Microsoft criticises proposed UN cybercrime treaty
Microsoft’s main concerns are that the treaty should not provide an avenue for authoritarian states to criminalise online content, introduce new surveillance powers, expand cross-border government access to personal data, or potentially criminalise common security practices because of ambiguity in the text.
Microsoft has voiced its opposition to a proposed UN cybercrime treaty. The broad scope of the draft UN treaty (drafted by UN Cybercrime Ad Hoc Committee on Cybercrime) released in May leaves too much to interpretation, which could create the ideal conditions for cybercrime to thrive, cautioned the tech giant. As UN committee gather to deliberate on the upcoming treaty draft this week, it is essential that they adhere to well-defined principles that strike a balance between safeguarding human rights and combatting cybercriminals effectively, added the company.
Microsoft’s main concerns are that the treaty should not provide an avenue for authoritarian states to criminalise online content, introduce new surveillance powers, expand cross-border government access to personal data, or potentially criminalise common security practices because of ambiguity in the text.
Microsoft’s recommendations (or criticism) resonate with some of the concerns recently voiced by human rights advocates. To learn more, visit the following link.
In more detail, the company is concerned that the current treaty draft prioritises state surveillance over its original purpose of combating cybercriminals – which, in turn, could turn the treaty into a tool for invasive data access and surveillance rather than focusing on prosecuting criminals. The draft allows broad government access to personal data, including real-time surveillance, with the discretion to request data related to any ‘crime,’ not just cybercrime. It lacks transparency safeguards, potentially allowing authoritarian states to suppress dissent under the guise of combating cybercrime. Moreover, the draft does not protect legitimate cybersecurity activities, like ethical hacking, and its provisions lack clarity on ‘criminal intent,’ which is essential for activities like penetration testing to remain legal.
The company has provided a set of recommendations that are relayed verbatim:
- Align the treaty with existing data protection standards to avoid conflict of laws, confusion, delays, increased costs, and potential cooperation breakdown.
- Criminalize core cybercrime offences such as illegal access to computer systems.
- Limit the scope of key treaty provisions, particularly those on data access, to a narrow set of crimes clearly defined in this convention.
- Avoid expanding the definition of cybercrime to broadly encompass online content, undermining human rights, including freedom of expression and the right to privacy.
- Incorporate human rights safeguards, such as independent oversight, right to appeal, and effective redress mechanisms to minimize conflicts with international human rights law.
- Avoid criminalizing the work of ethical hackers and cybersecurity researchers, i.e., only prosecuting acts with “criminal intent.”
- Streamline requests for e-evidence, limiting government access to data that is necessary for specific public safety and national security needs and by directing demands to “data custodians” – i.e., the most proximate data source and rights holders.
- Preserve the right of technology providers to challenge government demands for data on behalf of their customers.
- Increase transparency by allowing technology providers to give notice to users when their data is requested, unless doing so might compromise a criminal investigation.
- Clamp down on “safe havens” by strengthening extradition measures within the convention to ensure cybercriminals cannot evade prosecution and accountability.
About UN Cybercrime Ad Hoc Committee on Cybercrime
The UN Cybercrime Ad Hoc Committee on Cybercrime is presently in its sixth session, which is taking place from 21 August to 1 September 2023, in New York, United States of America.
The Ad Hoc Committee has been tasked to elaborate a comprehensive international convention on countering the misuse of information and communications technologies for criminal purposes. In order to fulfil its mandate, the committee will hold six sessions from August 2021 to the end of June 2024 and the concluding session in 2024; the committee’s work will be concluded once it presents a draft convention to the General Assembly at its seventy-eighth session in September 2024.
The Digital Watch Observatory comprehensive coverage of UN Cybercrime Ad Hoc Committee work. To learn more, please visit the dedicated page.