This is Part II  in EFF’s ongoing series about the proposed UN Cybercrime Convention. Read Part I for a quick snapshot of the ins and outs of the zero draft;  Part III for a deep dive on Chapter V regarding international cooperation: the historical context, the zero draft's approach, scope of cooperation, and protection of personal data., and Part IV, which deals with the criminalization of security research.

As one of the last negotiating sessions to finalize the UN Cybercrime Convention approaches, it’s important to remember that the outcome and implications of the international talks go well beyond the UN meeting rooms in Vienna and New York. Representatives from over 140 countries around the globe with widely divergent law enforcement practices, including Iran, Russia,  Saudi Arabia, China, Brazil, Chile, Switzerland, New Zealand, Kenya, Germany, Canada, the U.S., Peru, and Uruguay, have met over the last year to push their positions on what the draft convention should say about across border police powers, access to private data, judicial oversight of prosecutorial practices, and other thorny issues.

As we noted in Part I of this post about the zero draft of the draft convention now on the table, the final text will result in the rewriting of criminal and surveillance laws around the world, as Member States work into their legal frameworks the agreed upon requirements, authorizations, and protections. Millions of people, including those often in the crosshairs of governments for defending human rights and advocating for free expression, will be affected. That’s why we and our international allies have been fighting for users to ensure the draft convention includes robust human rights protections.

Going into the sixth negotiating session, which begins August 21 in New York, the outcome of the talks remains uncertain. A variety of issues are still unresolved, and the finalization of the intricate text faces approaching deadlines. The foundational principle of the negotiations—“nothing is agreed until everything is agreed upon”—underscores the complexity and delicate nature of these discussions. Every element of the draft convention is interrelated, and the resolution of one aspect hinges on the consonance of all other areas of the text.

In Part I, we shared our initial takeaways about the zero draft—some bad provisions were dropped, but ambiguous and overly broad spying powers to investigate any crime, potentially including speech-related crimes, remain. In Part II we’ll delve deeper into one of the convention’s most concerning provisions: domestic surveillance powers.

These provisions endow governments with extensive surveillance powers but only offer weak checks and balances to prevent potential law enforcement overreach. States could misuse such powers by misrepresenting protected speech as cybercrime and exploiting the broad scope of these spying powers beyond their initial purpose. While we successfully advocated for the exclusion of many of the most problematic non-cybercrimes from the draft convention's criminalization section, the draft still permits law enforcement to collect and share data for the investigation of any crime, including content-related crimes, rather than limiting these powers to core cybercrimes. The existing human rights obligations under Article 5, although a positive inclusion, are not sufficiently robust. Combined with the draft’s inherent ambiguity, this could lead to the abusive or disproportionate misapplication of these domestic surveillance powers.

Below, we’ll talk about the domestic spying chapter of the draft convention:

Criminal Procedural Measures (Chapter IV, Article 23)

Article 23 of this chapter expands the scope of the surveillance powers chapter in concerning ways. It describes procedures for dealing not just with specified cybercrimes (those in Articles 6-16), but also for the collection of electronic evidence related to any type of crime, regardless of its severity or whether it is connected to a computer system. This expansion means that the domestic spying powers can be used to investigate any crime, from cybercrimes like hacking to traditional non-cybercrime offenses like drug trafficking—even speech crimes in some jurisdictions, such as insulting a monarch—as long as there's digital evidence involved.

Moreover, Article 23 doesn’t clearly stipulate that the powers established should be used only for specific and targeted criminal investigations or proceedings; though the draft convention’s wording doesn’t explicitly compel service providers to indiscriminately retain data for mass surveillance or fishing expeditions, it does not clearly prevent it. 

New Domestic Spying Powers

The draft chapter on criminal procedural measures introduces six domestic spying powers (expedited preservation of stored data, expedited preservation and partial disclosure of traffic data, production order, search and seizure of stored data, real-time collection of traffic data, and interception of content data) with far-reaching implications for human rights. These powers, if misused or applied overly broadly, hold the potential for serious intrusions into peoples’ private lives. Personal data can reveal a person’s detailed private information, such as contacts, browsing history, location, device details, and patterns of behavior. For instance, a series of web searches, visits, and phone calls can reveal someone's medical condition. Access to personal data represents a significant interference with privacy rights and must be handled with necessary safeguards, including prior judicial authorization, transparency, notification, remedies, time limits, and oversight.

This is why States need to ensure robust, detailed safeguards in the draft convention. EFF and more than 400 NGOs have led the way, introducing in 2014 the Necessary and Proportionate Principles, a set of guidelines that serve as a blueprint on how to apply human rights law to communications surveillance. In court briefings and other material, we’ve discussed the sensitivity of communications data and the application of these principles, including metadata and subscriber data. But, in its current form, the draft convention’s human rights safeguards are simply not robust enough to protect against the misuse of personal data. Several critical requirements are noticeably absent.

Human Rights Safeguards (Articles 5 and 24)

The draft convention has two articles on human rights: a general provision, under Article 5, that applies to the whole draft convention, and Article 24, which describes the conditions and safeguards applied to the new domestic surveillance powers. We believe that the current version of Article 24 fails to provide the robust safeguards needed to protect human rights and to curb law enforcement overreach, and should be revised. 

For instance, it should require prior approval by a judge, set time limits, and give targets a remedy if they are wrongfully spied on. It should also require authorities to explain specifically what facts justify intercepting particular people’s communications, and why. And it should require governments to tell the public how often these powers were used. We’ve been fighting for years around the world for mandatory safeguards like these, for example through amicus briefs in court cases, for example, our joint amicus with ARTICLE19 and Privacy International, as well as through the Necessary and Proportionate Principles.

Article 24 also only mentions the principle of proportionality, omitting other equally important principles, such as legality and necessity. It leaves it up to States to decide what kind of oversight is “appropriate in view of the nature of” each spying power, potentially allowing States to claim that some powers don’t require significant limitations or oversight. There are no specific minimum safeguards or minimum rights for targets of surveillance, not even for the most intrusive surveillance provisions authorizing real-time collection of data or interception of content. 

Meanwhile, Article 5 says the “implementation” of their obligations under the new draft convention shall be “consistent with [states’] obligations under international human rights law.” While that sounds good, it can also be taken to apply only to human rights treaties that a given state has already ratified, providing a big loophole for states like China, Bhutan, Brunei, Holy See, Saudi Arabia, Oman, Palau, Niue, Myanmar, Malaysia, Kiribati, Singapore, South Sudan, Tonga, United Arab Emirates, and Cuba that have failed to sign or ratify the main human rights rules such as the International Covenant on Civil and Political Rights (ICCPR) that other states have ratified. 

In the face of opposition from some states to the safeguards in Articles 5 and 24, and even proposals to delete Article 5, it's critical to consider what's really at stake. Importantly, these Articles are not duplicative nor overarching, but apply strictly to the provisions within the convention itself, offering a crucial scope to these powers. The integration of human rights into the draft convention isn't a surrender of sovereignty but an acknowledgment of states’ shared responsibility to uphold our common human dignity. These rights, universal in nature, set the baseline standards for all to live free from injustice and persecution. It's not just about semantics or legal technicalities, the inclusion of these Articles is pivotal to ensure that the draft UN Cybercrime Convention, throughout all its chapters, embodies states’ commitments to protect and uphold human rights.

In prior sessions, some states argued for the elimination of Article 5 or the consolidation of protections into a single article, but we fervently believe that reinforcing Article 5 is paramount. Most alarmingly, unlike the Consolidated Negotiating Document (CND)—an earlier draft with all states’ positions—Article 24 of the zero draft no longer applies to the international cooperation chapter. This issue is deeply concerning as it opens the door to "jurisdictional exploitation," where a state could exploit these varying domestic safeguards standards to conduct surveillance activities in a less safeguarded jurisdiction that would be considered illegal on its own. By bolstering the universal safeguards standards as proposed in Articles 5 and 24, such potential abuses could be effectively mitigated.

The current version of the draft convention, lacking robust safeguards, risks enabling discretionary or prejudiced use of surveillance powers. Our new joint submission with Privacy International for the upcoming sixth negotiation session has proposed explicit safeguards (in our updated version of Article 24) wherever new powers are granted to law enforcement. We also believe in the need for service providers to deny data requests based on human rights concerns. The necessity to adopt our suggested changes to Article 24 and reinforce Article 5 cannot be overstated. These modifications would clear ambiguities and ensure universally recognized human rights are enforced both within the draft convention and globally. Regrettably, the Budapest Convention lacks a provision similar to Article 5 of the zero draft, which applies to all chapters of the draft UN convention. This is concerning, given that most democratic states have been usually proposing text based on language that already exists in the Budapest Convention itself, and hardly making any modifications.

Definitions Matter (Article 2)

An additional concern arises from the recurring and undefined term "competent authorities," found throughout the zero draft. Notably, the six powers listed above include a similar provision, stating “Each state party shall adopt such legislative and other measures as may be necessary to enable its competent authorities.” However, the term is not yet included in Article 2 of the zero draft, which lists term definitions. In the context of the Budapest Convention, this term has been broadly defined to include a variety of entities, such as prosecutors or the police themselves, who lack impartiality and independence. If the concept of “competent authorities” is copy-pasted verbatim from the Budapest Convention, it risks replicating its shortcomings. This is due to the significant potential for overreach and misuse of powers by authorities who are neither impartial nor independent, raising serious concerns.

Interception of Content Data (Article 30)

This power allows for the real-time interception of content data, granting law enforcement the ability to monitor communications as they occur. Article 30 calls for State Parties to adopt legislative measures empowering “competent authorities” to collect or record content data in real-time for “a range of serious criminal offenses to be determined by domestic law”—with no restriction to cybercrimes. Some states’ notion of “serious offenses” can include speech about politics or religion, or criticism of the government or public officials. It also mandates cooperation from service providers to assist in data collection or recording “within [their] existing technical capabilities.” Furthermore, service providers (which could be any kind of communications intermediary, such as an ISP, social network, or cloud provider) can be ordered to keep the interception confidential.

As we mentioned above, this kind of intrusive surveillance power should require prior approval by a judge, set time limits for interception, and provide targets an effective remedy if they are wrongfully spied on. Our new joint submission with Privacy International for the upcoming sixth negotiation session asks for some of these safeguards to be made explicit and for these powers to be limited to the particular cybercrimes in Articles 6-16 defined by the draft convention.

When the draft convention talks about “content,” it refers to “the substance or purport” of the communication, “such as text, voice messages, audio recordings, video recordings, and other types of information.” We understand that “other types of information” might include things like images or files attached to an email. We’d like to see more clarity, for example, on the treatment of web browsing, to make sure the pages someone visits on a website, like Wikipedia articles, are considered content. This information is potentially sensitive as it can reveal details about a person’s interests and even beliefs. We’ve argued for years that the distinction between content and non-content is obsolete for evaluating the intrusiveness of surveillance and the sensitivity of private information. Quite a lot of privacy questions hinge on this distinction, which often can no longer bear the weight that’s placed on it. (See “ Changing  Technology and Definitions” in the Necessary and Proportionate Principles for one example.) We understand that numerous laws have used these concepts, often following the Budapest Convention, so moving beyond them remains challenging, but we continue fighting for stronger protections for sensitive information of all types.

One way to safeguard this sensitive data in the draft convention is by strengthening Article 24 to expressly apply principles and safeguards uniformly to every kind of surveillance power. But if that’s not possible, we should still provide strong protections like those described above.

Real-time Collection of Traffic Data is Also Highly Intrusive (Article 29)

The collection of traffic data in real time provides an understanding of communication patterns and connections between different entities. This is also a highly intrusive power. Given the sensitive nature of real-time traffic data, which could encompass individuals' locations, relationships, browsing habits, and communication patterns, the adoption of such measures must be handled with utmost care. 

Based on the definition of traffic data under Article 2, it could be argued to include location information. Traffic data refers includes data used to trace and identify the source and destination of a communication, as well as data about the location of the device used for communication, along with the date, time, duration, and type of the communication.

This power can help law enforcement agencies map out networks of cybercriminals. However, the privacy implications are substantial if this power is not strictly limited nor data highly safeguarded, as it could be used to track innocent individuals' online behavior, including their physical location. Such information reveals whether people were in the same place at the same time, and whom they do or don’t communicate with under particular circumstances, and allows the mapping out of their personal relationships and specific locations over a period of time.

Under this Article, state parties must pass domestic laws that authorize their competent authorities to collect or record traffic data in real-time, or compel service providers to do this for them where the providers are able. We’re calling for these powers to be available only for the cybercrimes defined under Articles 6-16 of the draft convention, or at most for serious crimes. In any case, the safeguards we propose under Article 24 should apply to this power, including the need to obtain prior judicial authorization. 

Search and Seizure of Stored Data (Article 28)

This provision allows authorities to search and seize data stored on a computer system, including personal devices. Under this search power, authorities can look through someone's computer or other digital devices, find the data they need, and seize or secure it.

Article 28.4 requires Parties to put in place laws or other measures enabling their competent authorities to order anyone with knowledge about how a particular computer or device works to provide information necessary to search that computer or device. This could involve understanding the device itself, its network, any security measures protecting its data, or other aspects of its operation. This is similar to language already in the Budapest Convention that technologists have been concerned about for years because it might be read to compel an unwilling engineer to help break a security system. In the worst case, it might be interpreted to include disproportionate orders that can lead to forcing persons to disclose a vulnerability to the government that hasn’t been fixed. It could also imply forcing people to disclose encryption keys such as signing keys on the basis that these are “the necessary information to enable” some form of surveillance.

PI and EFF strongly recommend Article 28.4 be removed in its entirety. If it stays in, the drafters should include material in the explanatory memorandum that accompanies the draft Convention to clarify limits on compelling technologists to reveal confidential information or do work on behalf of law enforcement. Once again, it would also be appropriate to have clear legal standards about how law enforcement can be authorized to seize and look through people’s private devices. Somewhat akin to language in the Budapest Convention, Article 28.3(d) also allows law enforcement to obtain a warrant to delete data from a device.

Production Order (Article 27)

This power comes in two parts. Article 27(a) involves compelling someone to turn over stored data that already exists, typically stored data such as users’ messages, emails, cloud data, or even online backups of people’s devices. Article 27(b) involves compelling service providers to turn over subscriber information, such as the identity or contact information of a particular user.

Subscriber information is often treated as less sensitive and is less stringently protected than other kinds of data, but it’s the most common means by which law enforcement identifies a person associated with some online activity. In some states, governments have sought indiscriminate access to this data (and hence to the ability to identify people) without individualized suspicion. In other cases, it can be turned over voluntarily with no legal process. The ability to put names and addresses to online information is immediately connected with the power to intimidate and repress dissent, and causes people to doubt that they can do anything at all online without having their name readily turned over to the government. These scenarios underscore the need for the draft convention to require legal standards for all kinds of surveillance, including disclosure of subscriber identities.

Courts in many places have recognized the importance of online anonymity and the harm to online speech that results from making it too easy for people’s identities to be exposed. We should ensure that the draft convention doesn’t compel a low standard for identifying online speakers, or preclude courts from adopting a higher standard in the future.

Conclusion

As we approach the final negotiation session of the United Nations Cybercrime Convention, it's important to underscore the need for strengthening the human rights safeguards under Articles 5 and 24 to ensure power is met with accountability rather than tilt the scale in favor of weak safeguards that do not sufficiently curb overreach. 

The draft convention negotiations represent an understated global battle for our digital rights and freedoms. The conclusion of these talks will deeply influence the digital lives of billions of people worldwide. Hence, States must strive to guarantee that the resulting accord doesn't encroach upon our human rights, but rather fortifies and augments them. Digital rights are human rights, and our digital future hinges on the decisions and actions of negotiators.