database; (ii) having multiple experts vet each piece of NCII content that was added to the database; (iii) where NCII content had public interest implications (e.g., it involved a public figure), a judicial determination should be required; (iv) ensuring that the independent body provides regular transparency reports and conducts audits of the hash database; and (v) imposing sanctions on the key functionaries of the independent body if the hash database was found to include lawful content. 

We believe that where hash-databases (or any technological solutions) are utilised to prevent the re-uploading of unlawful content, these strong institutional safeguards are essential to ensure the public accountability of such databases. Absent this public accountability, it is hard to ascertain the effectiveness of such solutions, allowing large technology companies to comply with such mandates on their own terms. While the High Court did not substantively engage with these institutional mechanisms outlined in our Working Paper, we believe that the adoption of the upcoming Digital India Bill represents an excellent opportunity to consider these issues and further our discussion on combating NCII.

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Week I of the Fifth Substantive Session.

By Sukanya Thapliyal

Introduction

Last month from April 11-21, 2023, the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies (ICTs) for Criminal Purpose held its Fifth Session in Vienna. As we reported earlier, the negotiating process has reached a pivotal stage, wherein the Member Countries are negotiating on the basis of a Consolidated Negotiating Document (CND).

The Fifth session of the Ad Hoc Committee was aimed at conducting the second reading of the provisions of the CND which are as follows – 1] international cooperation, 2] technical assistance, 3] preventative measures 4] mechanism of implementation 5] the final provisions, and 6] the preamble. Much like previous sessions, Member States, and non-member observer States were supported and facilitated by the Chair, the Secretariat and multistakeholder group consisting of global and regional intergovernmental organisations, civil society organisations, academic institutions and the private sector.

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the Fifth substantive session of the Ad-hoc Committee. Part I of the blog captures the consultations and developments concerning the draft chapter on International Cooperation. In addition, we also attempt to familiarise readers with the emerging points of convergence and divergence of opinions among different Member States, non-member observer States and implications for the future negotiation process.

In part II of the blog series, we will be laying out the discussions and exchanges on (i) preventive measures, (ii) technical assistance, (iii) the final provisions; and (iv) the preamble.

Provisions on International Cooperation (Agenda Item 4)
The Chapter on International Cooperation provided under the CND lists 28 provisions subdivided into seven clusters that include a range of provisions such as – 1] general principles on international cooperation and personal data 2] provisions relating to extradition, transfer of sentenced persons and transfer of criminal proceeding 3] general principles and procedure relating to mutual legal assistance 4] provisions relating to expedited preservation and sharing of data and 5] provisions on law enforcement cooperation

Some of our key observations from Week 1 on different draft provisions listed under Chapter on International Cooperation are as follows:

Cluster 1: General principles of international cooperation and protection of personal data

Cluster 1 provisions provided under the chapter on international cooperation listed two provisions namely: (i) General principles of international cooperation and (ii) Protection of personal data.

(i) The general principles of international cooperation: This is an overarching provision applicable to the chapter on international cooperation. The said provision mandates the State Parties to cooperate in matters relating to preventing, detecting, investigating, prosecuting and adjudicating cybercrime. The scope of international cooperation also includes collecting, obtaining, preserving and sharing evidence and is based on the principle of reciprocity and in accordance with the domestic laws of the State parties.

The Member States were broadly in consensus on inclusion of general principles on international cooperation. However there was some disagreement. Some states including European Union, Canada, New Zealand, Australia proposed for narrow application of the chapter extending only to the offences criminalised under the proposed Convention. On the other hand, member Countries including India, and Colombia, were in favour of broader application of the Convention extending to range of cybercrime.

Further, several State Parties including the European Union, United Kingdom, Australia and New Zealand also proposed for the mentioning of personal data protection, grounds for refusal of request for extradition or providing assistance within the provision on general principles.

(ii) Protection of Personal Data: The provision on protection of personal data obligates the State Parties to ensure that personal data transmitted on the basis of a request made in accordance with the Convention should only be used for stated purposes such as investigations or proceedings concerning criminal offences and should adhere to data minimisation and purpose limitation. The provision also mandates the State Parties to ensure that such data is protected against loss or accidental or unauthorised access, disclosure, alteration or destruction.

Majority of State Parties were in agreement on inclusion of provision on personal data protection. However, a few Member States including CARICOM, China, Iran, Singapore and the United States were not in agreement on inclusion of this provision stating lack of relevance of the provision to the Convention.

Non-member observer European Union proposed an alternate provision on protection of personal data. The said proposal included a more elaborate set of obligations for the State Parties relating to maintenance of accurate and complete personal data, periodic review of the need for the storage of personal data, requirement for publication of general notices to the persons whose personal data have been collected and provision for effective judicial and non-judicial remedies to provide redressal to affected person.

Cluster 2: Provisions relating to extradition, transfer of sentenced persons and transfer of criminal proceedings

The provision relating to extradition under Cluster 2 under the chapter on international cooperation deals in extradition of a person who is the subject of the request for extradition is present in the territory of the requested State Party. The provision requires that extradition is permissible where extradition sought is punishable under the domestic law of both the requesting State Party and the requested State Party.

A large number of Member States were in agreement on inclusion of the said provision. Additionally, Member States including Nicaragua proposed the addition of political offence and offences punishable with death penalty under domestic laws as grounds of refusal for request of extradition. Beside this, several new proposals regarding expedited extradition, temporary surrender, surrender of property were also placed by Member Countries including Armenia.

Cluster 4- General principles and procedures relating to mutual legal assistance

Cluster 4 of the chapter on international cooperation included provision relating to general principles and procedures relating to mutual legal assistance, establishment of electronic databases on mutual legal assistance requests, spontaneous information, emergency mutual legal assistance, and 24/7 network. The provision outlining general principles laid down the scope, general rules and grounds for refusal of mutual legal assistance. The provision relating to maintaining electronic databases aimed to facilitate access to statistics relating to incoming and outgoing requests for mutual legal assistance involving electronic evidence. Besides this, the provisions relating to spontaneous information, emergency mutual legal assistance, and 24/7 network were also included within the text of CND to set up an effective and efficient system in place.

The Member States were broadly in agreement on inclusion of these provisions within the text of the prospective Convention. In addition, Member States including the European Union, United Kingdom, New Zealand and others proposed some additional grounds for refusal of mutual legal assistance, namely: refusal of request wherein the person affected is in danger being subjected to the death penalty, a life sentence without possibility of parole, torture, inhuman or degrading treatment or where the offence is political in nature.

Cluster 5: Provision relating to mutual legal assistance in expedited preservation of data, stored computer data, expedited disclosure of preserved traffic data and others

The cluster 5 provision placed under chapter on international cooperation listed provisions relating to mutual legal assistance in expedited preservation of data, stored computer data, expedited disclosure of preserved traffic data, accessing stored computer data, and cross-border access to stored data.

A large number of Member States were in agreement on inclusion of these provisions. In addition, there were new proposals relating to Mutual legal assistance in the expedited disclosure of preserved traffic data and expedited production of subscriber information and traffic data by Pakistan and India respectively. The said inclusion was opposed by the United States of America, the European Union, New Zealand, Canada and others.

Cluster 6- Provisions related to law enforcement cooperation, public-private partnership to enhance investigation of cybercrime, joint investigations and special investigative techniques

The provisions listed under Cluster 6 of the Chapter on international cooperation include obligations relating law enforcement cooperation, public-private partnership to enhance investigation of cybercrime, joint investigations and special investigative techniques, among others. The provision on law enforcement cooperation laid the obligation on the State Parties to cooperate closely to enhance the effectiveness of law enforcement action to combat cybercrime. The provision on public-private partnership assists their respective law enforcement agencies in developing appropriate guidelines and cooperating directly with relevant service providers to streamlining cooperation with industry. Further the CND also featured provisions on joint investigations, cooperation through special investigative techniques such as electronic or other forms of surveillance and undercover operations by its competent authorities to provide a lawful basis for collection of such evidence for use in investigations and prosecutions.

The provisions listed under cluster 6 enjoy support by multiple State Parties. However, some of the Member States including the European Union, the United States of America, Japan, Singapore, Canada, Norway, China and others have opposed the inclusion of provision Public-private partnerships to enhance the investigation of cybercrime.

Conclusion

Since the First Session of the Ad-Hoc Committee, the Member Countries have come a long way in arriving at a CND wherein the negotiations are now taking place in a more concrete and cohesive manner. Although Member Countries are still exhibiting diverse views on several provisions, the discussions have arrived at a crucial stage. The sixth session of the Ad-hoc committee is likely to be a watershed moment for the cybercrime convention in defining the finalised text of the convention that will be placed before the 78th session of the United Nation General Assembly in September 2023.

Metaverse and the Global South: Bridging the Digital Divide

By Nidhi Singh

The Metaverse has become a buzzword over the last year or so, since a popular tech giant announced its plans to rebrand themselves and focus on bringing the concept of the Metaverse to life. While buzz generated around the Metaverse has brought it into the public eye, it is by no means a novel concept. The idea of a Metaverse, or a shared virtual space where people can interact with each other and with virtual objects and experiences, has been around for decades. The term Metaverse was first coined in 1992 in the book “Snow Crash”, which considered the Metaverse to be an all-encompassing digital world which existed parallel to the physical world. However, with the recent advances in technology and the proliferation of the internet, the Metaverse is closer than ever to becoming a reality. The current buzz around the concept is also bolstered by the potential for economic growth. Certain projections estimate that the Metaverse may have the potential to generate up to 5 trillion USD in value by 2030, making it an opportunity too big to miss. 

What is the Metaverse? 

In simple terms, the most commonly known concept of the Metaverse today is a 3D model of the internet, envisioned as the next step in the development of information interaction online. In its original conception, it was ideally accessible through a single gateway, and as it develops, it would be equivalent to the real world and become the “the next evolution in social technology”. The idea of the Metaverse is however still in development, and while it appears that it may include some components of Virtual Reality (VR) and Augmented Reality (AR) technologies, its difficult to say how this definition will evolve over time. 

Different companies however still have different conceptions of the Metaverse technology ranging from the use of Extended Reality (XR) technology for a fully immersive experience, to simple video games which now host art galleries and concerts. As the Metaverse is currently in the process of being built, there is little agreement on what the future iteration of it will look like. Depending on how the technology evolves, the Metaverse could end up being anything from some niche applications which employ an increased use of VR and AR technology, to a full scale 3D model of the internet or anything in between.

How does the Metaverse work?

In current times, the basic functions of an immersive online world which allows for a digital economy, where users can create, buy, and sell goods already exist in certain video games. Games like Worlds of Warcraft allow users to create and sell digital goods inside the game, and Fortnite, has previously introduced some immersive experiences like concerts and installations within the game, providing a brief look into what the Metaverse could be. The current conception of the Metaverse is expected to be more expansive than this, where everyone would be able to log into a shared online space.

Operationalising the Metaverse

So when can we all expect to be part of this new shared virtual online world? While some experts believe that a large portion of the population will have some access to the Metaverse by 2030, there are some basic challenges which must be addressed before this technology can be operationalised, particularly in Global South countries. 

A very basic problem with the widespread implementation of the Metaverse in India is likely to stem from the cost of entry, including the cost of VR hardware and other technology which may be needed to operate the Metaverse. Additionally, the use of these technologies would also require higher computing power than what is currently available, and an almost 1000 time increase in computational efficiency. While a large portion of the country is now connected to the internet due to the low cost of data through their smartphones, the technologies required to implement Metaverse are still out of reach for a vast majority. This coupled with the lack of access to infrastructure such as fast internet and systems with high-computing power will pose considerable challenges hindering people from participating in the virtual world and participating in the Metaverse.

Another considerable barrier to access is the design of the Metaverse. The current conversation around the design and implementation of the Metaverse is dominated by the Global North, and it is likely that much of the virtual world which is currently being envisaged will be dominated by English language content and experiences which are designed for the western world. This would make it difficult for audiences from the Global South to fully engage in the new technology.

There are also concerns about how this technology could result in further deepening the digital divide. There is a risk that the Metaverse will exacerbate existing inequalities, by creating a virtual space where only those with access to technology and the resources to participate are able to engage. This would widen the digital divides between the Global North and the South, where the technology would cater predominantly to those who have easier access to the technology. 

Finally, the Metaverse also raises questions around data protection and privacy of users in the virtual world. In the absence of a cohesive legal and regulatory framework around data collection, use and protection, users are at a risk when they participate in virtual worlds and engage with the Metaverse. This is exacerbated in Global South countries, many of which are still in the process of formulating their data protection laws and do not have adequate legal and regulatory protections for data governance, 

Addressing these challenges would require a collaborative effort between governments, businesses, and communities in the Global South. By working together, it may be possible to ensure that the benefits of the Metaverse are more widely distributed and that everyone has an opportunity to participate. This would require substantial changes to the current conversations around the Metaverse, which lack inclusivity in design and deployment. 

CCG-NLUD’s Statement on International Cooperation to the Fifth Session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes

Sukanya Thapliyal

As an accredited stakeholder to the United Nations Ad-hoc Committee, tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”), CCG-NLUD recently participated in the Fifth Session of this key process setting the stage for first universal and legally binding convention on cybercrime.

As we reported earlier, the negotiating process has reached a pivotal stage, wherein the Member Countries are negotiating on the basis of a Consolidated Negotiating Document (CND). The CND is prepared by the Chair of the Ad Hoc Committee and succinctly incorporates various views, proposals, and submissions made by the Member States at previous sessions of the Committee.

The previous sessions of the Ad Hoc Committee witnessed the exchange of general views of the Member States on the scope, and objectives of the comprehensive convention, and agreement on the structure of the convention. This was followed by themed discussions and intense discussions on provisions relating to criminalisation, procedural measures and legal enforcement, international cooperation, technical assistance, preventive measures, among others.

The Fifth Session of the Ad hoc Committee is aimed to discuss the preamble, provisions on international cooperation, preventive measures, technical assistance and the mechanism of implementation and the final provisions. Besides the Member Countries, the multistakeholder group consisting of global and regional intergovernmental organisations, civil society organisations, academic institutions and the private sector are also weighing-in with their inputs to support and contribute to the process.

CCG-NLUD, welcomes the opportunity to submit its comments/ inputs on the present text of “Consolidated negotiating document on the preamble, the provisions on international cooperation, preventive measures, technical assistance and the mechanism of implementation and the final provisions of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.” CCG-NLUD presented the following statement on the “provision on international cooperation.”

The provisions on “international cooperation” are the crucial aspects of the Convention as it aims to encourage both formal and informal means of international cooperation for (i) investigation and prosecution of offences covered under this convention as well as (ii) collection of evidence in electronic form of a criminal offence. The CND also draws from common and well understood principles and standards in the areas of extradition, mutual legal assistance, transfer of criminal proceedings, and other effective measures, while being conversant with the divergent realities of participating member countries.

The CND text lays down general principles of international cooperation, specific provisions on extradition, transfer of sentenced persons and detailed provisions detailing mutual legal assistance amongst state legal enforcement agencies. The CND also recognises that the various provisions laid down under the chapter on international cooperation are aligned with the international human rights regime and ensure adequate protection to human rights and other fundamental freedoms.

The chapter aptly lays down the overarching principles in relation to international cooperation for it broadly outlines the scope and objective of international cooperation and recognises that power and procedure outlined under the Chapter are subject to conditions and safeguards pertaining to protection of human rights. The chapter also includes specific provisions relating to protection of personal data transmitted from one State to another and instils other important requirements such as purpose limitation and data minimisation to reduce harms manifesting to individuals.

CCG-NLUD is broadly in agreement with the above-mentioned provisions under the chapter on International Cooperation. However, we conveyed several reservations and concerns as explained below –

In light of the fact that the powers and procedures laid down in the chapter are highly intrusive and interfering, the scope of international cooperation should be restricted to a narrow set of cyber-dependent crimes that satisfy the criteria of “dual criminality”. Further, the chapter should expressly mention “applicable human rights instruments” and other necessary safeguards for protection of human rights and other fundamental freedoms. This will ensure that power and procedure laid out in this chapter are subject to adequate restrictions to protect against potential human rights abuses.

The provision on extradition should apply only in cases of “serious crimes” that include offences punishable by maximum deprivation of liberty of at least four years or a more serious penalty as defined under United Nations Convention Against Transnational Organized Crime (UNTOC). The Convention should enumerate sufficient evidentiary basis required for extradition and should also make specific references to the applicable international legal instruments such as International Covenant on Civil and Political Rights (UN ICCPR) and the UN Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment and ensure adequate protection to human rights and other fundamental freedoms.

The powers and procedures laid down under the Convention mandates the State Parties develop guidelines in relation to the format and duration of preservation of digital evidence and information for service providers. We note that such an authority should not result in data retention for indefinite periods and should not unnecessarily interfere with the data minimisation efforts of service providers. It is important that such guidelines incorporate ex-ante procedures that require independent judicial authorisation, provision for adequate and timely notice to users, measures that are strictly necessary and proportionate to stated aims and an efficient mechanism for redressal, appeal, and review.

Readers can learn more about our submission on international cooperation below:

oral_submission_agenda-item-4_international_cooperation_ccg-nlu-delhi_-to-the-fifth-session-of-ad-hoc-committee-on-cybercrime-1-1.docxDownload

Understanding the Anatomy of Cyber Enabled Crimes and their Governance

Sukanya Thapliyal

1. Introduction: 

Digital systems and Information Communication Technology (ICT) play an increasingly central role in our lives. Technological advancement has created new opportunities for cybercriminals to exploit vulnerabilities in digital systems and networks. The resulting cybercrimes can affect everyone, from government and multinational corporations to individuals. As technology continues to make deeper inroads into our lives, cybercriminals are finding unique ways to attack. The continuous evolution in technology has resulted in newer forms of cybercrimes such as Man-in-the-Middle-attack, Bluetooth Man-in-the-Middle attacks, and false data injection attacks, to name a few. This has resulted in a lack of agreement in defining and classifying threats and crimes associated with them. 

Although we lack a uniform and a neat understanding and approach towards addressing cybercrime, a few useful classification tools have been developed in this regard. One such classification tool was developed by Dr Mike McGuire and Samantha Dowling in 2013, wherein cybercrimes were divided into broad categories of “cyber-dependent” and “cyber-enabled” crimes. The cyber-dependent crimes are described as offences that can only be committed with the help of a computer, computer network or an ICT device. These include hacking, DDoS attacks, malware etc. The other category is of cyber-enabled crimes that are traditional crimes whose scope, scale and severity is greatly impacted by the use of computers, computer networks and other devices. Examples include: cyber fraud, cyberterrorism, online child sexual abuse or exploitation material, among others. 

The broad classification of cybercrime into cyber-dependent and cyber-enabled crimes is the central theme in the discussions carried out under the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of ICTs for criminal purposes (“the Ad Hoc Committee”). The discussion around cyber-enabled and cyber-dependent crimes are crucial in setting the scope of the convention. Over four different sessions, the Ad-Hoc committee witnessed wide ranging proposals on inclusion of cyber-dependent and cyber-enabled crimes under the proposed convention. Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (online child sexual abuse, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. 

This blog piece attempts to investigate the inclusion of cyber-enabled crimes as a specific choke point and why its regulations attract diverse views from the Member States and key stakeholders. The piece ends with specific recommendations and suggestions that may act as possible solutions for countering and combating cyber-enabled crimes. 

2. How Cyber-enabled Crimes have been included under other International Instruments:

Besides the UN Ad-Hoc Committee’s, several regional legal conventions, recommendations, and directives have already been developed in this regard. These have also been a reference point for the proposed convention. These include: African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), The Council of Europe Convention on Cybercrime (Budapest Convention), League of Arab States Convention on Combating Information Technology Offences, and the Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime. Besides, there is also the CARICOM Model Legislative Texts of Cybercrimes/ E-crimes and Electronic Evidences that targets the prevention and investigation of computer and network related crime. In addition, the UNODC Report on the meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime (2021) lays down Recommendations on best practices to address issues of cybercrime through the implementation of legislation and frameworks on effective criminalization, law enforcement and investigation, international cooperation, and prevention. 

International legal instruments (identified above) address an extensive range of cybercrime and criminalised both cyber-dependent and cyber-enabled crimes. The most common cyber-enabled crimes covered under these conventions include attack on computer systems, computerised data breaches, computer-related forgery, and computer-related fraud. The second set of cyber-enabled crimes covered include, offences related to child pornography, crimes that are racist or xenophobic in nature committed through computer systems. The third set of cyber-enabled crimes include offences against privacy, offences related to terrorism committed by means of information technology, and increasing punishment for traditional crimes when they are committed by means of information technology which are covered by a miniscule number of convention (such as League of Arab States Convention on Combating Information Technology Offences). 

3. Languishing Fate of Cyber-enabled crimes in Ad-Hoc Committee Process and Key Challenges in their Governance.

Although the cyber-enabled crimes are widely recognised at the international level, these have acquired only partial success in terms of their incorporation into the work of the Ad-Hoc Committee Process. 

Tracking the Ad-Hoc committee for four consecutive sessions has enabled us to identify the key challenges in incorporating and addressing a wide range of cyber-enabled crimes under the proposed convention. The cyber-enabled crimes such as terrorism-related offences, violation of personal information, extremism-related offences, or content-related crimes lack a common and clear understanding of what it constitutes due to the diverging political, cultural, and legal systems in the Member Countries. Further, these sets of crimes are largely traditional crimes that are often covered under existing international and domestic legislation and incidentally involve the usage of computer systems and ICTs. In the event that these crimes are also incorporated separately in the cybercrime convention, these can conflict with the legal instruments that are already in place. Moreover, content-related offences are broadly- worded, lack a uniform approach, and need more adequate safeguards to protect human rights and other fundamental freedoms. Therefore, binding international criminal instruments such as the Ad-Hoc Committee’s work is not an appropriate forum to address the issues emerging out of cyber-enabled crimes. Instead, these should be addressed via civil and non-legal instruments while ensuring balance with fundamental rights and freedoms. Some cyber-enabled crimes discussed under the Ad-Hoc committee, including extremism-related crimes and terrorist use of ICT technologies, are more umbrella terms that are extremely vague and subjective and pose a threat to widely recognised international human rights. Finally, the provisions related to privacy-related offences are troublesome as they criminalise a broad range of conduct without establishing a legitimate aim and providing sufficient exceptions in favour of students, journalists, cybersecurity researchers, and other public-spirited individuals. 

4. Way Forward and Suggested Solutions 

The vague and highly subjective nature of cyber-enabled crimes, their tense relationship with widely recognised international human rights and lack of sufficient exceptions can be attributed as primary obstructions that inhibit their inclusion in the Ad-Hoc Committee process. Nevertheless, these issues are of crucial importance for a large number of countries participating in the process. Member Countries, including India, Egypt, South Africa, Russia, and China, have repeatedly argued in favour of a broad cybercrime treaty and have also pushed for provisions enabling international cooperation, technical assistance, and capacity building. Lack of adequate procedural and technical competence amongst the state enforcement agencies is hampering them in their societal role, keeping citizens secure, and upholding the rule of law. In such a scenario where it is hard to build consensus in fractious issues as this, and urgency of action in respect of the threat faced by Member States, the pathway through binding international criminal instruments is less than ideal. The Member Countries, therefore, need to devise alternative pathways to address the cyber-enabled crimes though civil or non-legal instruments while keeping up the balance with international human rights and fundamental freedom. 

Another possible route to address cyber-enabled crimes is through Public-Private Leadership. The four sessions of the Ad-Hoc committee allowed us to uncover the growing mistrust and misalignment between the public and the private sector. These key stakeholders exhibit discord and opposing views of each other and are less than beneficial in addressing the critical challenges we face today due to rising cybercrime. Technology companies have latched on to their strong opinion that enforcement agencies cannot be trusted sufficiently with citizen data and digital communication. On the other hand, Member States also need to highlight the day-to-day challenges faced by legal enforcement agencies and promise adequate transparency in their actions. Some Member States have instead advocated in favour of strong obligations on the private sector to cooperate with national authorities. While public-private cooperation is imperative to address these crimes, both entities need to rethink their position, establish a cordial relationship and take up leadership roles that can then be translated into a better and more effective approach to addressing cyber-enabled crimes. 

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session (Part II)

Sukanya Thapliyal

Introduction 

In Part I of this two-part blog series, we provided our readers a brief overview and observations from the discussions pertaining to the second reading of the provisions on criminalisation of offences under the proposed convention during the Fourth Session of the Ad-hoc Committee. In Part II of the series, we will be laying down our reflections and learnings from the discussions that were held in regard to: (i) General Provisions; and (ii) Provisions on Procedural Measures and Legal Enforcement. We also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process.

1. General Provisions 

Chapter 1 of the Consolidated Negotiating Document (CND) includes five articles: statement and purposes (article 1), use of terms (article 2), scope and application (article 3), the protection of sovereignty (article 4), and protection of human rights (article 5). In the first round of discussions on General Provisions, the Member Countries, the European Union, in its capacity as observer, and the observers for non-member States provided their preliminary views on different provisions so as to allow the Secretariat to identify provisions that enjoy broad support and others where participants held divergent views. 

Round 1 Discussions

1. Points of Agreement  (Advanced to Second Round of Discussions)

A majority of the participants held positive views on the provisions enlisted under the General Provisions. They sought to strengthen several of these provisions. For example: developing countries including Iran, Jamaica (on behalf of the Caribbean Community), South Africa, and Egypt were in favour of a more elaborate and strongly worded provision on technical assistance. Similarly, several countries including, European Union, Japan, USA, Switzerland, New Zealand, Canada, and others sought (i) strong safeguards for protection of human rights and other fundamental freedoms and (ii) mainstreaming of gender perspective and (iii) consideration of persons and groups vulnerable to cybercrime. 

2. Points of Disagreement  (Subject to Co-facilitated Informal Negotiations)

The discussion witnessed divergences in relation to Article 2 (Use of Terms) of the CND. Countries including India and Russia were in favour of usage of the term “ICT” over “cybercrime” as the former is wider in nature and has been used in UN General Assembly-Resolution 74/247 that established the mandate for the Ad-Hoc Committee. On the other hand, countries including the USA, Japan, Israel, and others were in favour of “cybercrime” for being more widely understood and recognised under the domestic legal framework of various countries and already employed under several international legal instruments. The chair, therefore, took up the decision to pursue the deliberation on the said provision in the co- facilitated informal consultations under the able leadership of Mr H.E. Mr. Rapulane Sydney Molekane, Ambassador and Permanent Representative of South Africa to the United Nations, Vienna, and Mr. Eric Do Val Lacerda Sogocio, Counsellor, Permanent Mission of Brazil to the United Nations, Vienna, and Vice-Chair of the Ad Hoc Committee.

3. Co-Facilitated Informal Consultations 

The co-facilitated informal consultations witnessed detailed deliberations on the use of terminologies to be defined under the draft Convention. The deliberations represented initial exchange of views without prejudice to the future informal discussion. They shall continue ahead of, during and beyond the 5th session to allow for a common understanding on key terms in order to facilitate consensus on several provisions throughout the text of the future convention.

Round 2 Discussions

Further, in the second round of discussion on provisions that enjoy wider support, the participants brainstormed on the final language of the provisions. Several Member Countries proposed terms/ phrases and even provisions that they considered more reflective of their needs and preferences. For instance: Member Countries including Russia, Tajikistan and India proposed the usage of “detect, prevent, suppress and investigate cybercrime/ use of ICTs for criminal use” in place of “prevent and combat cybercrime/ use of ICTs for criminal use.” In addition, India also proposed the usage of “the collection and sharing of electronic and digital information/evidence” in place of “collection of electronic evidence”. Further, countries including Malaysia, Honduras and Singapore proposed for “proper balance between the interests of law enforcement and the respect for fundamental human rights” to the provision detailing the Statement of Purpose for the Convention. Similar proposals were made on provisions relating to protection of sovereignty, respect for human rights and scope of the application respectively.

The discussions relating to General Provision at the Ad-Hoc Committee process do not suffer from irreconcilable differences.  Member Countries have showcased a growing sense of convergence on provisions relating to protection of human rights and other fundamental freedoms. There is also a broad support for mainstreaming the gender perspective within the convention. The Member Countries, however, have outstanding work in relation to definitions and use of terms under the proposed convention. 

II. Provisions on Procedural Measures and Legal Enforcement 

Chapter 3 of the CND laid out provisions for – a] investigation and prosecution of offences, b] collection and sharing of information and electronic evidence, c] conditions and safeguards highlighting the need for and importance of the protection of human rights and liberties, insertion of principles of proportionality, necessity and legality and d] the protection of privacy and personal data for the purposes of the convention. The chapter included 16 articles divided into the following six clusters:

1. Cluster 1: provisions on jurisdiction, scope of procedural measures and conditions and safeguards
2. Cluster 2: procedural measures for expedited preservation of stored data; expedited preservation and disclosure of traffic data, production order, search and seizure, real-time collection of traffic data, interception of content, among others.
3. Cluster 3: procedural measures relating to freezing, seizure and confiscation of assets, establishment of criminal records, protection of witnesses and victims, and compensation for damage suffered.

Round 1 Discussions 

1. Points of Agreement (Advanced to Second Round of Discussions)

In the first round of discussions, the Member Parties unanimously recognised the importance of the provisions on procedural measures and legal enforcement and their role in laying the solid foundation for the practical international cooperation and implementation of this convention. The first round of discussions witnessed a broad agreement on the majority of the provisions under Cluster 1, 2 and 3 of CND. 

Furthermore, several Member Parties, Observer States including the European Union, India, Japan, UK, Norway, Canada, Australia, Kenya, and Israel affirmed their support on the inclusion and further strengthening of Article 42 that lays out Conditions and Safeguards that ensure adequate protection of human rights and liberties, including rights and fundamental freedoms arising from obligations under applicable international human rights law. 

Several Participant Countries also highlighted the close correlation between Article 42 and Article 41 (Scope of Procedural Measures) as being inextricably linked to one another and stated that strong procedural measures must be accompanied by robust human rights safeguards. The participant Member Countries and Observer States were broadly in agreement on inclusion of Article 43 (Expedited Preservation of Stored Computer Data), Article 44 (Expedited Preservation and Partial Disclosure of Traffic Data), Article 45 (Production Order), Article 46 (Search and Seizure) and Cluster 3 provisions (Article 50-55) of the CND. 

2. Points of Disagreement (Subject to Co-facilitated Informal Negotiations)

There was disagreement on the inclusion of Article 40 (jurisdiction), Article 47 (Real Time Collection of Traffic Data), Article 48 (Interception of Content Data) and Article 49 (Admission of electronic/digital evidence) respectively. Member Countries and Observer States and other participants including Switzerland, Japan, USA, European Union, Australia, Norway, UK, Canada raised concerns on Article 40 that allowed for extraterritorial jurisdiction of State and jurisdiction over computer data/ digital or electronic information irrespective of place of storage, screening or processing. As per the participant countries and observer states, such a provision is not in consonance with the traditional understanding of jurisdiction and may not be in alignment with Article 4 (Protection of Sovereignty) enlisted in the CND. 

Further, Member States and Observer States including EU, UK, Japan, Australia, and Norway also raised concerns on inclusion of Article 47 and 48 as these significantly interfere with human rights and are considered to be extremely sensitive in nature.  Singapore, in particular, opposed the inclusion of these provisions and stated that its inclusion has a limited utility and is likely to deter states from signing the final convention. India along with USA, Malaysia, Jamaica on the behalf of Caribbean Community (CARICOM) were in favour of inclusion of these provisions. India, in particular, also requested for the definitional clarity on terms such as “traffic data”. Besides, the participant member countries and observer states were disputed on inclusion of Article 49 and stated that the convention on cybercrime is not appropriate to include issues pertaining to admissibility of electronic evidence and is to be dealt under State’s domestic law and judicial rulings. 

3. Co-Facilitated Informal Sessions 

The chair accordingly delegated the discussion on Article 40, 47, 48 and 49 for the co-facilitated informal negotiation process to be undertaken under the leadership of Mrs. Andrea Martin-Swaby (Jamaica) and Mr. Syed Noureddin Bin Syed Hassim (Singapore).

The co-facilitated informal negotiation process underwent detailed discussions amongst participant Member States, Observer States and multi-stakeholders. The co-facilitators informed the Chair of the various developments that took place during the informal negotiation and that the co-facilitators would conduct intersessional bilateral meetings with delegations and convene additional informal negotiations of the Committee at the 5th Session scheduled in April 2023.

Round 2 Discussions 

Subsequently, in the second round of discussions, several newer contributions were made in the context of provisions laying out Conditions and Safeguards. There was also a proposal for additional provision relating to Retention of Traffic Data and Metadata, and Retention of Electronic Information in CND. Further, additional provisions on Cooperation between national authorities and service providers were also proposed and introduced in the CND for further deliberation. 

The CND and deliberations at the Fourth Session of the Ad-Hoc Committee process crystallised a number of interesting submissions and proposals made by the Member Countries over past sessions. The CND enlisted provisions aimed to redress current challenges faced by the legal enforcement agencies by providing appropriate authority allowing for expedited preservation of Stored Computer Data, expedited preservation and partial disclosure of traffic data, search and seizure, real time collection of traffic data, interception of content data, among others. 

The process, however, also witnessed disagreement on provisions relating to the understanding of jurisdiction, cooperation between national investigating and prosecuting authorities and service providers – as evident from the developments that took place in previous sessions. It is likely that the Secretariat and Member Countries will be continuing these deliberations to build consensus over conflicting issues. 

The Way Forward The proceedings at the Ad-Hoc Committee process have arrived at a critical juncture wherein Member Countries have begun text-based negotiations spearheaded by the Chair and Secretariat. The Ad-Hoc Committee will organise the Fifth Session from 11 to 21 April 2023 in Vienna as an immediate next step. The session will conduct text-based negotiations based on CND on the preamble, the provisions on international cooperation, preventive measures, technical assistance, and the mechanism of implementation, and the final provisions of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes. The upcoming sessions would be crucial in determining whether and how Member Countries would draw consensus and build toward an effective cybercrime convention that caters to the needs and expectations of the wide variety of countries participating in the UN process.

The Voluntary Undertaking Provision: A Flawed Endeavor

This post is authored by Tejaswita Kharel*

In order to ease the enforcement process for data protection laws, various jurisdictions such as Singapore and Australia have incorporated voluntary undertaking provisions. Such a provision encourages organisations to self regulate and adopt accountable practices. It is also believed that the incorporation of such a provision in data protection compliance frameworks will help build a collaborative relationship between data protection boards and data fiduciaries.

India has recently also taken a step in this direction. Clause 24 of the Digital Personal Data Protection Bill, 2022 [“Bill”] provides that the Data Protection Board [“Board”] may accept voluntary undertaking at any stage and that the acceptance of such undertaking by the Board would constitute a bar to proceedings. 

However, while voluntary undertaking provisions may work elsewhere, Clause 24 should be removed from the Bill for the following reasons: 

1] Excessive Scope of Voluntary Undertaking Provision

The voluntary undertaking regime in Singapore clearly provides that the request to invoke a voluntary undertaking process must be made “soon after the [breach] incident is known”. But the voluntary undertaking provision in the Bill states that the undertaking can be given at “any stage” including before a breach has even taken place. This will allow data fiduciaries to delay their compliance with the provisions of the Bill and postpone the implementation of important provisions of the Bill. 

For example Clause 9(4) of the Bill provides that “Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.” A fiduciary could offer a voluntary undertaking stating that it will comply with this clause after a period of six months, during which time multiple breaches can occur. The scope of the voluntary undertaking clause in the Bill is thus massive and is likely to give too much leeway to data fiduciaries to circumvent the law and violate the rights of the Data Principals. 

2] Lack of Regulatory Standards for Voluntary Undertaking

Additionally, there is no set standard for what a voluntary undertaking offer is supposed to contain. While Clause 24 states that a voluntary undertaking may include “undertaking to take specified action within a specified time, an undertaking to refrain from taking specified action, and an undertaking to publicise the voluntary undertaking”, the requirements are not specific enough to ensure that fiduciaries will adequately comply with  the provisions of the Bill. Data fiduciaries have no requirement to provide for an in-depth remediation plan unlike in Singapore. 

3] Excessive Discretion of the Board 

Clause 24 merely says that the Board “may” accept voluntary undertakings. While it is clear that the Board has the discretion to decide whether it is appropriate to accept an undertaking or not, it is necessary to have standards for acceptance or rejection of such undertakings in order to reduce possibilities of arbitrariness and misuse of the voluntary undertaking regime.

Hence, while it is important to ensure that the compliance burden on data fiduciaries is not too heavy in order to achieve effective implementation of the Bill, the current voluntary undertaking provision acts as a loophole which will allow fiduciaries to circumvent formal proceedings and exempt themselves from liability under the Bill.

Conclusion

The voluntary undertaking provision in the Bill should be removed. It provides too much leeway to fiduciaries to submit voluntary undertakings that will exempt them from application of key provisions of the Bill. Moreover, it fails to constrain the Board from accepting such offers. 

In addition, several clauses of the Bill adequately provide for flexibility in case of non-compliance. Clause 25(2) ensures that data fiduciaries are not penalised excessively and Clause 21(11) ensures that they are not punished for non-significant non-compliance. 

The benefit of a voluntary undertaking system is that data fiduciaries will aid the Board in understanding the technological difficulties and processes involved in the regulation of data protection. However, this understanding is something that can be achieved through regular and active discussions with stakeholders. This is the direction that countries like the United Kingdom are also moving towards. 

*Tejaswita is a Research Analyst at the Centre for Communication Governance.

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session

Sukanya Thapliyal

1. Background/ Overview 

Last month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the Fourth Session of the United Nations Ad-hoc Committee, tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions.  It was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282). 

The three previous sessions of the Ad Hoc Committee witnessed the exchange of general views of the Member States on the scope, and objectives of the comprehensive convention, and agreement on the structure of the convention. This was followed by themed discussions and a first reading of the provisions on criminalisation, procedural measures and legal enforcement, international cooperation, technical assistance, preventive measures, among others. (We had previously covered the proceedings from the First Session of the Ad-Hoc Committee here.)

The fourth session of the Ad Hoc Committee was marked by a significant development – the preparation of a Consolidated Negotiating Document (CND) to facilitate the remainder of the negotiation process. The CND was prepared by the Chair of the Ad Hoc Committee keeping in mind the various views, proposals, and submissions made by the Member States at previous sessions of the Committee. It is also based on existing international instruments and efforts at the national, regional, and international levels to combat the use of information and communications technologies (ICTs) for criminal purposes. 

As per the road map and mode of work for the Ad Hoc Committee approved at its first session (A/AC.291/7, annex II), the fourth session of the Ad Hoc Committee conducted the second reading of the provisions of the convention on criminalisation, the general provisions and the provisions on procedural measures and law enforcement. Therefore, the proceedings during the Fourth Session involved comprehensive and elaborate discussions around these provisions amongst the Chair, Member States, Observer States, and other multi-stakeholder groups. 

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the fourth substantive session of the Ad-hoc Committee. Part I of the blog (i) discusses the methodology employed by the Ad-Hoc Committee discussions and (ii) captures the consultations and developments from the second reading of the provisions on criminalisation of offences under the proposed convention. Furthermore, we also attempt to familiarise  readers with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

In part II of the blog series, we will be laying out the discussions and exchanges on (i) the general provisions and (ii) provisions on procedural measures and legal enforcement. 

2. Methodology used for Conducting the Fourth session of the Ad-Hoc Committee. 

The text-based negotiations at the Fourth Session proceeded in two rounds. 

Round 1: The first round of discussions allowed the participants to share concise, substantive comments and views. Provisions on which there was broad agreement proceeded to Round 2. Other provisions were subject to a co-facilitated informal negotiation process. Co-facilitators that spearheaded the informal negotiations reported orally to the Chair and the Secretariat. 

Round 2: Member Countries progressed through detailed deliberations on the wording of each of the provisions that enjoyed broad agreement. 

3. Provisions on Criminalization (Agenda Item 4)

The Chapter on “provisions on criminalization” included a wide range of criminal offences that are under consideration for inclusion under the Cybercrime Convention. Chapter 2 under the CND features 33 Articles grouped into 11 clusters as:

1. Cluster 1: offences against illegal access, illegal interference, interference with computer systems/ ICT systems, misuse of devices, that jeopardises the confidentiality, integrity and availability of system, data or information;
2. Cluster 2: offences that include computer or ICT-related forgery, fraud, theft and illicit use of electronic payment systems;
3. Cluster 3: offences related to violation of personal information
4. Cluster 4: infringement of copyright.
5. Cluster 5: offences related to online child sexual abuse or exploitation material
6. Cluster 6: offences related to Involvement of minors in the commission of illegal acts, and encouragement of or coercion to suicide
7. Cluster 7: offences related to sexual extortion and non-consensual dissemination of intimate images.
8. Cluster 8: offences related to incitement to subversive or armed activities and extremism-related offences
9. Cluster 9: terrorism related offences and offences related to the distribution of narcotic drugs and psychotropic substances, arms trafficking, distribution of counterfeit medicines.
10. Cluster 10: offences related to money laundering, obstruction of justice and other matters (based on the language of United Nation Convention against Corruption (UNCAC) and United Nation Convention against Transnational Organised Crime (UNTOC))
11. Cluster 11: provisions relating to liability of legal persons, prosecution, adjudication and sanctions. 

Round 1 Discussions 

1. Points of Agreement (taken to the second round) 

The first round of discussions on provisions related to criminalisation witnessed a broad agreement on inclusion of provisions falling under Cluster 1, 2, 5, 7, 10 and 11. Member States, Observer States and other parties including the EU, Austria, Jamaica (on the behalf of CARICOM), India, USA, Japan, Malaysia, and the UK strongly supported the inclusion of offences enlisted under Cluster 1 as these form part of core cybercrimes recognised and uniformly understood by a majority of countries. 

A large number of the participant member countries were also in favour of a narrow set of cyber-dependent offenses falling under Cluster 5 and 7. They contended that these offenses are of grave concern to the majority of countries and the involvement of computer systems significantly adds to the scale, scope and severity of such offenses. 

Several countries such as India, Jamaica (on behalf of CARICOM), Japan and Singapore broadly agreed on offences listed under clusters 10 and 11. These countries expressed some reservations concerning provisions on the liability of legal persons (Article 35). They contended that such provisions should be a part of the domestic laws of member countries. 

2. Points of Disagreement (subject to Co-facilitated Informal Negotiations)

There was strong disagreement on the inclusion of provisions falling under Cluster 3, 4, 6, 8 and 9. The EU along with Japan, Australia, USA, Jamaica (on the behalf of CARICOM), and others objected to the inclusion of these cyber-dependent crimes under the Convention. They stated that such offenses (i) lack adequate clarity and uniformity across countries(ii) pose a serious threat of misuse by the authorities, and (iii) present an insurmountable barrier to building consensus as Member Countries have exhibited divergent views on the same. Countries also stated that some of these provisions (Cluster 9: terrorism-related offenses) are already covered under other international instruments. Inclusion of these provisions risks mis-alignment with other international laws that are already employed to oversee those areas.

3. Co-Facilitated Informal Round

The Chair delegated the provisions falling under Cluster 3, 4, 6, 8 and 9 into two groups for the co-facilitated informal negotiations. Clusters 3, 4 and 6 were placed into group 1, under the leadership of Ms. Briony Daley Whitworth (Australia) and Ms. Platima Atthakor (Thailand). Clusters 8 and 9 were placed into group 2, under the leadership of Ambassador Mohamed Hamdy Elmolla (Egypt) and Ambassador Engelbert Theuermann (Austria). 

Group 1: During the informal sessions for cluster 3, 4 and 6, the co-facilitator encouraged  Member States to provide suggestions/views/ comments on provisions under consideration. The positions of Member States remained considerably divergent. Consequently, the co-facilitators decided to continue their work after the fourth session during the intersessional period with interested Member States.

Group 2: Similarly for cluster 8 and 9, the co-facilitators, along with interested Member States engaged in constructive discussions. Member States expressed divergent views on the provisions falling under cluster 8 and 9. These ranged from proposals for deletion to proposals for the strengthening and expansion of the provisions. Besides, additional proposals were made in favour of the following areas – provision enabling future Protocols to the Convention, inclusion of the concept of serious crimes and broad scope of cooperation that extends beyond the provisions criminalised under the convention. The co-facilitators emphasised the need for future work to forge a consensus and make progress towards finalisation of the convention. 

Round 2 Discussions: 

Subsequently, the second round of discussions witnessed intensive discussions and deliberation amongst the participating Member Countries and Observer States. The discussions explored the possibility of adding provisions on issues relating to the infringement of website design, unlawful interference with critical information infrastructure, theft with the use of information and communications technologies and dissemination of false information, among others. 

Conclusion:

Since the First Session of the Ad-Hoc Committee, the scope of the convention has remained an open-ended question. Member Countries have put forth a wide range of cyber-dependent and cyber-enabled offences for inclusion in the Convention.  Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (such as online child sexual abuse or exploitation material, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. Countries must agree on the scope of the Convention if they want to make headway in the negotiation process. 

(The Ad-Hoc committee is likely to take up these discussions forward in the sixth session of the Ad-Hoc Committee 21 August – 1 September 2023.) 

Re-thinking content moderation: structural solutions beyond the GAC

This post is authored by Sachin Dhawan and Vignesh Shanmugam

The grievance appellate committee (‘GAC’) provision in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022 has garnered significant controversy. While it seeks to empower users to challenge the arbitrary moderation decisions of platforms, the provision itself has been criticised for being arbitrary. Lawyers, privacy advocates, technology companies, and other stakeholders have raised many  concerns about the constitutional validity of the GAC, its lack of transparency and independence, and excessive delegated power.

Although these continuing discussions on the GAC are necessary, they do not address the main concerns plaguing content moderation today. Even if sufficient legal and procedural safeguards are incorporated, the GAC will still be incapable of resolving the systemic issues in content moderation. This fundamental limitation persists because “governing content moderation by trying to regulate individual decisions is [like] using a teaspoon to remove water from a sinking ship”.  

Governments, platforms, and other stakeholders must therefore focus on: (i) examining the systemic issues which remain unaddressed by content moderation systems; and (ii) ensuring that platforms implement adequate structural measures to effectively reduce the number of individual grievances as well as systemic issues.

The limitations of the current content moderation systems

Globally, a majority of platforms rely on an individual case-by-case approach for content moderation. Due to the limited scope of this method, platforms are unable to resolve, or even identify, several types of systemic issues. This, in turn, increases the number of content moderation cases.

To illustrate the problem, here are a few examples of systemic issues which are unaddressed by content moderation systems: (i) coordinated or periodic attacks (such as mass reporting of users/posts) which target a specific class of users (based on gender, sexuality, race, caste, religion, etc.); (ii) differing content moderation criteria in different geographical locations; and (iii) errors, biases or other issues with algorithms, programs or platform design which lead to increased flagging of users/posts for content moderation.

Considering the gravity of these systemic issues, platforms must adopt effective measures to improve the standards of content moderation and reduce the number of grievances.

Addressing the structural concerns in content moderation systems

Several legal scholars have recommended the adoption of a ‘systems thinking’ approach to address the various systemic concerns in content moderation. This approach requires platforms to implement corporate structural changes, administrative practices, and procedural accountability measures for effective content moderation and grievance redressal. 

Accordingly, revising the existing content moderation frameworks in India to include the following key ‘systems thinking’ principles would ensure fairness, transparency and accountability in content moderation.

• Establishing independent content moderation systems. Although platforms have designated content moderation divisions, these divisions are, in many cases, influenced by the platforms’ corporate or financial interests, advertisers’ interests, or political interests, which directly impacts the quality and validity of their content moderation practices. Hence, platforms must implement organisational restructuring measures to ensure that content moderation and grievance redressal processes are (i) solely undertaken by a separate and independent ‘rule-enforcement’ division; and (ii) not overruled or influenced by any other divisions in the corporate structure of the platforms. Additionally, platforms must designate a specific individual as the authorised officer in-charge of the rule-enforcement division. This ensures transparency and accountability from a corporate governance viewpoint. 

• Robust transparency measures. Across jurisdictions, there is a growing trend of governments issuing formal or informal orders to platforms, including orders to suspend or ban specific accounts, take down specific posts, etc. In addition to ensuring transparency of the internal functioning of platforms’ content moderation systems, platforms must also provide clarity on the number of measures undertaken (and other relevant details) in compliance with such governmental orders. Ensuring that platforms’ transparency reports separately disclose the frequency and total number of such measures will provide a greater level of transparency to users, and the public at large.

• Aggregation and assessment of claims. As stated earlier, individual cases provide limited insight into the overall systemic issues present on the platform. Platforms can gain a greater level of insight  through (i) periodic aggregation of claims received by them; and (ii) assessment of  these aggregated claims for any patterns of harm or bias (for example: assessing for the presence of algorithmic/human bias against certain demographics). Doing so will illuminate algorithmic issues, design issues, unaccounted bias, or other systemic issues which would otherwise remain unidentified and unaddressed.

• Annual reporting of systemic issues. In order to ensure internal enforcement of systemic reform, the rule-enforcement divisions must provide annual reports to the board of directors (or the appropriate executive authority of the platform), containing systemic issues observed, recommendations for certain systemic issues, and protective measures to be undertaken by the platforms (if any). To aid in identifying further systemic issues, the division must conduct comprehensive risk assessments on a periodic basis, and record its findings in the next annual report.

• Implementation of accountability measures. As is established corporate practice for financial, accounting, and other divisions of companies, periodic quality assurance (‘QA’) and independent auditing of the rule-enforcement division will further ensure accountability and transparency.

Conclusion

Current discussions regarding content moderation regulations are primarily centred around the GAC, and the various procedural safeguards which can rectify its flaws. However, even if the GAC  becomes an effectively functioning independent appellate forum, the systemic problems plaguing content moderation will remain unresolved. It is for this reason that platforms must actively adopt the structural measures suggested above. Doing so will (i) increase the quality of content moderation and internal grievance decisions; (ii) reduce the burden on appellate forums; and (iii) decrease the likelihood of governments imposing stringent content moderation regulations that undermine  the free speech rights of users.