The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Week II of the Fifth Substantive Session

Sukanya Thapliyal

In Part I of the two-part blog series, we briefed our readers on the developments that took place in the first week of the Fifth Session of the Ad-Hoc Committee. In Part II of the series, we aim to capture the key discussion on provisions on (i) technical assistance, (ii) preventative measures, (iii) final provisions and (iv) the Preamble.

1. Provisions on Technical Assistance:

The Chapter on Technical Assistance listed down provisions including, general principles of technical assistance, and provision setting the scope of technical assistance (Training and technical assistance, exchange of information, and implementation of the Convention through economic development and technical assistance). The provisions listed under this Chapter highlight the importance of technical assistance and capacity building for developing countries. Further, the provisions also lay down obligations and responsibilities on the State Parties to initiate, develop and implement the widest measure of technical assistance and capacity-building that includes material support, training, mutual exchange of relevant experience and specialised knowledge, among others. 

All of the Member Countries and non-member Observer States were in agreement on the importance of the Chapter on technical assistance as an essential tool in combating and countering cybercrime. Technical assistance and capacity building helps in developing resources, institutional capacity, policies and programmes that help in mitigating and preventing cybercrime. A number of developing countries including, Iran, China, Nigeria, South Africa provided suggestions such as inclusion of “transfer of technology” and “technical assistance” to the existing text of the provisions in order to effectively broaden the scope of the chapter. 

On the other hand, several developed countries, including the United Kingdom, Germany, Japan, Norway, and Australia emphasised that provisions relating to technical assistance and capacity building should be voluntary in nature and should avoid an overly prescriptive approach. It should rather be based on mutual trust, be demand-driven, and correspond to nationally identified needs and priorities. These State Parties accordingly provided alternative provisions on similar lines for the said Chapter for the consideration of Member Countries and the Chair. 

The fifth session of the Ad-Hoc committee witnessed advanced discussions on technical assistance. Previously, technical assistance was discussed in the third session of the ad-hoc committee where discussions primarily revolved around the submission/ proposals from the Member Countries and non-member observer States. The CND presented ahead of the fifth session was well articulated and neatly organised into various provisions outlining the scope and mechanisms for technical assistance and capacity building to meet the objectives of the Convention.

2. Provisions on Preventative Measures: 

The provisions charted out under the Chapter on the Preventative Measures (Article 91 to 93 of CND) included general provisions on prevention, establishment of authorities responsible for preventing and combating cybercrime, and prevention and detection of transfers of proceeds of cybercrime. The chapter underscores the role of effective preventative measures and substantial impact of these measures in attaining the objectives of the proposed convention and reducing the immeasurable financial losses incurred by the States due to cybercrime. 

Majority of State Parties signalled their support on inclusion of the chapter on Preventative Measures. In addition, non-member observer States and the Member States including European Union, Netherlands, United Kingdom, Australia, New Zealand, Canada, United States of America made interesting proposals on building effective and coordinated policies for prevention of cybercrime. These Member Countries argued in favour of broadening the current understanding of the term “vulnerable groups”, inclusion of the reference of international human rights, and advocated for developing, facilitating and promoting programmes and activities to discourage persons at risk of committing cybercrime.  

There were interesting proposals aimed at strengthening cooperation between law enforcement agencies and relevant entities (private sector, academia, non-governmental organizations and general public) to counter gender-based violence and mitigate the dissemination of children sexual abuse and exploitation material online. The Member Countries also supported the proposal for Offender Prevention Programmes aimed at preventing (repeated) criminal behaviour among (potential) offenders of cyber-dependent crime.

Member Countries such as China submitted in favour of inclusion of classified tiered measures to provide multi-level protection schemes for cybersecurity. They also called for legislative and other measures to require service providers in their respective territory to take active preventive and technical measures. 

The discussions undertaken in the fifth session of the Ad-Hoc committee were based on the text provided under the CND in the form of concrete provisions wherein various participants provided their detailed submissions on the text. The session also witnessed new proposals on technical assistance such as multi-level protection schemes for cybersecurity, 24*7 network, preventive monitoring to timely detect, suppress and investigate crimes by different Member Countries.

3. Final Provisions

The Chapter on Final Provisions (Article 96-103 of the CND) listed crucial provisions namely, implementation of the Convention, relation with protocols, settlement of disputes concerning the interpretation or implementation of the Convention, and the signature, ratification, acceptance, approval and accession to the Convention. The CND also included provisions relating to the date of enforcement and procedure of amendment to the Convention. 

The Member States and non-members observer States unanimously recognised the importance of the provisions listed under the Chapter on Final Provisions. The non-member observer State and the Member Countries, including the United States of America, Singapore, European Union and others, emphasised that the provision listed under the CND should be in conformity with the existing legal instruments and other existing regional conventions. 

Member Countries such as China and Russia also recognised the importance of the existing legal frameworks. However, these countries further reminded the State Parties that comprehensiveness and universality are the twin goals of this Convention. Therefore, these countries stressed on the need for a “harmonious approach” or a “mutually reinforcing approach” regarding the same. 

Beside this, the Member States also showcased divergent opinions on the minimum number of ratification required for the Convention to come into force. Member Countries, including USA, Norway, New Zealand, Singapore and Canada, have opted for at least 90 ratifications. Member Countries, including Russia, Egypt, China, Brazil, India, and Nigeria, have supported thirty ratifications. Beside these, Japan, United Kingdom, European Union, Ghana and others have opted for forty to fifty ratifications as reasonable for the proposed Convention to come into force. 

The Member Countries supporting wider ratification have submitted that the support of a large number of Member States is indispensable for the success of the prospective Convention. On the other hand, the Member Countries supporting 30 ratifications have focused on the urgency of action in respect of cybercrime and therefore have supported a minimum number of ratifications to get the Convention up and running at the earliest.

Aside from this, Member Countries such as Mexico floated an interesting proposal to devise and incorporate Technical Annexes for ensuring that this Convention adapts and responds adequately to new and emerging challenges. The proposal garnered significant support from other State Parties. 

4. Preamble of the Convention

The CND tabled for the fifth session also featured the draft Preamble for the Convention. Member Countries and non-member observer States unanimously agreed on the inclusion of the Preamble to the prospective convention. The Member Countries maintained that the Preamble is an integral part of the convention and features the purpose and intention of the Convention. 

At the same time, several Member Countries stated that the draft Preamble provided under the CND can be improved further in order to bring more clarity. The Member Countries accordingly provided a wide range of suggestions regarding the same. 

Member Countries such as CARICOM, Norway, Dominican Republic, Kenya, Brazil, suggested that the Preamble should highlight the challenges and opportunities (negative economic and social implications) faced by the Countries with regard to information and communications technologies. Member States including Mexico, New Zealand, Singapore and others proposed the inclusion of – promotion of open, secure, stable, accessible and peaceful cyberspace, application of international law and human rights – in the Preamble of the CND. 

Additionally, Member States suggested the inclusion of denying safe havens to those who engage in cybercrime, prosecuting cybercrimes, international cooperation, collection and sharing of evidence, recovering and returning proceeds of cybercrime, technical assistance and capacity building as key objectives of the Convention. The Member States also recognised the seriousness of use of information and communications technologies violence against women and girls and children; consequently, they called for the inclusion of these concerns in the Preamble of the prospective Convention. 

Way Forward 

The intensive discussion between the Chair, Member States and non-member observer States on various agenda items culminated in the text of the CND being revised. The views expressed will be taken into consideration by the Chair in developing a more advanced draft text of the convention, in accordance with the road map and mode of work for the Committee, adopted at its first session (A/AC.291/7, annex II).

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Week I of the Fifth Substantive Session.

By Sukanya Thapliyal

Introduction

Last month from April 11-21, 2023, the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies (ICTs) for Criminal Purpose held its Fifth Session in Vienna. As we reported earlier, the negotiating process has reached a pivotal stage, wherein the Member Countries are negotiating on the basis of a Consolidated Negotiating Document (CND).

The Fifth session of the Ad Hoc Committee was aimed at conducting the second reading of the provisions of the CND which are as follows – 1] international cooperation, 2] technical assistance, 3] preventative measures 4] mechanism of implementation 5] the final provisions, and 6] the preamble. Much like previous sessions, Member States, and non-member observer States were supported and facilitated by the Chair, the Secretariat and multistakeholder group consisting of global and regional intergovernmental organisations, civil society organisations, academic institutions and the private sector.

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the Fifth substantive session of the Ad-hoc Committee. Part I of the blog captures the consultations and developments concerning the draft chapter on International Cooperation. In addition, we also attempt to familiarise readers with the emerging points of convergence and divergence of opinions among different Member States, non-member observer States and implications for the future negotiation process.

In part II of the blog series, we will be laying out the discussions and exchanges on (i) preventive measures, (ii) technical assistance, (iii) the final provisions; and (iv) the preamble.

Provisions on International Cooperation (Agenda Item 4)
The Chapter on International Cooperation provided under the CND lists 28 provisions subdivided into seven clusters that include a range of provisions such as – 1] general principles on international cooperation and personal data 2] provisions relating to extradition, transfer of sentenced persons and transfer of criminal proceeding 3] general principles and procedure relating to mutual legal assistance 4] provisions relating to expedited preservation and sharing of data and 5] provisions on law enforcement cooperation

Some of our key observations from Week 1 on different draft provisions listed under Chapter on International Cooperation are as follows:

Cluster 1: General principles of international cooperation and protection of personal data

Cluster 1 provisions provided under the chapter on international cooperation listed two provisions namely: (i) General principles of international cooperation and (ii) Protection of personal data.

(i) The general principles of international cooperation: This is an overarching provision applicable to the chapter on international cooperation. The said provision mandates the State Parties to cooperate in matters relating to preventing, detecting, investigating, prosecuting and adjudicating cybercrime. The scope of international cooperation also includes collecting, obtaining, preserving and sharing evidence and is based on the principle of reciprocity and in accordance with the domestic laws of the State parties.

The Member States were broadly in consensus on inclusion of general principles on international cooperation. However there was some disagreement. Some states including European Union, Canada, New Zealand, Australia proposed for narrow application of the chapter extending only to the offences criminalised under the proposed Convention. On the other hand, member Countries including India, and Colombia, were in favour of broader application of the Convention extending to range of cybercrime.

Further, several State Parties including the European Union, United Kingdom, Australia and New Zealand also proposed for the mentioning of personal data protection, grounds for refusal of request for extradition or providing assistance within the provision on general principles.

(ii) Protection of Personal Data: The provision on protection of personal data obligates the State Parties to ensure that personal data transmitted on the basis of a request made in accordance with the Convention should only be used for stated purposes such as investigations or proceedings concerning criminal offences and should adhere to data minimisation and purpose limitation. The provision also mandates the State Parties to ensure that such data is protected against loss or accidental or unauthorised access, disclosure, alteration or destruction.

Majority of State Parties were in agreement on inclusion of provision on personal data protection. However, a few Member States including CARICOM, China, Iran, Singapore and the United States were not in agreement on inclusion of this provision stating lack of relevance of the provision to the Convention.

Non-member observer European Union proposed an alternate provision on protection of personal data. The said proposal included a more elaborate set of obligations for the State Parties relating to maintenance of accurate and complete personal data, periodic review of the need for the storage of personal data, requirement for publication of general notices to the persons whose personal data have been collected and provision for effective judicial and non-judicial remedies to provide redressal to affected person.

Cluster 2: Provisions relating to extradition, transfer of sentenced persons and transfer of criminal proceedings

The provision relating to extradition under Cluster 2 under the chapter on international cooperation deals in extradition of a person who is the subject of the request for extradition is present in the territory of the requested State Party. The provision requires that extradition is permissible where extradition sought is punishable under the domestic law of both the requesting State Party and the requested State Party.

A large number of Member States were in agreement on inclusion of the said provision. Additionally, Member States including Nicaragua proposed the addition of political offence and offences punishable with death penalty under domestic laws as grounds of refusal for request of extradition. Beside this, several new proposals regarding expedited extradition, temporary surrender, surrender of property were also placed by Member Countries including Armenia.

Cluster 4- General principles and procedures relating to mutual legal assistance

Cluster 4 of the chapter on international cooperation included provision relating to general principles and procedures relating to mutual legal assistance, establishment of electronic databases on mutual legal assistance requests, spontaneous information, emergency mutual legal assistance, and 24/7 network. The provision outlining general principles laid down the scope, general rules and grounds for refusal of mutual legal assistance. The provision relating to maintaining electronic databases aimed to facilitate access to statistics relating to incoming and outgoing requests for mutual legal assistance involving electronic evidence. Besides this, the provisions relating to spontaneous information, emergency mutual legal assistance, and 24/7 network were also included within the text of CND to set up an effective and efficient system in place.

The Member States were broadly in agreement on inclusion of these provisions within the text of the prospective Convention. In addition, Member States including the European Union, United Kingdom, New Zealand and others proposed some additional grounds for refusal of mutual legal assistance, namely: refusal of request wherein the person affected is in danger being subjected to the death penalty, a life sentence without possibility of parole, torture, inhuman or degrading treatment or where the offence is political in nature.

Cluster 5: Provision relating to mutual legal assistance in expedited preservation of data, stored computer data, expedited disclosure of preserved traffic data and others

The cluster 5 provision placed under chapter on international cooperation listed provisions relating to mutual legal assistance in expedited preservation of data, stored computer data, expedited disclosure of preserved traffic data, accessing stored computer data, and cross-border access to stored data.

A large number of Member States were in agreement on inclusion of these provisions. In addition, there were new proposals relating to Mutual legal assistance in the expedited disclosure of preserved traffic data and expedited production of subscriber information and traffic data by Pakistan and India respectively. The said inclusion was opposed by the United States of America, the European Union, New Zealand, Canada and others.

Cluster 6- Provisions related to law enforcement cooperation, public-private partnership to enhance investigation of cybercrime, joint investigations and special investigative techniques

The provisions listed under Cluster 6 of the Chapter on international cooperation include obligations relating law enforcement cooperation, public-private partnership to enhance investigation of cybercrime, joint investigations and special investigative techniques, among others. The provision on law enforcement cooperation laid the obligation on the State Parties to cooperate closely to enhance the effectiveness of law enforcement action to combat cybercrime. The provision on public-private partnership assists their respective law enforcement agencies in developing appropriate guidelines and cooperating directly with relevant service providers to streamlining cooperation with industry. Further the CND also featured provisions on joint investigations, cooperation through special investigative techniques such as electronic or other forms of surveillance and undercover operations by its competent authorities to provide a lawful basis for collection of such evidence for use in investigations and prosecutions.

The provisions listed under cluster 6 enjoy support by multiple State Parties. However, some of the Member States including the European Union, the United States of America, Japan, Singapore, Canada, Norway, China and others have opposed the inclusion of provision Public-private partnerships to enhance the investigation of cybercrime.

Conclusion

Since the First Session of the Ad-Hoc Committee, the Member Countries have come a long way in arriving at a CND wherein the negotiations are now taking place in a more concrete and cohesive manner. Although Member Countries are still exhibiting diverse views on several provisions, the discussions have arrived at a crucial stage. The sixth session of the Ad-hoc committee is likely to be a watershed moment for the cybercrime convention in defining the finalised text of the convention that will be placed before the 78th session of the United Nation General Assembly in September 2023.

Metaverse and the Global South: Bridging the Digital Divide

By Nidhi Singh

The Metaverse has become a buzzword over the last year or so, since a popular tech giant announced its plans to rebrand themselves and focus on bringing the concept of the Metaverse to life. While buzz generated around the Metaverse has brought it into the public eye, it is by no means a novel concept. The idea of a Metaverse, or a shared virtual space where people can interact with each other and with virtual objects and experiences, has been around for decades. The term Metaverse was first coined in 1992 in the book “Snow Crash”, which considered the Metaverse to be an all-encompassing digital world which existed parallel to the physical world. However, with the recent advances in technology and the proliferation of the internet, the Metaverse is closer than ever to becoming a reality. The current buzz around the concept is also bolstered by the potential for economic growth. Certain projections estimate that the Metaverse may have the potential to generate up to 5 trillion USD in value by 2030, making it an opportunity too big to miss. 

What is the Metaverse? 

In simple terms, the most commonly known concept of the Metaverse today is a 3D model of the internet, envisioned as the next step in the development of information interaction online. In its original conception, it was ideally accessible through a single gateway, and as it develops, it would be equivalent to the real world and become the “the next evolution in social technology”. The idea of the Metaverse is however still in development, and while it appears that it may include some components of Virtual Reality (VR) and Augmented Reality (AR) technologies, its difficult to say how this definition will evolve over time. 

Different companies however still have different conceptions of the Metaverse technology ranging from the use of Extended Reality (XR) technology for a fully immersive experience, to simple video games which now host art galleries and concerts. As the Metaverse is currently in the process of being built, there is little agreement on what the future iteration of it will look like. Depending on how the technology evolves, the Metaverse could end up being anything from some niche applications which employ an increased use of VR and AR technology, to a full scale 3D model of the internet or anything in between.

How does the Metaverse work?

In current times, the basic functions of an immersive online world which allows for a digital economy, where users can create, buy, and sell goods already exist in certain video games. Games like Worlds of Warcraft allow users to create and sell digital goods inside the game, and Fortnite, has previously introduced some immersive experiences like concerts and installations within the game, providing a brief look into what the Metaverse could be. The current conception of the Metaverse is expected to be more expansive than this, where everyone would be able to log into a shared online space.

Operationalising the Metaverse

So when can we all expect to be part of this new shared virtual online world? While some experts believe that a large portion of the population will have some access to the Metaverse by 2030, there are some basic challenges which must be addressed before this technology can be operationalised, particularly in Global South countries. 

A very basic problem with the widespread implementation of the Metaverse in India is likely to stem from the cost of entry, including the cost of VR hardware and other technology which may be needed to operate the Metaverse. Additionally, the use of these technologies would also require higher computing power than what is currently available, and an almost 1000 time increase in computational efficiency. While a large portion of the country is now connected to the internet due to the low cost of data through their smartphones, the technologies required to implement Metaverse are still out of reach for a vast majority. This coupled with the lack of access to infrastructure such as fast internet and systems with high-computing power will pose considerable challenges hindering people from participating in the virtual world and participating in the Metaverse.

Another considerable barrier to access is the design of the Metaverse. The current conversation around the design and implementation of the Metaverse is dominated by the Global North, and it is likely that much of the virtual world which is currently being envisaged will be dominated by English language content and experiences which are designed for the western world. This would make it difficult for audiences from the Global South to fully engage in the new technology.

There are also concerns about how this technology could result in further deepening the digital divide. There is a risk that the Metaverse will exacerbate existing inequalities, by creating a virtual space where only those with access to technology and the resources to participate are able to engage. This would widen the digital divides between the Global North and the South, where the technology would cater predominantly to those who have easier access to the technology. 

Finally, the Metaverse also raises questions around data protection and privacy of users in the virtual world. In the absence of a cohesive legal and regulatory framework around data collection, use and protection, users are at a risk when they participate in virtual worlds and engage with the Metaverse. This is exacerbated in Global South countries, many of which are still in the process of formulating their data protection laws and do not have adequate legal and regulatory protections for data governance, 

Addressing these challenges would require a collaborative effort between governments, businesses, and communities in the Global South. By working together, it may be possible to ensure that the benefits of the Metaverse are more widely distributed and that everyone has an opportunity to participate. This would require substantial changes to the current conversations around the Metaverse, which lack inclusivity in design and deployment. 

CCG-NLUD’s Statement on International Cooperation to the Fifth Session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes

Sukanya Thapliyal

As an accredited stakeholder to the United Nations Ad-hoc Committee, tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”), CCG-NLUD recently participated in the Fifth Session of this key process setting the stage for first universal and legally binding convention on cybercrime.

As we reported earlier, the negotiating process has reached a pivotal stage, wherein the Member Countries are negotiating on the basis of a Consolidated Negotiating Document (CND). The CND is prepared by the Chair of the Ad Hoc Committee and succinctly incorporates various views, proposals, and submissions made by the Member States at previous sessions of the Committee.

The previous sessions of the Ad Hoc Committee witnessed the exchange of general views of the Member States on the scope, and objectives of the comprehensive convention, and agreement on the structure of the convention. This was followed by themed discussions and intense discussions on provisions relating to criminalisation, procedural measures and legal enforcement, international cooperation, technical assistance, preventive measures, among others.

The Fifth Session of the Ad hoc Committee is aimed to discuss the preamble, provisions on international cooperation, preventive measures, technical assistance and the mechanism of implementation and the final provisions. Besides the Member Countries, the multistakeholder group consisting of global and regional intergovernmental organisations, civil society organisations, academic institutions and the private sector are also weighing-in with their inputs to support and contribute to the process.

CCG-NLUD, welcomes the opportunity to submit its comments/ inputs on the present text of “Consolidated negotiating document on the preamble, the provisions on international cooperation, preventive measures, technical assistance and the mechanism of implementation and the final provisions of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.” CCG-NLUD presented the following statement on the “provision on international cooperation.”

The provisions on “international cooperation” are the crucial aspects of the Convention as it aims to encourage both formal and informal means of international cooperation for (i) investigation and prosecution of offences covered under this convention as well as (ii) collection of evidence in electronic form of a criminal offence. The CND also draws from common and well understood principles and standards in the areas of extradition, mutual legal assistance, transfer of criminal proceedings, and other effective measures, while being conversant with the divergent realities of participating member countries.

The CND text lays down general principles of international cooperation, specific provisions on extradition, transfer of sentenced persons and detailed provisions detailing mutual legal assistance amongst state legal enforcement agencies. The CND also recognises that the various provisions laid down under the chapter on international cooperation are aligned with the international human rights regime and ensure adequate protection to human rights and other fundamental freedoms.

The chapter aptly lays down the overarching principles in relation to international cooperation for it broadly outlines the scope and objective of international cooperation and recognises that power and procedure outlined under the Chapter are subject to conditions and safeguards pertaining to protection of human rights. The chapter also includes specific provisions relating to protection of personal data transmitted from one State to another and instils other important requirements such as purpose limitation and data minimisation to reduce harms manifesting to individuals.

CCG-NLUD is broadly in agreement with the above-mentioned provisions under the chapter on International Cooperation. However, we conveyed several reservations and concerns as explained below –

In light of the fact that the powers and procedures laid down in the chapter are highly intrusive and interfering, the scope of international cooperation should be restricted to a narrow set of cyber-dependent crimes that satisfy the criteria of “dual criminality”. Further, the chapter should expressly mention “applicable human rights instruments” and other necessary safeguards for protection of human rights and other fundamental freedoms. This will ensure that power and procedure laid out in this chapter are subject to adequate restrictions to protect against potential human rights abuses.

The provision on extradition should apply only in cases of “serious crimes” that include offences punishable by maximum deprivation of liberty of at least four years or a more serious penalty as defined under United Nations Convention Against Transnational Organized Crime (UNTOC). The Convention should enumerate sufficient evidentiary basis required for extradition and should also make specific references to the applicable international legal instruments such as International Covenant on Civil and Political Rights (UN ICCPR) and the UN Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment and ensure adequate protection to human rights and other fundamental freedoms.

The powers and procedures laid down under the Convention mandates the State Parties develop guidelines in relation to the format and duration of preservation of digital evidence and information for service providers. We note that such an authority should not result in data retention for indefinite periods and should not unnecessarily interfere with the data minimisation efforts of service providers. It is important that such guidelines incorporate ex-ante procedures that require independent judicial authorisation, provision for adequate and timely notice to users, measures that are strictly necessary and proportionate to stated aims and an efficient mechanism for redressal, appeal, and review.

Readers can learn more about our submission on international cooperation below:

oral_submission_agenda-item-4_international_cooperation_ccg-nlu-delhi_-to-the-fifth-session-of-ad-hoc-committee-on-cybercrime-1-1.docxDownload

Understanding the Anatomy of Cyber Enabled Crimes and their Governance

Sukanya Thapliyal

1. Introduction: 

Digital systems and Information Communication Technology (ICT) play an increasingly central role in our lives. Technological advancement has created new opportunities for cybercriminals to exploit vulnerabilities in digital systems and networks. The resulting cybercrimes can affect everyone, from government and multinational corporations to individuals. As technology continues to make deeper inroads into our lives, cybercriminals are finding unique ways to attack. The continuous evolution in technology has resulted in newer forms of cybercrimes such as Man-in-the-Middle-attack, Bluetooth Man-in-the-Middle attacks, and false data injection attacks, to name a few. This has resulted in a lack of agreement in defining and classifying threats and crimes associated with them. 

Although we lack a uniform and a neat understanding and approach towards addressing cybercrime, a few useful classification tools have been developed in this regard. One such classification tool was developed by Dr Mike McGuire and Samantha Dowling in 2013, wherein cybercrimes were divided into broad categories of “cyber-dependent” and “cyber-enabled” crimes. The cyber-dependent crimes are described as offences that can only be committed with the help of a computer, computer network or an ICT device. These include hacking, DDoS attacks, malware etc. The other category is of cyber-enabled crimes that are traditional crimes whose scope, scale and severity is greatly impacted by the use of computers, computer networks and other devices. Examples include: cyber fraud, cyberterrorism, online child sexual abuse or exploitation material, among others. 

The broad classification of cybercrime into cyber-dependent and cyber-enabled crimes is the central theme in the discussions carried out under the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of ICTs for criminal purposes (“the Ad Hoc Committee”). The discussion around cyber-enabled and cyber-dependent crimes are crucial in setting the scope of the convention. Over four different sessions, the Ad-Hoc committee witnessed wide ranging proposals on inclusion of cyber-dependent and cyber-enabled crimes under the proposed convention. Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (online child sexual abuse, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. 

This blog piece attempts to investigate the inclusion of cyber-enabled crimes as a specific choke point and why its regulations attract diverse views from the Member States and key stakeholders. The piece ends with specific recommendations and suggestions that may act as possible solutions for countering and combating cyber-enabled crimes. 

2. How Cyber-enabled Crimes have been included under other International Instruments:

Besides the UN Ad-Hoc Committee’s, several regional legal conventions, recommendations, and directives have already been developed in this regard. These have also been a reference point for the proposed convention. These include: African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), The Council of Europe Convention on Cybercrime (Budapest Convention), League of Arab States Convention on Combating Information Technology Offences, and the Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime. Besides, there is also the CARICOM Model Legislative Texts of Cybercrimes/ E-crimes and Electronic Evidences that targets the prevention and investigation of computer and network related crime. In addition, the UNODC Report on the meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime (2021) lays down Recommendations on best practices to address issues of cybercrime through the implementation of legislation and frameworks on effective criminalization, law enforcement and investigation, international cooperation, and prevention. 

International legal instruments (identified above) address an extensive range of cybercrime and criminalised both cyber-dependent and cyber-enabled crimes. The most common cyber-enabled crimes covered under these conventions include attack on computer systems, computerised data breaches, computer-related forgery, and computer-related fraud. The second set of cyber-enabled crimes covered include, offences related to child pornography, crimes that are racist or xenophobic in nature committed through computer systems. The third set of cyber-enabled crimes include offences against privacy, offences related to terrorism committed by means of information technology, and increasing punishment for traditional crimes when they are committed by means of information technology which are covered by a miniscule number of convention (such as League of Arab States Convention on Combating Information Technology Offences). 

3. Languishing Fate of Cyber-enabled crimes in Ad-Hoc Committee Process and Key Challenges in their Governance.

Although the cyber-enabled crimes are widely recognised at the international level, these have acquired only partial success in terms of their incorporation into the work of the Ad-Hoc Committee Process. 

Tracking the Ad-Hoc committee for four consecutive sessions has enabled us to identify the key challenges in incorporating and addressing a wide range of cyber-enabled crimes under the proposed convention. The cyber-enabled crimes such as terrorism-related offences, violation of personal information, extremism-related offences, or content-related crimes lack a common and clear understanding of what it constitutes due to the diverging political, cultural, and legal systems in the Member Countries. Further, these sets of crimes are largely traditional crimes that are often covered under existing international and domestic legislation and incidentally involve the usage of computer systems and ICTs. In the event that these crimes are also incorporated separately in the cybercrime convention, these can conflict with the legal instruments that are already in place. Moreover, content-related offences are broadly- worded, lack a uniform approach, and need more adequate safeguards to protect human rights and other fundamental freedoms. Therefore, binding international criminal instruments such as the Ad-Hoc Committee’s work is not an appropriate forum to address the issues emerging out of cyber-enabled crimes. Instead, these should be addressed via civil and non-legal instruments while ensuring balance with fundamental rights and freedoms. Some cyber-enabled crimes discussed under the Ad-Hoc committee, including extremism-related crimes and terrorist use of ICT technologies, are more umbrella terms that are extremely vague and subjective and pose a threat to widely recognised international human rights. Finally, the provisions related to privacy-related offences are troublesome as they criminalise a broad range of conduct without establishing a legitimate aim and providing sufficient exceptions in favour of students, journalists, cybersecurity researchers, and other public-spirited individuals. 

4. Way Forward and Suggested Solutions 

The vague and highly subjective nature of cyber-enabled crimes, their tense relationship with widely recognised international human rights and lack of sufficient exceptions can be attributed as primary obstructions that inhibit their inclusion in the Ad-Hoc Committee process. Nevertheless, these issues are of crucial importance for a large number of countries participating in the process. Member Countries, including India, Egypt, South Africa, Russia, and China, have repeatedly argued in favour of a broad cybercrime treaty and have also pushed for provisions enabling international cooperation, technical assistance, and capacity building. Lack of adequate procedural and technical competence amongst the state enforcement agencies is hampering them in their societal role, keeping citizens secure, and upholding the rule of law. In such a scenario where it is hard to build consensus in fractious issues as this, and urgency of action in respect of the threat faced by Member States, the pathway through binding international criminal instruments is less than ideal. The Member Countries, therefore, need to devise alternative pathways to address the cyber-enabled crimes though civil or non-legal instruments while keeping up the balance with international human rights and fundamental freedom. 

Another possible route to address cyber-enabled crimes is through Public-Private Leadership. The four sessions of the Ad-Hoc committee allowed us to uncover the growing mistrust and misalignment between the public and the private sector. These key stakeholders exhibit discord and opposing views of each other and are less than beneficial in addressing the critical challenges we face today due to rising cybercrime. Technology companies have latched on to their strong opinion that enforcement agencies cannot be trusted sufficiently with citizen data and digital communication. On the other hand, Member States also need to highlight the day-to-day challenges faced by legal enforcement agencies and promise adequate transparency in their actions. Some Member States have instead advocated in favour of strong obligations on the private sector to cooperate with national authorities. While public-private cooperation is imperative to address these crimes, both entities need to rethink their position, establish a cordial relationship and take up leadership roles that can then be translated into a better and more effective approach to addressing cyber-enabled crimes. 

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session (Part II)

Sukanya Thapliyal

Introduction 

In Part I of this two-part blog series, we provided our readers a brief overview and observations from the discussions pertaining to the second reading of the provisions on criminalisation of offences under the proposed convention during the Fourth Session of the Ad-hoc Committee. In Part II of the series, we will be laying down our reflections and learnings from the discussions that were held in regard to: (i) General Provisions; and (ii) Provisions on Procedural Measures and Legal Enforcement. We also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process.

1. General Provisions 

Chapter 1 of the Consolidated Negotiating Document (CND) includes five articles: statement and purposes (article 1), use of terms (article 2), scope and application (article 3), the protection of sovereignty (article 4), and protection of human rights (article 5). In the first round of discussions on General Provisions, the Member Countries, the European Union, in its capacity as observer, and the observers for non-member States provided their preliminary views on different provisions so as to allow the Secretariat to identify provisions that enjoy broad support and others where participants held divergent views. 

Round 1 Discussions

1. Points of Agreement  (Advanced to Second Round of Discussions)

A majority of the participants held positive views on the provisions enlisted under the General Provisions. They sought to strengthen several of these provisions. For example: developing countries including Iran, Jamaica (on behalf of the Caribbean Community), South Africa, and Egypt were in favour of a more elaborate and strongly worded provision on technical assistance. Similarly, several countries including, European Union, Japan, USA, Switzerland, New Zealand, Canada, and others sought (i) strong safeguards for protection of human rights and other fundamental freedoms and (ii) mainstreaming of gender perspective and (iii) consideration of persons and groups vulnerable to cybercrime. 

2. Points of Disagreement  (Subject to Co-facilitated Informal Negotiations)

The discussion witnessed divergences in relation to Article 2 (Use of Terms) of the CND. Countries including India and Russia were in favour of usage of the term “ICT” over “cybercrime” as the former is wider in nature and has been used in UN General Assembly-Resolution 74/247 that established the mandate for the Ad-Hoc Committee. On the other hand, countries including the USA, Japan, Israel, and others were in favour of “cybercrime” for being more widely understood and recognised under the domestic legal framework of various countries and already employed under several international legal instruments. The chair, therefore, took up the decision to pursue the deliberation on the said provision in the co- facilitated informal consultations under the able leadership of Mr H.E. Mr. Rapulane Sydney Molekane, Ambassador and Permanent Representative of South Africa to the United Nations, Vienna, and Mr. Eric Do Val Lacerda Sogocio, Counsellor, Permanent Mission of Brazil to the United Nations, Vienna, and Vice-Chair of the Ad Hoc Committee.

3. Co-Facilitated Informal Consultations 

The co-facilitated informal consultations witnessed detailed deliberations on the use of terminologies to be defined under the draft Convention. The deliberations represented initial exchange of views without prejudice to the future informal discussion. They shall continue ahead of, during and beyond the 5th session to allow for a common understanding on key terms in order to facilitate consensus on several provisions throughout the text of the future convention.

Round 2 Discussions

Further, in the second round of discussion on provisions that enjoy wider support, the participants brainstormed on the final language of the provisions. Several Member Countries proposed terms/ phrases and even provisions that they considered more reflective of their needs and preferences. For instance: Member Countries including Russia, Tajikistan and India proposed the usage of “detect, prevent, suppress and investigate cybercrime/ use of ICTs for criminal use” in place of “prevent and combat cybercrime/ use of ICTs for criminal use.” In addition, India also proposed the usage of “the collection and sharing of electronic and digital information/evidence” in place of “collection of electronic evidence”. Further, countries including Malaysia, Honduras and Singapore proposed for “proper balance between the interests of law enforcement and the respect for fundamental human rights” to the provision detailing the Statement of Purpose for the Convention. Similar proposals were made on provisions relating to protection of sovereignty, respect for human rights and scope of the application respectively.

The discussions relating to General Provision at the Ad-Hoc Committee process do not suffer from irreconcilable differences.  Member Countries have showcased a growing sense of convergence on provisions relating to protection of human rights and other fundamental freedoms. There is also a broad support for mainstreaming the gender perspective within the convention. The Member Countries, however, have outstanding work in relation to definitions and use of terms under the proposed convention. 

II. Provisions on Procedural Measures and Legal Enforcement 

Chapter 3 of the CND laid out provisions for – a] investigation and prosecution of offences, b] collection and sharing of information and electronic evidence, c] conditions and safeguards highlighting the need for and importance of the protection of human rights and liberties, insertion of principles of proportionality, necessity and legality and d] the protection of privacy and personal data for the purposes of the convention. The chapter included 16 articles divided into the following six clusters:

1. Cluster 1: provisions on jurisdiction, scope of procedural measures and conditions and safeguards
2. Cluster 2: procedural measures for expedited preservation of stored data; expedited preservation and disclosure of traffic data, production order, search and seizure, real-time collection of traffic data, interception of content, among others.
3. Cluster 3: procedural measures relating to freezing, seizure and confiscation of assets, establishment of criminal records, protection of witnesses and victims, and compensation for damage suffered.

Round 1 Discussions 

1. Points of Agreement (Advanced to Second Round of Discussions)

In the first round of discussions, the Member Parties unanimously recognised the importance of the provisions on procedural measures and legal enforcement and their role in laying the solid foundation for the practical international cooperation and implementation of this convention. The first round of discussions witnessed a broad agreement on the majority of the provisions under Cluster 1, 2 and 3 of CND. 

Furthermore, several Member Parties, Observer States including the European Union, India, Japan, UK, Norway, Canada, Australia, Kenya, and Israel affirmed their support on the inclusion and further strengthening of Article 42 that lays out Conditions and Safeguards that ensure adequate protection of human rights and liberties, including rights and fundamental freedoms arising from obligations under applicable international human rights law. 

Several Participant Countries also highlighted the close correlation between Article 42 and Article 41 (Scope of Procedural Measures) as being inextricably linked to one another and stated that strong procedural measures must be accompanied by robust human rights safeguards. The participant Member Countries and Observer States were broadly in agreement on inclusion of Article 43 (Expedited Preservation of Stored Computer Data), Article 44 (Expedited Preservation and Partial Disclosure of Traffic Data), Article 45 (Production Order), Article 46 (Search and Seizure) and Cluster 3 provisions (Article 50-55) of the CND. 

2. Points of Disagreement (Subject to Co-facilitated Informal Negotiations)

There was disagreement on the inclusion of Article 40 (jurisdiction), Article 47 (Real Time Collection of Traffic Data), Article 48 (Interception of Content Data) and Article 49 (Admission of electronic/digital evidence) respectively. Member Countries and Observer States and other participants including Switzerland, Japan, USA, European Union, Australia, Norway, UK, Canada raised concerns on Article 40 that allowed for extraterritorial jurisdiction of State and jurisdiction over computer data/ digital or electronic information irrespective of place of storage, screening or processing. As per the participant countries and observer states, such a provision is not in consonance with the traditional understanding of jurisdiction and may not be in alignment with Article 4 (Protection of Sovereignty) enlisted in the CND. 

Further, Member States and Observer States including EU, UK, Japan, Australia, and Norway also raised concerns on inclusion of Article 47 and 48 as these significantly interfere with human rights and are considered to be extremely sensitive in nature.  Singapore, in particular, opposed the inclusion of these provisions and stated that its inclusion has a limited utility and is likely to deter states from signing the final convention. India along with USA, Malaysia, Jamaica on the behalf of Caribbean Community (CARICOM) were in favour of inclusion of these provisions. India, in particular, also requested for the definitional clarity on terms such as “traffic data”. Besides, the participant member countries and observer states were disputed on inclusion of Article 49 and stated that the convention on cybercrime is not appropriate to include issues pertaining to admissibility of electronic evidence and is to be dealt under State’s domestic law and judicial rulings. 

3. Co-Facilitated Informal Sessions 

The chair accordingly delegated the discussion on Article 40, 47, 48 and 49 for the co-facilitated informal negotiation process to be undertaken under the leadership of Mrs. Andrea Martin-Swaby (Jamaica) and Mr. Syed Noureddin Bin Syed Hassim (Singapore).

The co-facilitated informal negotiation process underwent detailed discussions amongst participant Member States, Observer States and multi-stakeholders. The co-facilitators informed the Chair of the various developments that took place during the informal negotiation and that the co-facilitators would conduct intersessional bilateral meetings with delegations and convene additional informal negotiations of the Committee at the 5th Session scheduled in April 2023.

Round 2 Discussions 

Subsequently, in the second round of discussions, several newer contributions were made in the context of provisions laying out Conditions and Safeguards. There was also a proposal for additional provision relating to Retention of Traffic Data and Metadata, and Retention of Electronic Information in CND. Further, additional provisions on Cooperation between national authorities and service providers were also proposed and introduced in the CND for further deliberation. 

The CND and deliberations at the Fourth Session of the Ad-Hoc Committee process crystallised a number of interesting submissions and proposals made by the Member Countries over past sessions. The CND enlisted provisions aimed to redress current challenges faced by the legal enforcement agencies by providing appropriate authority allowing for expedited preservation of Stored Computer Data, expedited preservation and partial disclosure of traffic data, search and seizure, real time collection of traffic data, interception of content data, among others. 

The process, however, also witnessed disagreement on provisions relating to the understanding of jurisdiction, cooperation between national investigating and prosecuting authorities and service providers – as evident from the developments that took place in previous sessions. It is likely that the Secretariat and Member Countries will be continuing these deliberations to build consensus over conflicting issues. 

The Way Forward The proceedings at the Ad-Hoc Committee process have arrived at a critical juncture wherein Member Countries have begun text-based negotiations spearheaded by the Chair and Secretariat. The Ad-Hoc Committee will organise the Fifth Session from 11 to 21 April 2023 in Vienna as an immediate next step. The session will conduct text-based negotiations based on CND on the preamble, the provisions on international cooperation, preventive measures, technical assistance, and the mechanism of implementation, and the final provisions of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes. The upcoming sessions would be crucial in determining whether and how Member Countries would draw consensus and build toward an effective cybercrime convention that caters to the needs and expectations of the wide variety of countries participating in the UN process.

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session

Sukanya Thapliyal

1. Background/ Overview 

Last month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the Fourth Session of the United Nations Ad-hoc Committee, tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions.  It was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282). 

The three previous sessions of the Ad Hoc Committee witnessed the exchange of general views of the Member States on the scope, and objectives of the comprehensive convention, and agreement on the structure of the convention. This was followed by themed discussions and a first reading of the provisions on criminalisation, procedural measures and legal enforcement, international cooperation, technical assistance, preventive measures, among others. (We had previously covered the proceedings from the First Session of the Ad-Hoc Committee here.)

The fourth session of the Ad Hoc Committee was marked by a significant development – the preparation of a Consolidated Negotiating Document (CND) to facilitate the remainder of the negotiation process. The CND was prepared by the Chair of the Ad Hoc Committee keeping in mind the various views, proposals, and submissions made by the Member States at previous sessions of the Committee. It is also based on existing international instruments and efforts at the national, regional, and international levels to combat the use of information and communications technologies (ICTs) for criminal purposes. 

As per the road map and mode of work for the Ad Hoc Committee approved at its first session (A/AC.291/7, annex II), the fourth session of the Ad Hoc Committee conducted the second reading of the provisions of the convention on criminalisation, the general provisions and the provisions on procedural measures and law enforcement. Therefore, the proceedings during the Fourth Session involved comprehensive and elaborate discussions around these provisions amongst the Chair, Member States, Observer States, and other multi-stakeholder groups. 

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the fourth substantive session of the Ad-hoc Committee. Part I of the blog (i) discusses the methodology employed by the Ad-Hoc Committee discussions and (ii) captures the consultations and developments from the second reading of the provisions on criminalisation of offences under the proposed convention. Furthermore, we also attempt to familiarise  readers with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

In part II of the blog series, we will be laying out the discussions and exchanges on (i) the general provisions and (ii) provisions on procedural measures and legal enforcement. 

2. Methodology used for Conducting the Fourth session of the Ad-Hoc Committee. 

The text-based negotiations at the Fourth Session proceeded in two rounds. 

Round 1: The first round of discussions allowed the participants to share concise, substantive comments and views. Provisions on which there was broad agreement proceeded to Round 2. Other provisions were subject to a co-facilitated informal negotiation process. Co-facilitators that spearheaded the informal negotiations reported orally to the Chair and the Secretariat. 

Round 2: Member Countries progressed through detailed deliberations on the wording of each of the provisions that enjoyed broad agreement. 

3. Provisions on Criminalization (Agenda Item 4)

The Chapter on “provisions on criminalization” included a wide range of criminal offences that are under consideration for inclusion under the Cybercrime Convention. Chapter 2 under the CND features 33 Articles grouped into 11 clusters as:

1. Cluster 1: offences against illegal access, illegal interference, interference with computer systems/ ICT systems, misuse of devices, that jeopardises the confidentiality, integrity and availability of system, data or information;
2. Cluster 2: offences that include computer or ICT-related forgery, fraud, theft and illicit use of electronic payment systems;
3. Cluster 3: offences related to violation of personal information
4. Cluster 4: infringement of copyright.
5. Cluster 5: offences related to online child sexual abuse or exploitation material
6. Cluster 6: offences related to Involvement of minors in the commission of illegal acts, and encouragement of or coercion to suicide
7. Cluster 7: offences related to sexual extortion and non-consensual dissemination of intimate images.
8. Cluster 8: offences related to incitement to subversive or armed activities and extremism-related offences
9. Cluster 9: terrorism related offences and offences related to the distribution of narcotic drugs and psychotropic substances, arms trafficking, distribution of counterfeit medicines.
10. Cluster 10: offences related to money laundering, obstruction of justice and other matters (based on the language of United Nation Convention against Corruption (UNCAC) and United Nation Convention against Transnational Organised Crime (UNTOC))
11. Cluster 11: provisions relating to liability of legal persons, prosecution, adjudication and sanctions. 

Round 1 Discussions 

1. Points of Agreement (taken to the second round) 

The first round of discussions on provisions related to criminalisation witnessed a broad agreement on inclusion of provisions falling under Cluster 1, 2, 5, 7, 10 and 11. Member States, Observer States and other parties including the EU, Austria, Jamaica (on the behalf of CARICOM), India, USA, Japan, Malaysia, and the UK strongly supported the inclusion of offences enlisted under Cluster 1 as these form part of core cybercrimes recognised and uniformly understood by a majority of countries. 

A large number of the participant member countries were also in favour of a narrow set of cyber-dependent offenses falling under Cluster 5 and 7. They contended that these offenses are of grave concern to the majority of countries and the involvement of computer systems significantly adds to the scale, scope and severity of such offenses. 

Several countries such as India, Jamaica (on behalf of CARICOM), Japan and Singapore broadly agreed on offences listed under clusters 10 and 11. These countries expressed some reservations concerning provisions on the liability of legal persons (Article 35). They contended that such provisions should be a part of the domestic laws of member countries. 

2. Points of Disagreement (subject to Co-facilitated Informal Negotiations)

There was strong disagreement on the inclusion of provisions falling under Cluster 3, 4, 6, 8 and 9. The EU along with Japan, Australia, USA, Jamaica (on the behalf of CARICOM), and others objected to the inclusion of these cyber-dependent crimes under the Convention. They stated that such offenses (i) lack adequate clarity and uniformity across countries(ii) pose a serious threat of misuse by the authorities, and (iii) present an insurmountable barrier to building consensus as Member Countries have exhibited divergent views on the same. Countries also stated that some of these provisions (Cluster 9: terrorism-related offenses) are already covered under other international instruments. Inclusion of these provisions risks mis-alignment with other international laws that are already employed to oversee those areas.

3. Co-Facilitated Informal Round

The Chair delegated the provisions falling under Cluster 3, 4, 6, 8 and 9 into two groups for the co-facilitated informal negotiations. Clusters 3, 4 and 6 were placed into group 1, under the leadership of Ms. Briony Daley Whitworth (Australia) and Ms. Platima Atthakor (Thailand). Clusters 8 and 9 were placed into group 2, under the leadership of Ambassador Mohamed Hamdy Elmolla (Egypt) and Ambassador Engelbert Theuermann (Austria). 

Group 1: During the informal sessions for cluster 3, 4 and 6, the co-facilitator encouraged  Member States to provide suggestions/views/ comments on provisions under consideration. The positions of Member States remained considerably divergent. Consequently, the co-facilitators decided to continue their work after the fourth session during the intersessional period with interested Member States.

Group 2: Similarly for cluster 8 and 9, the co-facilitators, along with interested Member States engaged in constructive discussions. Member States expressed divergent views on the provisions falling under cluster 8 and 9. These ranged from proposals for deletion to proposals for the strengthening and expansion of the provisions. Besides, additional proposals were made in favour of the following areas – provision enabling future Protocols to the Convention, inclusion of the concept of serious crimes and broad scope of cooperation that extends beyond the provisions criminalised under the convention. The co-facilitators emphasised the need for future work to forge a consensus and make progress towards finalisation of the convention. 

Round 2 Discussions: 

Subsequently, the second round of discussions witnessed intensive discussions and deliberation amongst the participating Member Countries and Observer States. The discussions explored the possibility of adding provisions on issues relating to the infringement of website design, unlawful interference with critical information infrastructure, theft with the use of information and communications technologies and dissemination of false information, among others. 

Conclusion:

Since the First Session of the Ad-Hoc Committee, the scope of the convention has remained an open-ended question. Member Countries have put forth a wide range of cyber-dependent and cyber-enabled offences for inclusion in the Convention.  Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (such as online child sexual abuse or exploitation material, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. Countries must agree on the scope of the Convention if they want to make headway in the negotiation process. 

(The Ad-Hoc committee is likely to take up these discussions forward in the sixth session of the Ad-Hoc Committee 21 August – 1 September 2023.) 

Guest Post: Vinit Kumar v CBI: Admissibility of evidence and the right to privacy

This post was authored by Sama Zehra

The Bombay High Court (‘HC’) in Vinit Kumar v CBI was faced with a situation familiar to the constitutional courts in India. The HC was called upon to decide whether telephone recordings obtained in contravention of section 5(2) of the Telegraphs Act, 1885 (‘Act’) would be admissible in a criminal trial against the accused. Before delving into the reasoning of the HC, it will be instructive to refer to the facts of the case and an overview of India’s interception regime. 

Section 5(2) of Telegraph Act, permits interception (or ‘phone tapping’) done in accordance with a “procedure established by law” and lays down two conditions: the occurrence of a “public emergency” and in the interests of “public safety”,under which such orders may be passed. Moreover, the order must be “necessary” for reasons related to the security of the state, friendly relations with other states, sovereignty or preventing the commission of an offense. The Apex Court in PUCL v. UOI (‘PUCL’) stated that telephone tapping without following the appropriate safeguards and legal process would infringe the Right to Privacy of an individual. Accordingly, procedural safeguards, in addition to those under section 5(2) of the Act, were laid down; eventually incorporated in the Telegraph Rules, 1951 (‘Telegraph Rules’). These included; such orders being only issued by the Home Secretaries of Central and State governments in times of emergency. Secondly, such an order shall be passed only when necessary and the authority passing the order shall maintain a detailed record of the intercepted communication and the procedure followed. Further, the order shall cease to be effective within two months, unless renewed. Lastly, the  intercepted material shall be used only for purposes deemed necessary under the Act.

In the Vinit Kumar case, during a bribery related investigation, three interception orders were issued directing the interception of telephone calls by the petitioner. These were challenged as being ultra vires of section 5(2) of the Act, non-compliant with the Telegraph Rules, and for being in violation of the fundamental rights guaranteed under Part-III of the Indian Constitution. 

The HC quashed the said orders by holding that: 

Firstly, the right to privacy would include telephone-conversation in the privacy of one’s home or office. Telephone-tapping would, thus, impermissibly infringe on the interceptee’s Article 21 rights unless it is conducted under the procedure established by law (in this case, the law laid down in PUCL and the Telegraph Rules). In Vinit Kumar, the HC found the impugned orders were in contravention of the procedural guidelines laid down for the protection of the right to privacy by the Supreme Court in PUCL, section 5 of the Act and Rule 419A of the Telegraph Rules. Additionally, (and crucially) the evidence obtained through infringement of the right to privacy would be inadmissible in the court of law. 

This blog analyses this third aspect of the HC judgment and argues that the approach of the HC reflects a true reading of the decision of the SC in K.S. Puttaswamy v UoI (‘Puttaswamy’) and ushers us into a new regime of right to privacy for accused persons. While doing so, the author critically examines the previous decisions wherein the courts have held the evidence collected through processes that infringe  the fundamental rights of the accused to be admissible.

Correct Reading of Privacy Doctrine and Puttaswamy Development

Based on the decisions of the SC in State v Navjot Sandhu and Umesh Kumar v State, the current legal position would appear to be that illegally obtained evidence is admissible in courts as long as it is relevant. Consequently, as Vrinda Bhandari and Karan Lahiri have argued, the State is placed in a position whereby it is incentivised to access private information of an accused in a manner which may not be legally permissible. There are no adverse legal consequences for illegally obtaining evidence, only prosecutorial benefits. This is reflected in the decisions concerning the admissibility of recordings of telephonic conversations without the knowledge of the accused.  The rule regarding admissibility of illegally collected evidence stems from a couple of cases, however it is submitted that the rule has a crumbling precedential basis. 

A good starting point is the  Supreme Court’s decision in RM Malkani v State  (‘Malkani’). It was held that telephone recordings without  the knowledge of the accused would be admissible in evidence as long as they are not obtained by coercion or compulsion. The Court had negligible analysis to offer insofar as the right to privacy of an individual is concerned. However, this decision dates back to the Pre-PUCL and the Pre-Puttaswamy era, wherein the right to privacy (especially vis-a-vis telephonic conversations) was not recognised as a fundamental right. Hence, it becomes imperative to question the continued relevance and correctness of this decision in light of the new developments in our understanding of fundamental rights under the Constitution. Moreover, Malkani relied on  Kharak Singh v. State of U.P, which was explicitly overruled by Puttaswamy. This also casts doubt on other cases which relied on the reasoning in Kharak singh on the issue of privacy. 

In Vinit Kumar, the HC rejected the approach adopted in Malkani and Kharak Singh. Affirming the right to privacy as a fundamental right, and relying on the requirements of ‘public emergency’ or ‘public order’, the HC observes that the respondents failed to justify any ingredients of “risk to the people at large or interest of the public safety, for having taken resort to the telephonic tapping by invading the right to privacy” (¶ 19). It emphasized the need to adhere by procedural safeguards, as provided in the Act, the Telegraph Rules, and the PUCL judgment, so as to ensure that the infringement of the right to privacy in a particular case meets the standards of proportionality laid down in Puttaswamy. Crucially, the HC goes a step further to hold that since the infringement of the right to privacy is not in accordance with the procedure established by law, the intercepted messages ought to be destructed and not used as evidence in trial as it is sourced from the infringement of the fundamental right to life (¶ 22). 

Thus, we can see an adherence to the new constitutional doctrines espoused by the Supreme Court whereby the HC emphatically rejected the now-overruled reasoning of Kharak Singh v State as far as the right to privacy is concerned, and refused to apply the cases of Malkani and Dharambir Khattar v UoI whose ratios flow from Kharak Singh’s non-recognition of a right to privacy. The HC held that such judgements have been overruled by Puttaswamy (to the extent that they do not recognise the right to privacy as a fundamental right). Furthermore, it was also held that these cases involved no examination of law on the touchstone of principles of proportionality and legitimacy, as laid down in Puttaswamy (¶ 37). It circumvented the issue of ‘relevancy’ by distinguishing between ‘illegally collected evidence’, and ‘unconstitutionally collected evidence’, ruling that the latter was inadmissible as it would lead to the erosion of fundamental rights at the convenience of the State’s investigatory arm. 

The HC judgment is, therefore, an important landmark with respect to the admissibility of evidence involving violation of fundamental rights. However, given the absence of a clear Supreme Court judgment in this regard, the rights of the Indian citizenry are susceptible to the difference in the approaches taken by other HCs. A case in point is the Delhi HC judgment in Deepti Kapur v. Kunal Julka wherein a video-recording of the wife’s conversation with her friend, collected by the CCTV camera in her room was admitted in evidence despite the arguments raised with regards to infringement of the right to privacy. Thus, the exact application of a bar on evidence collected through privacy infringing measures in different contexts will need to be developed on a case by case basis. 

Conclusion

The Bombay HC judgment correctly traces the evolution of the right to privacy debate in the Indian jurisprudence. It is based on the transformative vision of the Puttaswamy judgment and appropriate application of precedent with regards to the case in hand. It symbolizes a true deference to the  Constitution by protecting the citizenry from state surveillance and  potential abuses of power. Especially in the current electronic era where personal information can be extracted through unconstitutional means, the Vinit Kumar judgment affirms the importance of procedural due process under the fundamental rights regime in India. 

Guest Post: The inclusion of “OTT” services in the Indian Telecommunications Bill 2022

This post is authored by Chiranjeev Singh

The Department of Telecommunications (“DoT”) released a draft for the Indian Telecommunications Bill 2022 (“the Bill”) on 21^st September 2022. It seeks to replace the Indian Telegraph Act 1885 (“the Telegraph Act”), among others, and provide a modern framework for regulating Telecommunications. One of the significant changes proposed by the Bill is to include over-the-top (“OTT”) communication services within the scope of regulation. This inclusion will be a paradigm shift in the Indian telecom law regime as non-spectrum services will now require a license. This article questions the rationale of including OTT services and critiques its formulation in the Bill.  

The Telegraph Act, which is the extant law, was enacted to deal with Telegraphs and Telephone Exchanges. Section 4 of the Telegraph Act states that a license is required to establish, operate and use a “Telegraph”, which is defined as any apparatus used for the transmission and emission of signals. These technologies have long been abandoned. To make this framework applicable to the modern forms of telecommunications, services provided by a “Telegraph” have been interpreted to include Access Services (voice calling, messages), Carrier Services (long distance communication) and Internet Access Services (providing access to the internet) among others. The entities which wish to provide these services (Telecom Service Providers or “TSPs”) have to obtain a license from the DoT, and abide by the conditions prescribed therein. Additionally, licensed entities must abide by regulations under the Telegraph Act, such as interconnection obligations and contributions to the Universal Service Obligation Fund.

Licensed services typically require the use of spectrum. Even though spectrum is non-depletable, it is limited in nature. The reason being, transmission of information can only take place in specific bands of spectrum, which is dependent on the nature of information. Further, the same part of the spectrum cannot be used by multiple persons at the same time and within the same geographical area. Interference of multiple signals over the same frequency can significantly worsen spectrum quality and reliability. In other words, it is a scarce rivalrous natural resource.

As is the case with other such resources, it becomes a duty upon the State to allocate the use of spectrum in a way which maximises the efficient use of the resource, maintains the quality of service and ensures that the public gets the benefit of such services to the fullest. Therefore, the State is justified in regulating the TSP’s economic exploitation of an exclusive natural resource, through licensing, national frequency allocation plans and other means.

At the same time, there has been a rise of another class of services, which are provided over-the-top of the existing network infrastructure. That is to say, entities are providing communication services over the internet, which in the first place is provided by a TSP. As an example, WhatsApp is a platform which allows users to have video and audio calls over the internet. While it provides a service which may seem similar to a traditional phone call, it neither requires any spectrum use nor a license under the Telegraph Act which a TSP would require.

Presently, OTT services act as intermediaries, i.e. they receive, store or transmit electronic records on behalf of others, are covered under the Information Technology Act 2000 (“IT Act”). The regulation of intermediaries under the IT Act involves content moderation, data privacy, lawful interception mechanism and safe harbour protections.

The Bill proposes to include OTT communication services under the telecom law regime. It seeks to regulate how communication takes place on these platforms, and intends to subject the providers of these services to regulations at par with TSPs.

The Bill introduces the term “Telecommunication Services”, which is defined as a service of any description given to a user through telecommunication. It includes, “voice, … internet and broadcast services, … internet based communication services, …  OTT communication services …” among other things. Section 3 of the Bill further states that it is the exclusive privilege of the Central Government to provide “Telecommunication Services”, and a license is required by an entity to operate the same.

A cursory look at the definition will make it evident that it is all encompassing in nature. It includes services which utilise spectrum and those that do not. In fact, one can say that it covers virtually all digital communication services.

There are a number of issues with such an approach. At the outset, the regulatory justification present for providing licenses for spectrum services does not exist for OTT services. Internet, unlike spectrum, is an abundant non-rivalrous resource which is not owned by the State. Thus, the scarcity of resources is not a concern here and the case for a licensing model is not made out. The issues pertaining to handling of sensitive personal information are taken care by the IT Act presently, and will be better addressed by the upcoming personal data protection regime. Concerns regarding quality of service also do not stand. The OTT environment is extremely competitive, and consumers have a wide range of options. As a result, consumers frequently change to higher-quality services.

The inclusion of OTT services in the telecom law regime also brings up the issue of incompatible compliance regimes. As highlighted before, OTT services are regulated by the IT Act as well. One area of dual regulation would be the lawful interception mechanism. Under the Bill as well as the Telegraph Act, there needs to be a public emergency for the State to make an interception order, which is not the case under the IT Act. Furthermore, the IT Act also recognises investigation of an offence as a ground for interception, which the Bill and the Telegraph Act do not. In such a situation, OTT services will be subjected to contradictory regulations.  

Several TSPs have welcomed this inclusion as it espouses the principle of “same services, same rules”. The argument is that while TSPs have to comply with several requirements and incur several costs (spectrum use charges, license fees etc), none of these rules apply to entities which provide OTT services which are the “same” as spectrum services. This reasoning is unfounded because the two services are based on different kinds of technologies, operate on different network layers and have different economic models.

OTT services are dependent on the network provided by the TSPs, and cannot function without them. Additionally, by subjecting OTT services to similar requirements, the net-neutrality principle will be violated. Certain websites which provide OTT services will be subject to greater barriers in the form of requiring a license to operate and other such compliances, as opposed to other websites on the Internet. This is not the case when TSPs are required to have a license. In essence, functional similarities should not be the only guiding factor for regulating them at parity.

In addition, the formulation of Telecommunication Services within the Bill is questionable. The definition of OTT services for the purpose of telecom law is disputed globally. Issues like what is meant by communication, what all is covered under OTT communication services, or should communication be a predominant function of the service to be included invite a lot of discourse as the response to them can drastically alter the scope of regulation. However, the Bill makes no effort to provide any clarity on these issues.

All these gaps make the definition vague. A law is termed vague when there is no reasonable opportunity to understand what conduct is regulated with an amount of certainty. The result is that it delegates to the law enforcers and judges the job of determining the positive content of the regulated act to an impermissible extent. Based on these reasons, the Supreme Court has previously struck down  provisions relating to the licensing powers of the executive concerning Gold dealers under the Gold (Control) Act 1968, stating that the grounds for the grant were uncertain and vague.

Presently, the Bill makes it an offence to provide Telecommunication Services without a license. However, given the sheer variety of different OTT communication services that exist, the service providers would simply not know whether they require a license to function in India. More so, the Bill is silent on the grounds on which a license may be granted, which is left to the rule making powers of the Central Government.  Thus, the constitutional validity of such a provision is suspect.

To conclude, the Telecommunications Bill 2022 leaves us with more questions than answers. It seeks to bring in a radical new individual licensing regime for OTT communication services without providing any clarifications on what it constitutes or why such a significant change is required. As can be seen from the discussion, the definition is vague in scope and can potentially include everything on the internet. Further, there is no basis on which services which are utilising spectrum are treated the same as OTT services. The policymakers need to address these concerns while revisiting the draft.

Guest Post: The Data Producer’s Right and its Limitations

This guest post was authored by Ishita Khanna.

Information privacy theorists have argued that data is ‘quasi currency’ in the age of information technology. Though the economic value of data incentivizes companies to collect data, big data also possesses the potential to increase productivity, improve governance and thus benefit consumers and citizens. Data-driven insights can extract significant value by analysing it for purposes such as cost savings, enhanced procedures, a better knowledge of behaviour, and highly tailored products.

In this data driven economy, the data generated and collected by machines and human beings possesses tremendous value. Machine generated data is said to be data which is created through the use of computer applications, processes and services or through sensors which process information which they get from software, equipment or machinery, whether real or virtual. An interesting example of machine generated data is provided by the automobile industry. Sensors installed on cars generate data with respect to traffic prediction, location based searches, safety warnings, autonomous driving, and entertainment services. An analysis of this data can result in monetizable insights in the form of revelations for vehicle designs or selling access to the insurance industry. In this way, data precedes information, which precedes knowledge, which precedes understanding. Thus, raw data in crucial in the generation of value.

It was in response to this phenomenon that the European Commission in 2017 had proposed the creation of a ‘data producer’s right’ (DPR) which would protect anonymized, non-personal machine generated industrial data against the world i.e., a novel property right in data. This would create in favour of the data producer, ‘a right to use and authorize the use of machine generated data’. One of the other dominant reasons inspiring the call for creation of a novel property right in data stems from the fear that American companies are misappropriating valuable European assets. The use of European news by Google led to an initiative for a neighbouring rights for news publishers in the EU which furthered the call for a data producer’s right. For instance, the introduction of the sui generis database producer’s right in Europe in 1996 was borne out of the fear of domination by the US database industry over Europe’s markets.

This post seeks to critically examines the background, stated aims, subject matter and scope of the data producer’s right. It studies the inter-relationship between the existing intellectual property regimes and the property right in data to analyse if and how this new right would affect these regimes. Towards the end it offers recommendations for the alternative models that could be adopted for the protection of non-personal data.

Do we need a new IP right for machine generated data?

It has been contended that the existing IPR regimes as well as civil law, contract law and trade secret protection do not offer requisite protection to machine generated non-personal data since they do not create an ex-ante right in rem, hence raw data would not be protected from misappropriation by third parties and a market for licensing of data would not emerge. Copyright law only protects acts of authorship or compilations of data that are a consequence of creative arrangement or selection. Further, the sui generis database right only extends to data structured in a database. Hence, the argument for the introduction of a right in machine generated raw data.

The EU- DPR was envisaged as a novel type of intellectual property right, as the means to an end: to make data accessible. However, building new property fences seems paradoxical to the idea of increasing access to data. The answer to this lies in recognition of the fact that ‘property is an institution for organising the use of resources in society’. The stable legal entitlements that come along with a property right incentivizes the development of a valuable resource through consolidating both risks and benefits in right-holders and also stimulates the use and trade of data. The DPR was conceived of as a right in rem i.e. ‘enforceable against the world independent of contractual relations’ including the exclusive right in the data producer to use certain types of data and license their usage, thus embodying the essential features of the right of ownership of property. The hope was that infusing machine generated non-personal data with property rights, it would lead to the creation of a stable and safe licensing marketplace for the data.

Why is data such a challenging subject for IP Law?

However, the DPR would extensively overlap with copyright and sui generis database rights in production made using digital machines which could give lead to numerous competing ownership claims. For instance, the aggregate stock market data in a financial database would be the subject matter of protection of both the data producer’s right and the sui generis database right. Further, DPR could trump the statutory limitations laid down under the existing IPR regimes and the database right thus limiting their scope of protection. At present, users in the European Union are allowed to copy data from databases for the purpose of non-commercial research. The DPR would infringe on such freedoms allowed to the users unless it includes within its ambit all such relevant exceptions.

Another objection against a property right in data lies in its inherent lack of legal certainty and stability with respect to its scope, subject matter, and ownership, essential for it to be considered as a full-fledged IP right enforceable against the world. A property right in data would severely infringe on the freedom of expression and information by curtailing access to data to scientists, research institutions and journalists with respect to text and data mining. This freedom has been acknowledged in Article 13 of the EU Charter which stresses on the free flow of data in arts, scientific research and academic freedom.

Thus, a data producer’s right would encroach upon the central tenet of the IPR system which regards data as ‘free air for common use’ and only offers protection to creative and innovative inventions. The dynamic and fluid nature of raw data makes it difficult to classify as subject matter of a full-fledged intellectual property right. The database right raised a similar objection. However, the definition of ‘database’ and the requirement of a certain threshold of investment created at least some stability in the scope and subject matter of the right, unlike the DPR.

It is also important to understand why the property logic for data protection failed. The lack of success of the closely analogous, sui generis database right in promoting investment in and incentivizing the formulation of databases in the EU database industry is one of the reasons. Another reason is said to be attributed to the inclination towards opening data or making it accessible for both commercial and non-commercial re-use thus doing away with the exclusivity requirement. Hence, currently there exist no potent economic justifications for creation of a DPR. Instead, data producers can protect their data using the contract law, trade secret law and technology law protection mechanisms.

Thus, it can be concluded that a novel IP right should only be introduced after thorough economic-evidence based research establishing the real requirement for the right and not spontaneously. However, this alone will not suffice and must be accompanied with a methodical legal analysis of the scope and subject matter of the new right as well as its inter-relationship with the existing IPR regime.