UN cybercrime treaty lead negotiator: US will suffer if it doesn’t vote yes

Avatar

There will be serious consequences if the United States does not vote in favor of a recently agreed upon and controversial United Nations cybercrime treaty, a key American diplomat said Friday.

The treaty — which would be the first cybersecurity legal framework accepted by consensus among all U.N. member states — is expected to sail through the General Assembly after it received unanimous approval by the body’s Ad Hoc Committee on Cybercrime in August. 

But in recent weeks, Biden administration officials have publicly acknowledged concerns about the treaty in its current state. Human rights advocates have warned that it would enable surveillance on a massive scale, and allow countries to spy on individuals in secrecy. The tech industry and the U.S. Chamber of Commerce also oppose the treaty.

“It would be unheard of for us to pull out of consensus after we led the system and joined,” said Ambassador Deborah McCarthy, the lead U.S. treaty negotiator for the ad hoc committee, during a discussion hosted by the Center for Strategic & International Studies. “There’d be huge disappointment if all of us in the U.S. were to say, ‘You know, we’re not part of this.’ And I think that would drive a big wedge at the U.N.” 

Calling a forthcoming U.N. General Assembly vote to ratify the treaty a “pretty much pro forma process,” McCarthy said that her team has polled other democracies and found that none of them plan to vote no.

Despite the intense pushback from industry and human rights leaders, McCarthy said the treaty is ultimately a good agreement governing cybercrime data sharing globally.

A wave of pushback

Critics say certain language in the treaty would allow countries like Russia and China to carry out human rights abuses. 

For example, crimes carrying sentences of four years or more, which the treaty labels serious crimes, will trigger a provision which requires governments to assist each other with investigations and share data, they say.

The treaty defers to individual governments to provide human rights protections, Deborah Brown, the deputy director for technology and human rights at Human Rights Watch, said via email.

“The treaty requires states to establish expansive electronic surveillance powers to investigate and cooperate on a wide range of crimes, even offenses where no information and communication system is involved in the commission of the crime,” Brown said. 

“With greater surveillance powers should come more robust human rights safeguards to protect against abuse,” she added.

Brown said that because the treaty fails to enumerate key human rights standards and requires governments to provide mutual legal assistance for any “serious crime” under national law, countries that criminalize behavior protected under international human rights law — including same-sex conduct, government criticism, investigative reporting, protesting and whistleblowing — will abuse the “powerful multilateral tools” the treaty establishes.

The tech industry also has fiercely opposed the treaty, sharing many of the concerns expressed by human rights advocates.

The treaty forces tech companies to retain user data for far longer than they do now and would require them to turn it over to law enforcement without standard legal procedures. 

It also could keep security researchers from reporting vulnerabilities they detect in networks and other tech systems because they will be more likely to fear prosecution under the treaty’s language, industry leaders say.

And industry shares concerns about the lack of transparency allowed by the treaty.

“There are eight references to keeping requests confidential in the treaty, and none to disclosure, even when it would not prejudice an ongoing investigation or prosecution,” Nick Ashton-Hart said via email, adding that the U.S. has changed its vote on treaties before. He leads the U.N. cybercrime delegation representing the Cybersecurity Tech Accord, which includes more than 100 cyber and tech organizations and several tech giants like Meta. 

McCarthy acknowledged that industry and human rights groups’ worries are legitimate, but said the treaty will spotlight the actions of authoritarian regimes.

“For those who have abused their citizens and abused every excuse to do so — including through a broad definition that anything that passes over the internet could possibly be considered a crime — this instrument [treaty] does not solve that, but it can shine a light on misuse.”

“By setting up mechanisms where we can share information on requests … it can help,” she said. 

Tough negotiations

The cost implications the treaty carries for industry are a concern, McCarthy said, but she noted that many other countries wanted the treaty to require service providers to respond directly to government requests for data. While she worked with industry to get that language removed, she did not succeed, McCarthy said.

Another hard-fought issue centered on how best to protect cybersecurity researchers, McCarthy acknowledged. While she said her team got “some language inserted,” the protections are not as robust as she would like, she said. 

Ultimately, McCarthy said it is important for the U.S. to ratify the treaty even if it is flawed because Russia and China are going to try and shape it to fit their interests and the U.S. needs to be in the room to stop them.

“The train has left the station and the train is going to go without us,” she said.

The U.S. tried “as hard as we could” to include elements allowing countries to reject requests for data when such sharing would harm dissidents and others whom repressive governments are targeting, McCarthy said.

“That includes Thailand’s responding to the junta in Myanmar, to be able to say no, again, with a strong foundation,” McCarthy said. 

But human rights advocates and industry leaders say that because the treaty allows states to cooperate secretly with no procedural law safeguards — such as the right to appeal and a requirement for warrants — it will be possible for states to ask for data on nearly anything they consider a crime.

Will the Senate ratify?

The treaty could and likely will sail through the U.N., but even McCarthy called Senate ratification an open question, citing the looming election and changes in Congress.

A two-thirds vote in the Senate will be required for the U.S. to participate in the treaty, a threshold which Greg Nojeim, director of the Security and Surveillance Project at the Center for Democracy & Technology, called a “tall order because the treaty is short on benefits to the U.S.” 

“Who would want to vote for a treaty that gives Russia a political win, and gives despots around the world access to data they can use to oppress?” Nojeim said via email. “Which Senators will vote to pave the way for foreign governments to access Americans’ private communications?”

Not privacy hawk Sen. Ron Wyden (D-OR) it would appear. 

The U.S. “shouldn’t have anything to do with helping China or Russia justify abusing surveillance to prop up their authoritarian states,” Wyden said in a statement.

From Wyden’s perspective, that’s what the treaty will do if it is adopted with its current language. He said he is working with Senate colleagues to ensure that the U.S. “change course and begin listening to human rights activists who have been sounding the alarm about this convention [treaty] for years.”

In her remarks Friday, McCarthy acknowledged that the treaty is not perfect but called it “definitely an advancement.” 

The treaty’s provision which automatically allows for the extradition of cyber criminals “without having to negotiate country by country,” is a win, McCarthy said.

The treaty is a “tool in the toolbox, and we shouldn’t just throw it out, but we should use it … never forgetting what the ultimate aim was, which is to fight cybercrime,” McCarthy said.

CybercrimeGovernmentIndustryLeadershipNewsPrivacyTechnology
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 

Total
0
Shares
Previous Post

Russian state media company operation disrupted by ‘unprecedented’ cyberattack

Next Post

New Case Study: The Evil Twin Checkout Page

Related Posts

North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks. "In some instances, fraudulent workers demanded ransom payments from their former employers after gaining
Avatar
Read More

CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting ScienceLogic SL1 to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation as a zero-day. The vulnerability in question, tracked as CVE-2024-9537 (CVSS v4 score: 9.3), refers to a bug involving an unspecified third-party component that could
Avatar
Read More