Earlier this month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”).
In this blog, we present a brief overview and our observations from the discussions during the first substantive session of the Ad-hoc Committee. Furthermore, we also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process.
The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions and was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282).
Presently, the Budapest Convention, also known as Convention on Cybercrime is the most comprehensive and widely accepted legal instrument on cybercrime which was adopted by the Council of Europe (COE) and came into force in July, 2004. However, the work of the Ad-hoc Committee is significant and can pave the way for the first universal and legally binding instrument on cybercrime issues. The Committee enjoys widespread representation from State and Non-State stakeholders (participation from the non-governmental organizations, civil society, academia and private organizations) and other UN bodies, including the United Nations Office on Drugs and Crime (UNODC), serving as the secretariat for the process.
The Ad-hoc Committee, over the next two years, is set to have six sessions towards developing this cybercrime convention. The convention is expected to foster coordination and cooperation among state actors to combat cybercrime while giving due regard to the peculiar socio-economic conditions prevailing in the developing and least-developed countries.
The first substantive session of the Ad-hoc Committee was scheduled for 28 February-11 March 2022 to chart out a clear road map to guide subsequent sessions. In addition, the session also provided opportunity to the Member States to explore the possibility of reaching a consensus on the objective and scope of the Convention, which could provide a general framework for future negotiation without constituting a pre-condition for future stages.
2. Discussions at the First Ad-hoc committee
The first session of the Ad-hoc Committee witnessed extensive discussions in sessions on general debate, objective and scope of the convention, exchange of preliminary views on key elements of the convention. In addition, a fruitful engagement took place in the sessions dedicated to arriving at a consensus on the structure of the convention (A/AC.291/L.4/Add.4). Member states also reached consensus on discussion and decision-making on the mode of work of the Ad Hoc Committee during subsequent sessions and intersessional periods (A/AC.291/L.4/Add.6). As the negotiations commenced days after the Russia-Ukraine conflict began, the negotiations proceeded in a tense environment where several Member States expressed their concerns and-inability to negotiate in “good faith” in the light of the current state of play and condemned Russia for the military and cyber operations directed at Ukraine.
A. Scope of the convention: From “Cyber-Enabled” to “Cyber-Dependent” Crimes
There was complete agreement on the growing importance of ICT technologies, the threat created by cybercriminals, and the need for a collective response within a sound international framework. However, countries highlighted different challenges that range from ‘pure cybercrimes’ or cyber dependent crimes to a broader set of crimes (cyber-enabled crimes) that includes misuse of ICT technologies and digital platforms by terrorist groups, deepfakes, disinformation, misinformation, false narrative, among others.
While there was a broad consensus on including cyber dependent crimes, there was significant disagreement on whether cyber-enabled crimes should be addressed under the said convention. This divergence was evident throughout the first session with the EU, the US, the UK, New Zealand, Australia, Liechtenstein, Japan, Singapore and Brazil advocating to limit the operation of such a convention only up to cyber dependent crimes (such as ransomware attacks, denial of services attack, illegal system interference, among others). The member states maintained that the said convention should exclude vague and broadly defined crimes that may dilute legal certainty and disproportionately affect the freedom of speech and expression. Furthermore, that the convention should include only those cyber enabled crimes whose scale scope and speed increases substantially with the use of ICT technologies (cyber-fraud, cyber-theft, child sexual abuse, gender-based crime).
On the other hand, the Russian Federation, China, India, Egypt, South Africa, Venezuela, Turkey, Egypt expressed that the convention should include both cyber dependent and cyber enabled crimes under such a convention. Emphasizing the upward trend in the occurrence of cyber enabled crimes, the member states stated that the cybercrime including cyber fraud, copyright infringement, misuse of ICTs by terrorists, hate speech must be included under the said convention.
There was overall agreement that cybersecurity, and internet governance issues are subject to other UN multilateral fora such as UN Group of Governmental Experts (UNGGE) and UN Open Ended Working Group (OEWG) and must not be addressed under the proposed convention.
The process witnessed significant discussion on the protection and promotion of human rights and fundamental freedoms as an integral part of the proposed convention. While there was a broad agreement on the inclusion of human rights obligations, Member States varied in their approaches to incorporating human rights obligations. Countries such as the EU, USA, Australia, New Zealand, UK, Canada, Singapore, Mexico and others advocated for the centrality of human rights obligations within the proposed convention (with particular reference to the right to speech and expression, privacy, freedom of association and data protection). These countries also emphasized the need for adequate safeguards to protect human rights (legality, proportionality and necessity) in the provisions dealing with the criminalization of offenses, procedural rules and preventative measures under the proposed convention.
India and Malaysia were principally in agreement with the inclusion of human rights obligations but pointed out that human rights considerations must be balanced by provisions required for maintaining law and order. Furthermore, countries such as Iran, China and Russia emphasized that the proposed convention should be conceptualized strictly as a technical treaty and not a human rights convention.
C. Issues pertaining to the conflict in jurisdiction and legal enforcement
The Ad-hoc Committee’s first session saw interesting proposals on improving the long-standing issues emanating from conflict of jurisdictions that often create challenges for law enforcement agencies in effectively investigating and prosecuting cybercrimes. In its numerous submissions, India highlighted the gaps and limitations in the existing international instruments and the need for better legal frameworks for cooperation, beyond Mutual Legal Assistance Treaties (MLATs). Such arrangements aim to assist law enforcement agencies in receiving metadata/ subscriber information to establish attribution and to overcome severe delays in accessing non-personal data. Member states, including Egypt, China supported India’s position in this regard.
Mexico, Egypt, Jamaica (on behalf of CARICOM), Brazil, Indonesia, Iran, Malaysia also highlighted the need for the exchange of information, and greater international cooperation in the investigation, evidence sharing and prosecution of cybercrimes. These countries also highlighted the need for mutual legal assistance, 24*7 contact points, data preservation, data sharing and statistics on cybercrime and modus operandi of the cybercriminals, e-evidence, electronic forensics and joint investigations.
Member states including the EU, Luxembourg, UK supported international cooperation in investigations and judicial proceedings, and obtaining electronic evidence. These countries also highlighted that issues relating to jurisdiction should be modeled on the existing international and regional conventions such as the UN Convention against Corruption (UNCAC), UN Convention against Transnational Organized Crimes (UNCTOC), and the Budapest Convention.
D. Technical Assistance and Capacity Building
There was unanimity among the member states to incorporate provisions on capacity building and technical assistance to cater to the peculiar socio-economic conditions of the developing and least-developed countries. However, notable inputs/ suggestions came from Venezuela, Egypt, Jamaica on behalf of CARICOM, India and Iran. Venezuela highlighted the need for technology transfer, lack of financing and lack of sufficient safeguards for developing and least-developed countries. The countries outlined technology transfer, financial assistance, sharing of best practices, training of personnel, and raising awareness as different channels for capacity building and technical assistance for developing and least-developed countries.
E. Obligations for the Private Sector
The proposal for instituting obligations on non-state actors , including the private sector (with particular reference to digital platforms and service providers), witnessed strong opposing views by member countries. Countries including India, China, Egypt and Russia backed the proposal on including a strong obligation on the private sectors as they play an essential role in the ICT sector. In one of its submissions, India explained the increasing involvement of multinational companies in providing vital services in different countries. Therefore, in its view, such private actors must be held accountable and should promptly cooperate with law enforcement and judicial authorities in these countries to fight cybercrime. Iran, China and Russia further emphasized the need for criminal liability of legal persons, including service providers and other private organizations. In contrast, member states, including the EU, Japan and USA, were strictly against incorporating any obligations on the private sector.
F. Other Issues
There was a broad consensus including EU, UK, Japan, Mexico, USA, Switzerland and others on not reinventing the wheel but building on the work done under the UNCAC, UNCTOC, and the Budapest Convention. However, countries, including Egypt and Russian Federation, were skeptical over the explicit mention of the regional conventions, such as the Budapest Convention and its impact on the Member States, who are not a party to such a convention.
The proposals for inclusion of a provision on asset recovery, and return of the proceeds of the crime elicited a lukewarm response by Egypt, Iran, Brazil, Russia, China, Canada, Switzerland, USA Jamaica on behalf of CARICOM countries, but appears likely to gain traction in forthcoming sessions.
3. Way Forward
Member countries are expected to submit their written contributions on criminalisation, general provisions, procedural measures, and law enforcement in the forthcoming month. These written submissions are likely to bring in more clarity about the expectations and key demands of the different member states.
The upcoming sessions will also indicate how the demands put forth by developing, and least developing countries during the recently concluded first session are taken up in the negotiation process. Furthermore, it is yet to be seen whether these countries would chart out a path for themselves or get subsumed in the west and east binaries as seen in other multilateral fora dedicated to clarifying the rules governing cyberspace.
*The full recordings of the first session of the Ad-hoc Committee to elaborate international convention on countering the use of information and communications (ICTs) technologies for criminal purposes is available online and can be accessed on UN Web TV.
**The reader may also access more information on the first session of the Ad-hoc Committee here, here and here.