UN Cybercrime AHC - Day 2 notes
Lot of hacking through Otter to make notes. How many days I can keep this up, i don't know, but I will continue running it into Otter. https://joly.substack.com/p/51969f5d-7820-4672-9bec-0df5dd5cf3ef Day 2 had delegates getting into the body of the draft text, discussing some sections that were hopefully just about ready for primetime. Any which didn't gather consensus were 'parked' i.e. punted off to 'informal' sessions.. Also, the Chair introduced a 3 minute timer, after which speaker's microphones would be automatically cut. Before we got into it, Costa Rica got in its 2c on human rights and gender in the preamble. Costa Rica believes that human rights are not simply just rhetoric. It is
not an item of the agenda that can be included or deleted. Human rights are intrinsically related to the dignity of human beings. This is why they are present in a cross kind of way in all international documents. So, taking this into account, we do not see it possible for the preamble of the convention not to have a solid reference to the importance of protecting human rights in cyberspace. Costa Rica strongly believes that all rights are applicable in cyberspace and should be guaranteed in the same way as they are outside of cyberspace. It would not be possible to build an instrument that establishes a commoncriminal policy with the purpose of protecting society from cybercrime, as mentioned in paragraph four in the preamble, without taking into account the protection of human rights, we cannot leave outside a specific mention in paragraph 10, on the importance of incorporating a gender perspective, in all efforts to prevent and combat crime in cyberspace. Because Costa Rica regrets that gender violence online is just as serious as real gender violence, it's very important for this convention to take into account the adverse and diverse differentiated impact of gender violence that also extends to cyberspace. This is why we support the dimensions that included in the preamble should be maintained in the next version of the text. We aspire to a free, open, safe and peaceful cyberspace for all people.
Then we were on to Chapter I - General provisions - Article 1
Article 1. Statement of purpose The purposes of this Convention are to:
(a) Promote and strengthen measures to prevent and combat [cybercrime] [the
use of information and communications technologies for criminal purposes] more efficiently and effectively;
(b) Promote, facilitate and strengthen international cooperation in
preventing and combating [cybercrime] [the use of information and communications technologies for criminal purposes]; and [agreed ad referendum]
(c) Promote, facilitate and support technical assistance and
capacity-building to prevent and combat [cybercrime] [the use of information and communications technologies for criminal purposes], in particular for the benefit of developing countries.
A lot of countries wanted the inclusion of 'technology transfer' in c), however not the U.S, which thought it should go in Article 54, a whole section dedicated to technical assistance. Some countries agreed. This was eventually parked til 54 itself be fully defined. Then, on to Chapter II - Criminalization. This contains articles 6 to 16, much referred to later, which listed criminal behaviors.
Article 6. Illegal access Article 7. Illegal interception Article 8. Interference with [computer data] [digital information] Article 9. Interference with [a computer system] [an information and communications technology device] Article 10. Misuse of devices Article 11. [Computer] [Information and communications technology]-related forgery Article 12. [Computer] [Information and communications technology]-related theft or fraud Article 13. Offences related to online child sexual abuse or child sexual exploitation material Article 14. Solicitation or grooming for the purpose of committing a sexual offence against a child Article 15. Non-consensual dissemination of intimate images Article 16. Laundering of proceeds of crime
The chair asked delegates to be "flexible' Noting that in Article four of this convention, we reiterate the principle
of sovereignty of states, and therefore, no one takes away your right to make laws within your domestic jurisdiction. It will however, be difficult for us to reach consensus if we continue to insist that what is peculiar to us must also be imposed on every other person.
However, many of the articles have the wording:
Each State Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law
The USA noted that Article 16
is drafted can be read to include money laundering offenses that have no connection whatsoever to cybercrime,
so
To remedy this, we would propose a new paragraph three that would make clear that in offense is only considered an offense under the article where the predicate offense is an offense established in accordance with articles six to 15.
They also noted a tautology in the article
Each State Party shall include as predicate offences, relevant offences established in accordance with this Convention;
since article 16 itself is in the Convention! Russia complained about the lack of time spent on preparing these articles, adding
once again, we have to note with great regret the lack in the draft of the convention, articles that we proposed as recognizing as offenses using ICTs, for terrorist purposes, for the proliferation of weapons, drugs, incitement to illegal activities, or other activities. inducement to suicide, rehabilitation of Nazism, justification of genocide and illegal impact on critical infrastructure.
before they were cut off by the timer. The Chair responded suggesting delegates focus on what was in the draft, not what wasn't. Russia got back on the mic and, somewhat grudgingly agreed. Articles 6 & 7 contains the phrase "dishonest intent". Russia wanted it changed to "unlawful aim", Mauritania "illegal intent",. Cameroon "criminal intent". The Chair insisted that states could use whatever language they wanted, but Cameroon responded
Mr. Chairman, what we're doing here, no, don't don't try to present this as kind of light or or inconsequential work, we are expressing positions as sovereign states. So, please let us go to the end of what we're trying to express. You can't just say that afterwards, each state can do as it wishes, no, once we have a convention, if we adopt a convention that each state has already agreed to this, the specific provisions, so Mr. Chairman, I really would like to support your methodology. However, the adaptions of ad referendum, which are increasing in number, will ultimately, could actually, muzzle states. So, we should not in any way restrict the sovereign right of states to to express their views on the wording or the provisions of this convention.
without mention of 6, 7 was parked. On to article 8 - Interference with data, which is
when committed intentionally and without right, the damaging, deletion, deterioration, alteration or suppression of [computer data] [digital information].
Russia wanted "copying," added before "damaging". However the U.S, suggested copying was covered in Article 6 (Access), and other delegates. Russia wouldn't back down. .Parked. On to Article 9 - Interference with a device. No objections. On to Article 10 - Misuse of devices This essentially pertained to hacks aka "devices". Russia objected to
A State Party may require by law that a number of such items be possessed before criminal liability attaches. .
as vague. Parked. On to Article 11 - Forgery
deletion or suppression of [computer data] [digital information] resulting in inauthentic data with the intent that they be considered or acted upon for legal purposes as if they were authentic, regardless of whether or not the data are directly readable and intelligible
One would imagine this would include deep fakes etc, but that is creation rather than "deletion or suppression". Senegal took this up.
We have a proposal for the wording of the criminalization of the use of falsified computer data. We think that there should be a specific offense here through the insertion of a specific text that criminalizes the fact of using computer data that is falsified.
The Chair suggested they draft it as a separate offense, They agreed. Russia wanted to delete para 2
A State Party may require an intent to defraud, or a similar dishonest intent, before criminal liability attaches.
but was laughed off by EU, US, and even Egypt, since "may" indicates the provision is voluntary. No further objections. On to Article 12 - ICT related theft or fraud Again, Russia wanted "dishonest" changed to "illegal", but Australia pushed back.
We believe it's confusing and circular to add an additional unlawful intent element. And that dishonest intent is appropriate here. Dishonest intent provides clear parameters about when conduct will be an offence, where it is done with dishonest intent and not limited only to intentional conduct. So we consider that the existing references to dishonest intent actually enhance the flexibility of the convention, applying to a range of different legal systems.
There was much discussion on 'fraud' vs 'theft'.. Some wanted theft removed, however India, Iran, China and Russia all wanted to retain. At this point the session timed out and Meeting #3 was concluded The afternoon session Meeting #4 started out on Chapter IV - procedural measures and law enforcement,
Article 23. Scope of procedural measures Article 25. Expedited preservation of stored [computer data] [digital information] Article 26. Expedited preservation and partial disclosure of traffic data Article 27. Production order Article 28. Search and seizure of stored [computer data] [digital information] Article 29. Real-time collection of traffic data Article 30. Interception of content data
On Article 23 - scope SIngapore kicked things off by suggesting that the scope be tightened to the offenses define in Articles 6 to 16, A lot of countries supported this. The US had reservations: 1) 6 to 16 still being defined 2) "we don't yet know the fate of article 17" Article 17 reads
Article 17. Offences relating to other international treaties States Parties shall adopt such legislative and other measures as may be necessary to ensure that offences established in accordance with applicable international conventions and protocols also apply when committed through the use of [a computer system] [an information and communications technology device].
CARICOM wanted Article 17 to be moved out of the Criminalization Chapter to elsewhere in the Convention, Iran wondered about the meaning of the word 'specific' in the phrase "specific criminal investigation". Others responded that it was required as a safeguard against creep. Russia opposed Singapore, saying
We do not think that law enforcement bodies at the national level, we don't believe that they shouldn't have the opportunity to use all possible authority and measures to prevent and counter this kind of these kinds of offenses.
They also wanted some mention of 'prevention', and to delete 'specific', suggesting it would lead to "legal uncertainty". However, nobody else supported them. Article 23 was parked. On to Article 25. Expedited preservation of data. This includes the wording
State Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of [those computer data] [that digital information] for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure.
Many countries, led by Russia, wanted 'maximum' changed to 'minimum'. India wanted 'person' changed to 'legal person'. On Article 28 - Production, Austria Before Russia was cut off earlier, they talked about this, and wanted emphasis on "state party's territory" for clarity. It would seem that this clause does not mean that that States are required to produce for external case, however Austria later cautioned
If you say that the competent authorities should search or similarly access in the territory of that state party, that means that the access is going to take place in the territory of the state party, but the data or the computer system might be anywhere else in the world. And I was wondering, those delegations who hold sovereignty aspects very dearly, whether they would want to live with this effect that access is going to take part in Austria, for example, but the data or the computer system would be in Russia or in China. I don't think we want to have that effect. Right? I hope we can all agree to that.
Russia said they would think about that. On articles 29 and 30, the 'snooping' clauses, the EU withdrew it's earlier objections, based on proposed safeguards in Chapter V - International cooperation. Malaysia, Switzerland, Mexico voiced similar concerns. Norway noted that all these articles are dependent on Article 20 - Statute of Limitations as a safeguard, but Article 20 actually calls for extending or even suspending SoL's for 'serious cybercrimes'. Australia argued that determining the "serious' threshold should be left to states, rather that the definition in Article 2 (h)
“Serious crime” shall mean conduct constituting an offence punishable by a maximum deprivation of liberty of at least four years;
Then focus turned to articles 31 to 34
Article 31. Freezing, seizure and confiscation of the proceeds of crime Article 32. Establishment of criminal record Article 33. Protection of witnesses Article 34. Assistance to and protection of victims
Article 31 - Japan regretted that its earlier proposal to limit confiscations to serious crimes had not garnered support, but was trying again. Sweden, Albania, &.Iceland support. EU supports and wants to limit the scope to 6 to 16. Costa Rica, Korea, Vanuatu and Paraguay supportalso for 32, 33. Nigeria, Iran oppose. China opposes as premature / repetitive Russia also opposes saying:
in fact,we don't understand what doubts countries can have the country the reference to to specific articles rather than the scope of the current convention.
Re; "serious" language, presumably in japan's proposalUS notes para 10 wording
Nothing contained in this article shall affect the principle that the measures to which it refers shall be defined and implemented in accordance with the provisions of the domestic law of a State Party.
I guess, agreeing with China & Russia that there is no real reason to be specific, since states can define for themselves. Article 32-33. Singapore wanted scope changed to 6-16. Russia wanted the opposite, 34 too..Australia wanted to delete "in good faith" pertaining to witnesses, for more flexibility. Presumably bad faith witnesses also need protecting? Tanzania wants to change 'domestic law' to 'domestic legal system' and also add the word 'prosecutive' to the existing 'investigative'. Article 34 ( Victims) Egypt wanted to get rid of "with relevant stakeholders', and drop the "particular circumstances' para 8 entirely (gender). Argentina and Tanzania wanted to add "subject to its domestic law." Canada spoke up for gender. USA wanted to limit the scope from "Convention" to Articles 6 to 16, and yay to gender, NZ, Colombia, Iceland, Ecuador, Costa Rica, Panama, Albania also yay to keeping gender in there. Nigeria is non-committal, saying
Nigeria is paying very close attention to the reference to gender in article 34 paragraph four, I understand that different jurisdiction have different understanding of gender, especially in this context. For Nigeria, gender in this context means sex, and if perhaps, it cannot any other meaning other than what is defined in domestic legislation. Perhaps it may be important to further clarify that as we make progress.
Norway said
we have supported at the last session more inclusive language in Article Five, we did agree to delete the language there, but that was really that was really because we saw that it was included other in other places. So deleting it also here would would not be acceptable.
On 33 and 34, Burkina Faso wants to add protection for whistleblowers, experts, and witnesses. Russia, Canada, Mauritania, Nigeria support.. Finally, Yemen argues for applicability to trump scope restrictions
We are now discussing offenses that had to do with information, and if they are serious, and they develop from day to day, and there are new crimes that appear every day. And we are looking here at an expanding in applicability, especially that the crimes referenced from six to 16 are not are not all of the crimes in ICT. So therefore, we were for expanding the applicability and the scope of application in procedural and content as long as the purpose here is to promote cooperation in fighting cyber crimes. So therefore, we believe that combating it, combating these crimes would would include all crimes electronic or content, even at any level or at the minimum level, as we say, and because we discover new crimes and these crimes develop and they they reappear and therefore, if we were to resolve the scope of applicability,
--
participants (1)
-
Joly MacFie