The Negotiations for a Global Cybercrime Convention, Global Public Goods and AI Cyber Risk

An ad hoc committee of the United Nations is currently debating a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes. Cyber safety is a public good as the benefits of preventing, detecting and prosecuting cybercrime accrue to all. Designing and enforcing a global treaty require powers that should be subject to democratic oversight. At the same time, reducing cybercrime requires cooperation from the private actors who provide technologies and technological services. The networks through which technologies and services are provided are global, and so are the crimes committed through the networks. The treaty process is imperilled by global diplomatic tensions stemming from the Ukraine conflict, a conflict that itself demonstrates the need for international resistance to cyber-attacks and aggressive use of artificial intelligence (AI). 

The details that are available in the Committee’s drafts thoroughly, if not yet comprehensively, address first-generation cybersecurity issues such as defining cybercrimes, proclaiming jurisdiction, and elaborating cross-border cooperation obligations. The assumptions underlying the treaty were formulated in the early 2000s. While the treaty represents a refined form of the approach taken to cybercrime over the past two decades, enabling police agencies and courts to investigate and prosecute crimes committed online, the approach that the Committee has adopted is essentially reactive. It does not require technology providers, however well resourced, to engage in prevention.

Nor does it address emerging threats such as AI cyber risks. AI is increasingly being used to launch cyberattacks and is also a target of attacks. These are within the ambit of the treaty, if barely. However, the treaty’s criminal provisions require that a perpetrator intentionally target a particular device or network. There is an increasing likelihood that AI systems will be created that would become dangerous without human direction, possibly selecting targets and attack vectors themselves. There is no provision that includes liability for creating AI systems that might begin to disrupt networks without directions from humans — the possibility is not in the imaginary of the draft treaty.

Notwithstanding the narrow focus on cybercrime rather than cyber safety, the treaty process provides a rare example of cooperation to provide a global public good. The growing economic and social centrality of the Internet and associated technologies has increased the necessity of related global public goods. These include global regulation of the anti-competitive and privacy-infringing business models of corporations operating dominant platforms. However, the post-COVID-19 turn away from multilateralism and towards protectionism, together with the concomitant rise of mercantilist trade agreements, undercuts the cooperation necessary for the production of global public goods.

Why another treaty on cybercrime? There are already several. The most successful, the Budapest Convention on Cybercrime, was finalised by the Council of Europe in 2001 and came into force in 2004. Although negotiated by the Council of Europe, the treaty has seen a high number of accessions by non-Council members including Brazil, Japan, and the United States. Although it has provisions for cross-border information sharing, these are inadequate in a world in which data is routinely located in other jurisdictions. Due to 16 years of preparatory work, the Budapest Convention incorporates presuppositions on how technology functions that were already dated at the time it came into force. An additional criticism was that it failed to protect human rights.

Rather than join a treaty that they had no part in negotiating, African states preferred to draw up their own convention. The result was the African Union Convention on Cyber Security and Personal Data Protection, often referred to as the Malabo Convention. Although negotiated in 2014, the Convention took nine years to obtain the 15 ratifications for it to come into effect on 8 June 2023. However, critics of the cybercrime chapter point to a number of shortcomings, notably the failure to address the issue of jurisdiction. The provisions on cross-border data sharing are insufficient to enable effective responses with the current volume and speed of cross-border data flow.

The major impetus for the current negotiations is that many countries had reservations about signing on to the Budapest Convention, since they had no part in negotiating it, although it was planned to apply worldwide from the outset. This is more than rhetoric about sovereignty; it is a practical necessity to prevent the imposition of legally binding obligations through an indirect process. This practice of indirect imposition is exemplified by the failed Anti-Counterfeiting Trade Agreement (ACTA), which was produced in secret discussions by a closed coterie of countries with the intention of using trade pressure to require developing countries to sign on to its provisions once they had been set, even though doing so would have further limited access to medicines in developing countries. ACTA was mainly prevented from inflicting casualties from treatable diseases in Africa by massive street demonstrations in Europe, which forced a consequent rejection by the European Parliament.

Until now, the Committee’s negotiations have focused on criminalising certain conduct and providing mechanisms for acquiring and sharing evidence across borders, eschewing the imposition of responsibility on service providers to ensure that their systems are secure and to respond rapidly to and report breaches. Designating responsibilities for private actors would likely prove contentious. But there are greater challenges in reaching consensus around the status of human rights. International human rights are international law, binding on Member States, and any new international agreement is subject to them. No United Nations-sponsored treaty can derogate from the twin human rights conventions.

Given the extensive criminalisation of online conduct and the increased police powers demanded by the draft treaty provisions, there is a concern that, unless appropriately limited, implementation of the treaty will infringe on human rights like the presumption of innocence, fair trial, due process, privacy, and freedom of expression. A related concern is that the broad offences will criminalise cybersecurity research, whistleblower activity, and even journalism. The draft permits limits on these but leaves it to individual countries to decide them, an approach that undercuts the harmonisation the treaty is meant to achieve. Lastly, the draft fails to provide the requisite capacity to countries that require it, even though those are explicit aims of the putative treaty.

These concerns make achieving consensus challenging, especially since not all of the participating countries are democracies, aspire to be democracies, or are committed to human rights. Some authoritarian countries want the treaty to reflect their own systems, like criminalising speech that is critical of the regime in power, even when that speech takes place outside their borders. These differences would have made consensus difficult to achieve in the best of times, but the tensions from the conflict in Ukraine have reduced the tolerance and trust of negotiating parties. South Africa, together with Brazil and Mexico, has attempted to keep the process on track and find common ground, but can there even be common ground when some parties reject the human rights framework that anchors the United Nations? Hopefully their efforts will result in a treaty that provides the global public good of protection from cybercrime. Despite the shortcomings of the treaty, it would, if agreed, provide the most widely accepted and detailed attempt to do so.

Thanks to Dr. Scott Timcke for his insightful comments.