Griffin on Tech: Cybercrime treaties must not become tools of oppression
The international nature of cybercrime can make it very difficult to track down the perpetrators of devastating hacking attacks and misinformation campaigns that can damage democracy.
Hackers are increasingly sophisticated, hiding their tracks with onion routers and clever masking techniques. Organisations like the Waikato District Health Board and its patients had their data stolen in 2021 in a ransomware attack. The cost of fixing compromised IT systems was significant. But the criminals weren’t held to account.
While hackers’ extortion attempts are often fruitless, they are happy to move on to the next victim - it’s just another day at the office for them.
It means that some sort of international agreement to aid countries in collectively tackling cybercrime from a legal standpoint makes a lot of sense and could disproportionately benefit New Zealand given our small size and the fact that the vast bulk of cyber attacks originate from other countries.
There are two agreements seeking to do so: the Budapest Convention, created way back in 2001 by European countries and now including 67 countries as signatories, and the UN Cybercrime Convention, which is currently being negotiated.
New Zealand is not a signatory to the Budapest Convention, but we have observer status and are considering whether to sign up. We are at the table for the UN discussions, for which the 5th negotiating session was held in Vienna this week, but there’s plenty of dissent among UN member nations as negotiations drag on.
The content problem
Human rights groups and organisations like the Electronic Frontier Foundation are deeply concerned that the UN Convention on Cybercrime, as outlined, could lead to serious overreach by governments trying to silence dissent. That’s because the treaty as drafted doesn’t just foster cooperation on computer crime, unmasking spammers, hackers and disrupting the infrastructure they use. It also outlines a host of content-based crimes that take us into freedom of speech territory.
Our own Government discovered how problematic that can be when it tried to introduce hate speech legislation but was met with a wall of opposition and had to scale back its scope to focus mainly on religious hate speech.
Now UN treaty negotiators are facing the same backlash on a global scale.
“As it stands, [the convention] creates over thirty new cybercrime offenses, including half a dozen that would make it a crime to send or post legitimate content protected by international law,” the EFF points out.
“This goes far beyond what States are allowed to restrict under international human rights standards. Most concerning are overly broad provisions seeking to criminalize speech on the basis of fake news, extremism, incitement and terrorism. International human rights law already provides clear guidance on how to address many of these issues.”
Indigenous data
There are similar concerns about the Budapest Convention, which, despite being in effect for years, doesn’t appear to have had a huge impact on cybercrime prevention anyway.
As the University of Auckland’s Professor Jane Kelsey says of the Budapest Convention:
“There is a concern that Indigenous people’s resistance that is organised on the Internet risks being labelled as cyber-crime by governments in their countries, and that their data stored on social media could be trawled.
“Under the Convention, authorities who have these concerns would be able to access indigenous people’s data not only in their own country but could also make requests to trawl through the data of other indigenous people they have relationships with from other signatory countries.”
An international cybercrime agreement would be valuable to speed up the process of identifying and shutting down cybercriminals. It could allow law enforcement agencies to gain access to internet service provider data without a warrant, speeding up urgent investigations.
Stick to computer crime
But these treaties’ emphasis on content-related “crimes” is deeply problematic. Many governments will use these provisions to silence their opposition and run roughshod over privacy and established human rights.
As TechDirt’s Tim Cushing puts it: “If [the UN] really wants to stop cybercrime, it should focus more on universally recognized computer crimes, rather than speech that, while terrible, is still protected. And it definitely should rewrite the proposal with an eye on the unintended consequences, because it’s those consequences that will contribute the most to the inevitable abuse of this treaty”.