The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> JOEY SHEA: Hello, everyone. We are going to get started in a few moments. And just to note for folks in the room, I believe you are going to have to listen with the headphones so that you can hear our speakers online. Channel number 1. We are just making sure that everyone in the room has their headphones on and can be listening. Give us 30 more seconds and then we will be beginning.
Excellent. Thank you, everyone, for being here today. Channel 1 with the headphones on.
We are going to begin the session. My name is Joey Shea. I cover Saudi Arabia for Human Rights Watch. We are also joined in person by my colleague, Deborah Brown, who covers tech and human rights in our tech division, also at Human Rights Watch.
I want to welcome you today to our session on the UN Cybercrime Treaty and the impacts that it may have on transnational repression. We have a very important and, in fact, historic panel for everyone here today.
Before we begin the conversation, I do want to take a moment to acknowledge who is not here. Many human rights defenders are unable to be here on the grounds, including a number from the country in which this conference is taking place.
So, I do want to take a moment to say a few names of human rights defenders who have been detained across the Middle East, including in the country which we now reside, and have a moment of silence for them.
So I want to take a moment, a brief moment of silence, to reflect on these individuals and their contribution to the space.
Thank you again to everyone for being here today. The other thing I want to acknowledge, in addition to those defenders whose names I just spoke, other folks who are not able to be here in the room with us today.
So, beside me would have sat Lina al-Hathloul, who is joining us remotely on the screen. Lina is, of course, a citizen of the country in which we now reside, but she is unable to be here given, you know, security concerns related to her activism abroad.
Instead of her physically being here in person, we have laid out an empty chair and a name tag here to show not only her absence.
I want to welcome our other panelists, to get to it more concretely, who are joining us remotely. We have Nick Ashton-Hart, who is joining us here on our lower left of the screen. Nick leads the Security Tech Accords representation at the UN and headed their delegation to the cybercrime convention negotiations. And the Tech Accord is a global coalition of more than 160 companies that advocates for greater international action to address malicious cyber incidents and their causes.
We are also joined by Veridiana Alimonti, who is a Social Director for Latin America Policy at the Electronic Frontier Foundation. She is a lawyer, she holds a Ph.D. in human rights from the University of São Paulo Law School, and her work focuses on the intersection of technology and human rights such as privacy and freedom of expression.
We are also going to be joined a little bit later by another colleague, Fionnuala Ni Aolain, who is a Professor of Law at Queens University of Belfast and a Regents Professor at the Minnesota Law School. And she is also a former UN Special Rapporteur on Counterterrorism and Human Rights.
So, to start off our discussion here today, I want to turn to my colleague in the room, Deborah Brown, who has been focused on the UN Cybercrime Treaty for many years.
And so I first would be super grateful if you could take us through, first of all, what is the UN Cybercrime Treaty, what is its status, where are we today, and what are the main issues with regard to human rights concerning the treaty.
>> DEBORAH BROWN: Thank you so much, Joey, for the introduction. And hi to everyone in the room and online. I know it's very early for some of you. So, thank you for joining us.
Thank you also, Joey, for that moment of silence. I think that really grounds our discussion why we are here to talk about transnational repression and the rights of people who have been detained or otherwise had their rights restricted on the basis of cybercrime laws.
I'm going to start off with an overview. I see some familiar faces in the room. I know some of you are intimately familiar with the UN Cybercrime Treaty. Others of you luckily might not be so I want to set a groundwork or grounding the treaty on basics where we are, what it does and what comes next.
So, this is the first global treaty on cybercrime, that we will be discussing today, it was first approved to move forward almost five years exactly today by the UN General Assembly. In 2019, in December, the UN General Assembly voted to start negotiations on this treaty. There was not consensus at the time that there should be a global cybercrime treaty or what even the scope or purpose of that treaty would be.
The treaty was first proposed by the Russian Federation. Russia circulated a draft treaty two years prior in 2017 and when it came down to decide whether to move ahead with this, the U.S., European Union and a number of like-minded states voted against or abstained from the treaty, from the process to start the treaty negotiations.
Since then, there's been a little over three years of negotiations, give or take, and in August 2024, what's known as the ad hoc committee which was the body established to negotiate the treaty text agreed on a treaty. They agreed by consensus for the treaty that sits before the UN General Assembly this week. It's expected to be adopted I think any day now. And at that point it will open for ratification.
Once 40 governments ratify the treaty, 90 days after that point it will go into effect, into force. And then soon after, within the next two years, negotiations on a protocol to be attached to the treaty will also start and that protocol will be adopted once there's agreement on it and once 60 states have ratified it.
We refer to the treaty shorthand today as the UN Cybercrime Treaty, but it's actually a bit of a misnomer. That's not the full name. The full name is strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems, and for sharing of evidence in electronic form of serious crimes.
And that last bit is, I think, what brings us here today mostly, is to discuss beyond cybercrime, beyond attacks on computer networks and network systems, this treaty is a general purpose treaty to investigate and prosecute and cooperate internationally on a much wider range of crimes, particularly serious crimes.
The treaty just to break down the components, it does actually criminalize certain acts, the criminalization chapter, if you will and that requires states that ratify the treaty to criminalize in domestic law certain offenses, these range from core cybercrimes like attacks on ICT systems, illegal access to data, illegal interception, things like this, and cyber enabled crime a select number of them like online child sex abuse material.
We will hear more from Fionnuala later on about the capability of those offenses and how they are drawn up into international rights law. In the negotiations there was a lot of disagreement or negotiation one might say on the scope of criminalization, there were some states that really wanted to see a much broader range of acts criminalized, which would include content-related offenses, things that are broadly defined like -- were not defined like extremism or terrorism and then states that wanted to see a much narrower set of crimes included, and we landed somewhere in between.
On the flip side of that there's a much broader scope of crimes on which investigations and prosecutions can happen and transnational cross-border cooperation.
The convention requires states to establish expansive electronic surveillance powers to investigate and cooperate on a range of crimes even when no ICT systems were used to commit those crimes. It includes specifically international cooperation on anything called a serious crime, which under the treaty says that, basically, any crime as defined in domestic law that carries a criminal sentence or penalty of four years in prison or more.
Now, looking around the world, and I think we will hear more about this from my colleagues remotely, many countries criminalize acts that are defensive human right, for example, independent journalism, criticizing one's government, being LGBTQ and under this treaty this now states are required to provide mutual legal assistance to prosecute the crimes that might not be an offense in their own country and that's the kind of issues that we will be talking more about later.
I know for this introductory period we are trying to just cover the high-level point so I think I will move to the human rights safeguards or lack thereof before turning to other colleagues.
I think it's important to recognize that the treaty does include a provision an article on human rights and it also includes, so that's Article 6, it includes another article 24 on conditions and safeguards.
And this wasn't a guarantee from the outset and it's important to recognize where some progress was made. Article 62 specifically says nothing in this convention shall be interpreted as permitting the suppression of human rights or fundamental freedoms.
So, it's designed in principle to guard against misuse of the Treaty to restrict or violate human rights. Unfortunately that article is inactionable. There aren't really enforceable limitations on the use of the treaty to restrict rights elsewhere and I will turn to Article 24 which is a condition and safeguards article which largely defers to domestic law. It does mention international human rights standards, but it does so in a selective and in some cases optional way. It relies heavily on the principle of proportionality but fails to mention legality and necessity, meaning that limitations on human rights that would be permitted by the Treaty should be legal, specific and really clear and that they should be necessary, meaning that they are designed for a specific purpose and least restrictive measure necessary. Things like traditional authorization are not required. They are optional in this. And things like notice of individual notice to, let's say, people who have been surveilled or had their data collected for the purpose of an investigation, there's no individual notice and there's no transparency required that you need to know in order to actually push back against such request.
And I would also flag that Article 24.2 or as a whole only applies to chapter 4, the procedural measures, and to chapter 5 on international cooperation when the powers on chapter 4 are relied on. There are certain acts like law enforcement cooperation and joint investigations which may include the sharing of data collected outside of the Treaty or domestically aren't covered by the human rights provisions. And there were strong efforts from some member states to apply Article 24 on conditions and safeguards to the whole Treaty and those were not successful in the end. So, there are certain gaps and there's a lot of latitude and kind of flexibility given to governments in how they interpret and enforce the Treaty from the human rights perspective.
Throughout the negotiations, Human Rights Watch, Electronic Frontier Foundation, industry have been raising these questions in terms of the gaps and how this Treaty can be used to -- or abused to violate human rights.
We often give examples in our work. These aren't hypothetical. And this is why I am very pleased that Lina will be speaking here to share from her work and her experience on the very real cases of what's at stake.
>> JOEY SHEA: Thank you so much, Deborah. And I think that is a very appropriate note to end on, as we turn now to Lina al-Hathloul, who I didn't actually properly introduce when we began.
But Lina al-Hathloul is a Saudi human rights defender. She is the head of monitoring advocacy at ALQST, which is the Saudi-led human rights organization based in London. She is also the sister of Loujain al-Hathloul, one of the most famous Saudi human rights defenders, who spent over 1000 days in Saudi prison due to her human rights work.
With that, I would like to turn to Lina. And Deborah did an excellent job outlining what the Cybercrime Treaty is and some of the gaps with regard to human rights, particularly as the treaty defers to domestic law on a number of these issues.
So, I'm wondering if you could speak about your experience as a Saudi human rights defender and Saudi law and how this treaty may, sort of, interact and lead to further repression in Saudi Arabia.
>> LINA AL-HATHLOUL: Thank you, Joey, thank you Deborah. Good day, everyone. I will be reading my speech and we can have a later -- a conversation later on.
So, I want to begin by expressing my gratitude for the opportunity to address you today, even if I cannot be with you in person. The proposed UN Cybercrime Treaty and its potential ramifications for countries like Saudi Arabia.
The UN Cybercrime Treaty as it currently stands is excessively broad and introduces certain illegal uncertain. It provides states with the tools to leverage cross-border surveillance powers to address a vaguely defined list of criminal offenses. This vague framing risks becoming a serious weapon at the hands of governments that are already using cybercrime laws to suppress the citizens.
Under Article 34 of the proposed treaty, states are required to cooperate in collecting, obtaining, preserving and sharing electronic evidence for any serious crime, punishable by four years or more.
Article 40 requires states to provide one another with the widest measures of mutual legal assistance in investigations, prosecutions and judicial proceedings in relation to acts criminalized by the treaty and any serious crime.
Without clear and (?) limitations, such provisions will give governments unchecked power to surveil, arrest and silence individuals under the guise of law enforcement.
It also risks making States Parties to the treaty complicit in abuses.
The problem is compounded by differences in judicial systems and their independence or lack thereof. The treaty largely defers to domestic law and the conditions and safeguards it outlines in Article 24.
The cybercrime treaty will only exacerbate these existing abuses, it will provide governments with even more tools to surveil, silence and detain critics, undermine fundamental human rights under the pretense of addressing cybercrime.
It is critical to address these risks and implement clear safeguards to ensure that such provisions cannot be misused.
In closing, I want to emphasize that cybercrime legislation must prioritize human rights and include robust definitions, safeguards and dependent oversight.
The price of failing to do so is measured in lives silenced, freedoms lost and families torn apart, a price that many, I know all too well.
Thank you for listening and for holding space for voices like mine. I look forward to a day where I can join you in person, without fear, to continue this vital conversation. Thank you.
>> JOEY SHEA: Thank you, Lina, so much for those very important remarks, and I do want to come back to you to hear, you know, even further how the cybercrime treaty will impact human rights and freedoms here in Saudi Arabia.
I also want to turn now to Veridiana. I just want to make sure that the screen -- there we go. I want to turn now to Veridiana to speak about another case study. And I just want to make sure that our technical -- we are just going to wait until the Zoom appears on the screen here so that we can see Veridiana as we are hearing from her.
>> VERIDIANA ALIMONTI: Hi.
>> JOEY SHEA: Excellent. Veridiana, I'm sure you can't see in the room but you are now on our screen. So welcome.
Veridiana, I want to, sort of, turn to you now and ask you about the lack of robust privacy and data protections in the convention, and specifically how these may be problematic from a Latin American perspective, particularly with regards to the legal frameworks in place and the weak protections in your region. So, welcome.
>> VERIDIANA ALIMONTI: Thank you very much, Joey and Deborah.
So, we at the Electronic Frontier Foundation have engaged with the UN debates on the cybercrime convention from the early stages. And as Joey mentioned, the point I want to highlight is the fundamental imbalance of the proposed treaty between surveillance powers and human rights safeguards and how this is concerning vis-a-vis transnational repression.
So, EFF has repeatedly stressed that the convention has become a broad surveillance pact. As Deborah mentioned it established intrusive investigative measures at national level and requires international cooperation in accessing and sharing data even for crimes that do not involve ICTs. And such powers come without adequate safeguards to prevent their abusive application.
Although the treaty text sets that the implementation of surveillance obligations must comply with states' commitments before international human rights law, not all the states that are UN members and may join the convention have ratified important treaties such as international convention on civil and political rights or have domestic legal frameworks that ensure sufficient guarantees.
If we consider Latin American countries within the spectrum of democratic nations, safeguards that we can deem essential are not necessarily present in domestic legal frameworks.
Looking only at prior judicial authorization for accessing communications-related data, for example, Colombia doesn't require prior judicial (?) for the interception of communications content. (?) allows realtime location data access without a previous warrant under specific conditions, subject only to later judicial review. In Panama, the law authorizes prosecutors to request a considerable amount of communications metadata to telephone providers without previous judicial authorization. Law enforcement authorities in Paraguay also rely on Supreme Court's ruling to require access to metadata without authorization. And in Brazil there is an ongoing legal debate on whether the disclosure of storage location data requires a previous judicial order.
Yet, as Deborah mentioned, Article 24 of the UN Convention sets that the application of the investigatory surveillance powers and procedures provided for in its specific chapter are subject to conditions and safeguards provided for under the country's domestic law, and that in accordance with and pursuant to the domestic law of each state party, such conditions and safeguards shall as appropriate in view of the nature of the procedure or (?) concern, include safeguards that are absolutely crucial as judicial or independent review, the right to an effective remedy, which is an international human right established in international human rights instruments, grounds define education and limitation of the scope and the duration of such power or procedure.
Also Article 24 establishes the principle of proportionality but not legality, necessity and nondiscrimination.
So, as such, the text of the UN Cybercrime convention does not require that surveillance measures have prior judicial authorization, are only carried out in the face of reasonable suspicion and are necessary for the investigation.
Furthermore, the authorities could keep such measures secret indefinitely according to the law of each country. These surveillance powers that state parties to the convention will have to establish in their domestic law and will be available for international cooperation include realtime collection of metadata, interception of content data which are two provisions that could be abused to underpin government use of malicious software, for example, to (?) in spite dissidents in human rights defenders. Individual tech employees working at services providers to provide information, possibly including security witnesses that could be used to bypass system security safeguards.
The fundamental imbalance between surveillance powers and human rights safeguards is particularly concerning Latin American countries, where the lack of adoption of legal safeguards against data, the absence of comprehensive data protection laws in the law enforcement context, and the insufficient mechanisms for transparency notification, effective remedy and oversight pose significant risks to human rights and vulnerable communities.
This is also particularly concerning on how it can boost transnational repression. The specific function of the Convention, if ratified, will be to create a means of requiring legal assistance between countries that do not already have mutual assistance treaties and lack other cooperation agreements.
This could include repressive regimes who previously had been hindered in their attempts to engage in cross-border surveillance and data sharing in some cases because their concerning human rights records have excluded them from MLATs.
The Treaty's International Cooperation Chapter compels countries to collect and share private data across borders, effectively requiring them to assist each other in electronic surveillance for a wider range of serious crimes, whether or not technology is involved in the crime. The cross-border evidence gathering applies to any crime that a state chooses to punish with at least four years of imprisonment under its national law, subject to certain restrictions. Proposals to define more restrictively serious crimes were not accepted.
So, this broad discretion granted to states under the UN Cybercrime Treaty is a deliberate design intended to secure agreement among countries with varying levels of human rights protections. This flexibility in certain cases allows the states with the strong protections to uphold them. But also permits those with weak standards to maintain their lower levels of protection.
The Convention's underlying flaw is the assumption that in accommodating all countries' practices, states will always act in good faith. But what the history and patterns of transnational repression teach us is that this does not hold true, and that mandatory human rights safeguards and effective oversight of whether these safeguards are fulfilled are absolutely essential.
After learning that unfortunately and alarming it's not reflected in the text of the UN Cybercrime convention. Thank you.
>> JOEY SHEA: Thank you, Veridiana, for those important remarks. And I think it's very important that we look at multiple different case studies to see how the rights impacts of this treaty globally.
I would like to turn now to Fionnuala, if we could get her up on screen as well. I will just take a moment.
>> FIONNUALA NI AOLAIN: Hi, everyone.
>> JOEY SHEA: Brilliant. Fionnuala, you are on our screen even though you can't see the room. Thank you so much for joining us.
I'm wondering if you could speak a bit more about the treaty, but specifically how the broader securitization policies and practices by member states may be impacted and the relationship of treaty in those -- the relationship between the treaty and those policies and practices.
>> FIONNUALA NI AOLAIN: Sure. Everyone, I am delighted to be joining you today albeit remotely, and pleased to offer an assessment I think of what might be described as selective human rights pieces of the UN Convention against cybercrime and really to reflect on in some ways the fundamental incompatibility of parts of this treaty with international human rights law.
I think it's also really fair to say that due to the scale, scope, subject matter of the convention, the convention poses distinct human rights risks that really should have required heightened scrutiny and safeguards rather than lesser scrutiny and safeguards. And here I align my remarks with the views of the UN High Commissioner for Human Rights and in their submission to the treaty process in July of 2024.
And my focus is really to start by looking at the nitty-gritty language of the treaty. And I do that because I think it's really important that we are not simply abstract in thinking about how this treaty really has failed to grasp with and create obligations for states under human rights law, but the deliberate and avoidance and obfuscation of human rights language and human rights requirement and I think this represents something of a broader challenge that human rights is facing, particularly in the intersection of new technologies in human rights globally is the way in which human rights language or what I would call human rights light constructions of new treaties really serve to undermine existing treaty language in practice.
And the second is the treaty, I think, represents another pattern, which is the failure to address or be acknowledgment of fundamental and existing patterns of abuse by states. And so that the treaties in fact, it's like the emperor's new clothes, an unwillingness to address what we know about state behavior in a particular -- and address it through treaty law.
The third is the important point, builds on the human rights light standards is the weakening of existing treaty framework standards, human rights treaty frameworks by creating de facto spaces of opt-out or spaces where, critical spaces where states essentially get to exclude human rights protection.
And the broader point is that new technologies have effectively, particularly in this area of security and new technology, have been given a path on the application of international human rights law often based on arguments of exceptionality, that these spaces are exceptional, that they require exceptional, fast and particular kinds of responses, creating, I think, enormous disjunction in our overall protection schemes.
Let me go to some of the language and I want to start with Article 4 of the treaty that requires States Parties to criminalize offenses under quote, other applicable UN conventions and protocols when committed through the use of information and communications technology system, end quote.
This provision is the practical effect of extending scope of the offenses under other conventions to encompass cyber means without formally amending each of those conventions. It's quite an important sleight of hand, a move that I think is quite significant.
Now, there might be reasons to legitimately extend some events under earlier conventions and to update earlier conventions but I think Article 4 is objectionable for two fundamental reasons.
One is because it's inherently vague and uncertain in scope and it doesn't identify the specific conventions or the offenses that will be updated and there are dozens of instruments and many more offenses in them that might be effective and when the treaties were negotiated each of the offenses was carefully negotiated giving due legal scrutiny to the particular elements of each substantive and (?) under the convention.
As a fairly doctrinal lawyer, I think I'm really concerned that Article 4 requires wholesale and indiscriminate potential extension of every offense under every convention without close drafting scrutiny of whether it's appropriate or possible or even necessary and what more particularly what the human rights implications or adverse consequences of doing that would be.
So, this haphazard extension of a wide range of criminal offenses seeking a variety of really different purposes is just not good practice on drafting critical criminal instruments. And I think gives rise to not just inconsistency and unpredictability but is at odds with a fundamental tenet of human rights law.
And I think the second challenge we see in Article 4 is criminalization of offenses and this criminalization of offenses committed through information and communication technology systems is ambiguous. It's just ambiguous. And it doesn't really tell you in which circumstances cyber means should actually be unlawful. And this idea of commission through the use of information could encompass a whole range of conduct and interactions, and that some of those could be intentional, some might not be, some of them might be unconscious, indirect or even offline connections with information and communication systems.
And I think this is really, really problematic from a fundamental criminal law perspective and a human rights perspective, because it undermines that absolute obligation in international human rights law of legal certainty.
If you are to be made the subject of a criminal offense, you need to know what offenses -- they have to be clearly defined in advance in a way that you could regulate your conduct so you don't end up being in violation of the law inadvertently and that's not the case here. Individuals may end up being in violation not just because the law is not clear but because it suits states to have the law unclear because the actual level of uncertainty actually puts individuals and I would say particularly human rights defenders and others, civil society actors on the defensive and, therefore, preemptively regulating their conduct for fear that they might run afoul of something that's not clear.
And I think what we might end up with is considerable variance at national level about what kind of offenses are produced at national level, a kind of a way that you get double criminality. And when we get to the parts of the treaty that deal with extradition and mutual assistance, actually you run into even further complicated problems.
And I do want to flag that I think between the cybercrime offenses Articles 7 to 12 are well quite problematic and it's really not clear when you look at the nature of these offenses, again, they appear to be overbroad and capture a range of conduct that not, in fact, that's not, in fact, sufficiently serious to warrant criminalization. But actually these offenses risk targeting a whole range of other actors, and the actors I want to highlight are those actors like whistleblowers being criminalized or those engaged in disclosure of information that expose illegality or fraud, risks those taking action to prevent criminal, it risks criminalizing hackers, cybersecurity researchers and those who are in the work in the digital infrastructure ecosystem to actually protect us. And probably the most and most substantial fear that I think previous comments have picked up also, is the danger that this kind of criminalization is going to get at, protests and freedom of expression online.
And I also think I would want to endorse the comments about the lack of sufficient safeguards and conditions of safeguard and the risks that this pose for civil society actors.
I also want to pay attention to the way in which the general human rights safeguards that we find in Chapter 2, 5, 6 and 7 are simply inadequate. Because, actually, when you look at the treaty, it looks like a Swiss cheese. You get, like, human rights language in one piece, but not in others. And I think that should provoke our curiosity and reflection on why human rights clauses were put in some places and not in others. And I think the lack of consistency of human rights safeguards throughout the treaty, so, for example, their exclusion in Chapter 2 or the limits on it in Chapter 7 and Chapter 6, tell us, in fact, again there really was a Swiss cheese effort here to not ensure consistent human rights safeguards across the board but to do a pick and choose, an a la carte menu of human rights protection in the treaty.
I also want to highlight Chapter 7 and I want to particularly flag Article 35 which is the general principle on international cooperation, where there's simply no mention of human rights.
And I think this point that you are leaving out human rights protection in those places, particularly in the context of transnational repression where we see, like, the gaps in protection being particularly problematic, their exclusion here underscores this broader problem of an unwillingness by states to address the actual practice of transnational repression, which is increasingly being framed under the language of assistance and cooperation among states, and, again, brings us back to this human rights, this sprinkling of human rights, the human rights light approach.
Two final comments on human rights lacunae I would include as Article 34 the limit on assistance and protection of victims where, again, the failure of the treaty to implement existing and growing human rights law and the rights of victims is simply not present. We see the same in Chapter 6 on prevention measures where we see actually a failure to implement the massive advantages that -- or massive protections that we have seen developed over several decades.
And I would close by saying that one of the parts of the treaty that concerns me most is the focus on technical assistance and capacity building, and under Chapter 6 and which refers to training, exchange of information, technical assistance, and technology transfers between states.
And, again, the striking absence of fundamental human rights activity -- protections in these activities stress to us the ways in which human rights entirely sat at the margins of the conversations in this treaty, weakening it in fundamental ways, but also having the reverse effect of weakening back to the fundamental human rights treaties, the absence of their inclusion in this important step by states to regulate the cyber arena.
Let me stop there and thank you for your time.
>> JOEY SHEA: Thanks very much, Fionnuala, for those important remarks.
I want to turn now to Nick. If you can get Nick up on the screen from our technical team.
>> NICK ASHTON-HART: Hopefully you hear me all right.
>> JOEY SHEA: Nick, if you can hear us, we are working to get you up on the screen. But just as we are working to do that, Fionnuala had mentioned the impact of the treaty on cybersecurity researchers, and I know throughout the course of your work, you work very closely with cybersecurity researchers. So, I'm wondering if you could, when we finally get you up on the screen, if you could, sort of, discuss and give us your thoughts on the importance and value of protecting these researchers and why the convention may be harmful for their work, but just give us one moment as we try to bring you up on the screen.
>> NICK ASHTON-HART: Can you hear me okay in the meantime?
>> JOEY SHEA: To our technical team, Nick is down at the bottom. There we go.
Well, thanks again. We have you up on the screen now, Nick. So, again, that question, could you just, sort of, touch on the importance of cybersecurity researchers throughout the course of your work and how the treaty may be harmful to their work.
>> NICK ASHTON-HART: Thank you very much. That's actually the very first point I want to address. You can spend a long time talking about the problems of the Convention, but this is one of the two most important areas for us anyway.
And thank you for inviting -- thank you for organizing a session on this subject at the IGF and for the invitation to speak on it.
I should say up front that the Cybersecurity Tech Accord along with the global business community very broadly has publicly opposed signature ratification or accession to the convention of the text as it stands, along with a very broad array of civil society and voices. As has been said more than once, throughout the negotiations there was such unanimity across the board from business and civil society that none of us had ever seen that level of agreement before, which, unfortunately, the negotiators did not really take enough of a warning from.
As you mentioned, there is considerable additional legal risk from cybersecurity researchers, for cybersecurity researchers in the Convention. The article on illegal access requires countries to criminalize accessing computer systems without permission of the system's owner using the same language that the Budapest Convention uses, but without the context of the explanatory report to Budapest, which makes clear that actions which are in the public interest should not be criminalized, meaning that security researchers, investigative journalists, whistleblowers and others are at risk of criminal prosecution in this Convention in a way that is not the case in Budapest.
Without the work that security researchers do, criminals and others will find it easier to exploit vulnerabilities to breach sensitive systems, spread malware and engage in ransomware and other attacks and those risks become even more important when you consider the red teaming that is needed to test AI systems for bias, but also to test that guardrails against misuse of those systems, work not only in the languages of those who develop the systems but in global language sets, for example.
Some member states have said publicly that security researchers are protected because of the reference to them in Article 53.3E of the convention, but this is simply not true. And a plain language reading of that article will tell you it's not true because all that it does is recognizes the importance of security researchers. It does nothing to protect their work.
And you don't have to take our word for it. The global security research community wrote a letter to the negotiators in February, warning them that the Convention endangered their work. Unfortunately, the negotiators did not act in any way to address that problem.
It allows authorities to force any person or company to facilitate access to computer systems or stored electronic data in Article 28.4, which you have heard about from others today, in a manner that is far broader than Budapest. The office of the UN High Commissioner for Human Rights has warned that this would directly threaten the global availability of encrypted communications and encrypted services, which we agree with that assessment. And undermining encryption threatens the safety and security of citizens globally.
Government or private sector technology workers on holiday with access to secure systems could be compelled to provide access to those systems and system owners would not know until it was too late.
On safeguards as they relate to the private sector, many are copied from Budapest and other treaties generally verbatim. The safeguards and protections were copied and generally weakened. Many states OECD states have said the Convention sets new standards for safeguards because it contains protections that are new to international criminal justice law, which is true, but misleading, because the foundational protections in the Convention are weaker than prior instruments not stronger and those foundations undermine the new protections which rely on them, in particular Article 24.2 is copied from Budapest and is an essential foundation of all other protections. In Budapest, all parties must have these procedural law protections, but in this Convention those protections are to be, quote, in accordance with and pursuant to the domestic law of each state party, end quote. Meaning they are essentially optional.
Procedural law is absolutely fundamental to users in human rights but also to firms, because these are the provisions that allow services providers to go to court to contest request for user data when we think they are unuseful or disproportionate. They are what requires a state to ground requests in applicable law and which provides for warrants rather than simply allowing a demand for data without judicial authorization.
In many countries you have heard in detail earlier in this session from my -- the previous speakers, warrants aren't required to demand data from services providers. Requests are kept secret, and providers may not object to them.
Several UN member states at the committee level and at the third committee when it was adopted by the first stage of UNGA stated on the record that they will treat every safeguard provision in this convention as entirely subject to their existing national legislation.
This means we do not have to guess whether this convention will be abused. States have told us that they will do so on the record multiple times before the convention has even been adopted by the UNGA plenary.
While the convention requires confidentiality in the operations of its powers in eight articles, it requires transparency in none. States may use the Convention's powers, all of them, in perpetual secrecy. What this means is firms operating globally get demands for data which must be kept secret and there will be no recourse to courts to push back against them even if the firm knows they are breaking the law in a different jurisdiction if they grant the request.
This will all be legitimized because a treaty with the UN's name on it allows for it to happen.
I want to talk about something in addition today which we haven't talked about yet, and which doesn't get enough attention, which is the Convention's provisions on asset seizure and forfeiture. The Budapest convention does not have these provisions.
As said by the Council of Europe in its briefing to Budapest member states on 4th July of this year, and I quote, risks arising from the current draft text of the Convention are stemming from provisions on money laundering and asset forfeiture. In some states, targeting assets is a primary means to target opponents or businesses and to restrict fundamental rights.
This entails the risk of abusive criminalization, investigation or seizure of assets. For example, the combination of broad jurisdiction with low thresholds for liability of legal persons, low threshold and intense standards for participation and attempt could elevate noncriminal and unintentional conduct by services providers to a predicate offense and lead to the freezing of assets or for political reasons individuals and organizations may be targeted for fraud and their assets may then be confiscated domestically or via international cooperation.
All of what you have heard today begs a question of, why weren't these many problems addressed during the negotiation especially given stakeholders were in the back of the room consistently raising them. The answer is that the process allowed for voting on the substance. This is a major and terrible precedent. Treaties have been previously decided by consensus.
Negotiators on OECD states were always worried that they didn't have the votes for more robust safeguards. We know this because they told us again and again, whenever we proposed fixes to these problems. It turns out that they were wrong, and we know this because Iran demanded several votes to remove safeguards in human rights provisions in August before the Convention was adopted. And the most votes they could get in favor of this was 31, when they needed more than 90.
In short, we recommend that all states do not sign or ratify the convention now. The UNGA Resolution adopting it will authorize the current negotiating committee to develop a protocol. And we believe national negotiators should be tasked with fixing the problems in the Convention during that negotiation. And if they are successful, then states could join the Convention and the protocol together.
We know we will get better results this time, or we can, because of Iran with its votes showed that the opponents of safeguards and rule of law protections don't even have a course of votes that they need. That's all I have time for but I look forward to the discussion and the questions.
>> JOEY SHEA: Thank you, Nick, for that intervention.
We are nearing the end of our time so I want to open it up to the floor in the room first. We have at least one question online. But I just want to see from our audience here if there's any questions to our panelists about the treaty and the rights implications globally and also in the various case studies that were presented today.
No. If there's no questions from the room. I know that we have one question online. So, from Monica through our Zoom call here, Monica asks to our panelists, how would human rights codify a national based fundamental law prevent authorities from a country to transfer data to another treaty signatory? Deborah, do you want to?
>> DEBORAH BROWN: I can start, and I'm very happy for others to weigh in as well.
So, the treaty does include an article that allows governments to refuse to provide mutual legal assistance on human rights grounds. I will read, I think it's 40.22, I will read the text now. It says nothing in this convention shall be interpreted as imposing obligations to afford mutual legal assistance if the requested state, meaning the state who receives the request for evidence, has grounds to believe that this request has been made for the purpose of punishing a person based on their sex, race, education, religion, nationality, ethnic origin or political opinions. And it goes on a bit on that.
But so there is -- as we said, this treaty provides flexibility. And as Fionnuala put it, Swiss cheese. You see human rights sprinkled in here and there. You can read into it if you are really committed to not allowing the treaty to be abused. There are ways you could use it and justify refusing cooperation.
The point is, it doesn't require states to refuse cooperation. They need to be proactive about it. There's both a reality, like, from what we heard from Lina and from Veridiana, there's countries around the world who expressly don't want or respect human rights and are looking for ways to engage in repression, transnational or otherwise, and there's no shortage of evidence to provide the negotiators reasons to provide stronger human rights protections.
And there's also a practical issue here. This essentially creates mutual ecosystem treaties globally. Rather than on a bilateral level or multilateral level it would for all signatories require a mutual exist for crimes based on domestic law with a prison sentence of four years or more. You are going to have a massive number of requests coming in. And to be able to find the requests that one can interpret as posing an obligation of sorry of providing substantial grounds for belief that the intention of the request was to repress human rights, is a lot of ifs. First to define the case, to be looking for the case, the purpose of punishing or prosecuting a person on the basis of these protected classes is a high threshold. And it's all voluntary. Again, it provides flexibility to do so but no requirement to do so.
And so between the high volume of requests that will be incoming to already overloaded mutual legal assistance authorities and just the reality that a lot of governments are looking for ways, there's been a lot, numerous reports in recent years on transnational repression by Human Rights Watch, by Citizen Lab, by Freedom House that are showing clear trends. Rather than responding to those trends and creating a stronger threshold, this treaty essentially gives a lot of latitude for governments to find ways to cooperate.
So, I think I answered the question as to how one could find a way in the treaty, but I think the reality is that those are going to be the exceptions, not the rule.
>> JOEY SHEA: Deborah, I'm wondering if any of our panelists online would like to weigh in and, perhaps, our tech team, who seem to no longer be here, could help them -- help us get them on screen.
To our online panelists, we can hear you, so if you want to intervene, please go ahead while we try to get you up on the screen.
So, as we are -- oh, so we do have one more question from -- yeah, so we have one question from the audience here. But I'm going to pass the mic.
>> PARTICIPANT: It is an Internet Governance Forum but beleaguered by lots of technical challenges. That's very not funny.
Anyway, basically all of the speakers, my name is Hawley Monsoor, I serve as a member of the Oversight Board for Meta.
And my question is all of you paint a very bleak picture, that the train has left the station and it's racing. 40 countries signed or ratified this treaty. It's done. It's a done deal.
So, what can be done to convince the reasonable actors in these rooms to reconsider or add some more forcible safeguards to this? I mean, between now, not the signing, which might happen before Christmas or new year, but between now and 40 countries ratifying that their way, legally speaking and politically speaking and in terms of advocacy as well. Thank you.
>> DEBORAH BROWN: Joey is in the IT booth, so I'm going to take over moderation. I have Nick on the screen which is convenient because I think Nick has thoughts on this, but also happy to hear from others.
>> NICK ASHTON-HART: It is like the key question. I think the first thing is to remember that in international judicial cooperation, a great deal of the data that most of the country needs is located in a relatively few jurisdictions. The U.S. in particular, who have always said that they have no plans to seek ratification or to sign the convention in any reasonable, in any they are not going to do it soon, at the very least. They are going to wait and see what countries do.
But the EU has not -- the EU commission has said that they want to sign, ratify, and the parliament has to agree to this. So, there's an opportunity for Europe not to do that, because Europe is the next most popular destination to get data from.
Throughout the negotiations, we were told by many developing states, who genuinely want to cooperate on cybercrime, on actual cybercrime, that the U.S. and the EU member states joining was of fundamental importance because that's where most of the data they needed is.
So, were those states to team up and use the protocol negotiations to address some of these issues, we know they have the numbers because of the voting situation that I just recounted for you. But we know that they would have support from many other states who need them to join the treaty for it to be a viable instrument.
So, I think really now is the key, is to get member states to say that they are not going to sign -- they are not going to sign or ratify the Convention as it stands. They supported its adoption but they are not going to join it, and they are going to use the protocol negotiations to address its flaws.
It's worth pointing out that the reason protocol negotiations exist at all in this is because the many states who are of a more autocratic bent insisted on having protocol negotiations because they want to go and add even more crimes and even more scope to the convention, which makes it doubly important for OECD member states and their allies to say, well, that's not going to happen. In fact, the opposite is going to happen. We are going make this about actual cybercrime and an actually workable result that all states who genuinely want to work on cybercrime will participate in, which I think also goes to the question, Monica, that you asked or part of the question that you asked.
I don't see any other -- the only other thing that could be done to address the Convention is to work through the conference of the parties once it has entered into force, once 40 states have ratified it. And that's far more -- far less likely to have a successful result than the protocol negotiations allow for.
>> JOEY SHEA: Thanks, Nick. It's very concerning, your note about how ratification may lead to authoritarian states adding even more crimes to the treaty.
I want to go back to Lina for just one moment. We only have a few more minutes left in our session. There's been a lot of, sort of, discussion about transnational repression and how the treaty, you know, can facilitate and contribute to transnational repression.
Could you speak a bit about the history of transnational repression and how the treaty may interact with those gaps and domestic legislation to, perhaps, lead to further transnational repression. And also in case we don't have time, I would encourage you to also speak, given that there are so many policymakers in the room here today, folks from industry and government, what your message is with regard to the treaty on, their engagement going forward as ratification comes.
>> LINA AL-HATHLOUL: Thank you, Joey. That's a lot to cover. But I try my best.
Just maybe first of all regarding transnational repression, I mean, what we have been monitoring are different trends. So, it's usually either the government collaborating with other governments in order to commit human rights violations.
But there are also other kinds of transnational repression also linked to the digital rights, also the use of spyware technologies and through the Pegasus, for example, on for numbers and we have it -- I mean, the founder of (?) has been targeted by Pegasus and is now trying the company and the state in UK courts.
Can you maybe just remind me the last part of your question?
>> JOEY SHEA: Yeah, last part of my question, Lina, was any, sort of -- anything you wanted to say to the policymakers here in the audience. You know, we have folks from government and industry here, and any sort of recommendations you would have for them on how they should be engaging with the treaty going forward as it moves towards ratification with respect to human rights?
>> LINA AL-HATHLOUL: Yeah, the first thing is to listen to civil society.
We cannot just, yeah, regulate such topics without knowing what's at stake. And I think that everyone in this room, in your room, Joey, and everyone else, realizes how dangerous it is. It's not even ratified, that I cannot be there in person.
So, I think that everyone has the duty really to push for civil society to be present, to be protected in discussion -- in discussing these topics and that it should not be seen as a bubble, because it will backfire. It is against everyone's interest to have these discussions behind closed doors and not seeing the consequences it could have on everyone.
>> JOEY SHEA: Thank you very much, Lina. We just have a few moments left so I want to, actually, put that question to the rest of our panelists. Maybe we can start with the rest of our online panelists. Nick or Veridiana, if you have any recommendations for the folks here in the room with how they can engage with the ratification process.
>> VERIDIANA ALIMONTI: I can start and, well, considering everything that we discussed so far, the way that we see and, of course, EFF also opposes sitting ratification in the text as it is now and has been urging states to vote no when the UNGA votes the UN Cybercrime Treaty. So policymakers and industry that are part of this panel and have been listening in our discussion, we would like to extend the call to pay attention to the concerns that we shared here.
At this point of the vote in the General Assembly and nonetheless, if the text passes and we have, then it's the process inside each country where the policymakers and the industry are also to point out, to point out these concerns and in another state where this is being discussed internally, if it passes, as it is, but we -- what would be a problem in our perspective. Also discuss the least harmful way to incorporate this internally, considering the maze and the human rights safeguards a la carte that we mentioned in this panel that should be embraced in the context -- in each context that this treaty goes on.
But what I would like to highlight is that in our position or in our view, we shouldn't get in the EFF's view, we shouldn't get to the point of incorporating this treaty international law with its current text. We should be able to make its safeguards more robust globally as the investigative powers are robust right now globally. So, that's it. And thank you for the opportunity to be part of this discussion and to share our thoughts about the Cybercrime Convention.
>> JOEY SHEA: Do you have anything closing to add in terms of advice for the folks in the room? And we just have a few moments so we will keep it short, Nick, and then we will close with Deborah. Nick, can you hear us? If you have any closing remarks, please go ahead.
>> NICK ASHTON-HART: Sorry. I thought it was a general call. I didn't hear it was me because you are quite faint for some reason on my end.
I mean, nothing in particular that you haven't heard. I hope people who aren't familiar with this are concerned. You should be. And the best thing that people can do is communicate to their governments what their concerns are and ask that they not be willing to sign this until improvements are made.
And to engage actively in the forthcoming negotiation process on the protocol, to make that possible. Because that's really the only practical way that there is to change the content of the Convention. Otherwise, it would be only five years after the Convention enters into force could the conference of the parties entertain amendments to it. And I think by then, it will be very difficult to get much support for amending it again.
So, this is really -- this is really the time, is to not sign it. And to remain -- and for states to remain engaged in process. And this time around work with the civil society and private sector and come up with proposals in advance that the back of the room can actually support, and to be bold, because the states who need the data and the states who have the data are far and away enough to get meaningful changes adopted over the objections of the relatively small number of states who are on the other side of all of the issues that you have heard today. That's the good news, is there isn't a majority for a lot of these provisions and now we know that and we should take advantage of that knowledge to change the text.
>> JOEY SHEA: I know we only have three minutes left. There are important protocols and opportunity. It's worth mentioning even if a state hasn't ratified the treaty they can participate in those negotiations as opposed to the Conference of State Parties so that is an argument to both not ratify but also to participate in the protocol. This was a relatively open process for a multilateral treaty negotiation meaning that civil society and industry were in the room. Though a lot of these concerns that have been raised today we had proposals to address. And so I think there's a gap there also with the UN Office of the High Commissioner for human rights which had very tangible expert advice on how to plug the human rights gap in this treaty. Moving forward there's been ideas floated I think by the U.S.'s explanation or position to have, like, a legislative guide or implementation guide, so to really lean on the expertise within the UN System would be incredibly important for that.
And then also to listen to national stakeholders or in the case of the EU, regional stakeholders, of course, each member state has a different process to get to ratification. And it's really important to listen to domestic stakeholders on how to whether they support the treaty and what action to take and within the context of the EU, it would be wonderful if there was an opinion requested by the European Court of Justice and also to listen -- to request and consider recommendations or opinions from the EU data protection supervisor who had issued an opinion on a draft version of the text which was quite critical.
So, I think I will -- I will end there. I think we are more or less at time. Joey, any final remarks?
>> JOEY SHEA: Just to say thank you to all of our panelists online for participating in this important discussion and especially to Lina, who really should be here in the room with us today. How unfortunate it is that they are not able to be with us here today.
But thank you, everyone, for joining us. And, yeah, I hope you have a wonderful rest of your IGF.