Session

2 Jul 2024 13:00h - 14:30h

Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.

Full session report

Experts debate UN Cybercrime Convention’s impact on rights and cybersecurity ahead of final negotiations

The online expert discussion convened to scrutinize the United Nations Cybercrime Convention ahead of a pivotal final session where member states are expected to negotiate the outcome of a multi-year process. The dialogue focused on whether states could reconcile their differences to address the global cybercrime threat collectively. Key questions included the nature of the disagreements, stakeholder expectations, and the implications of the convention for various groups, including civil society and industry.

Experts expressed significant concerns regarding the current draft of the treaty. It was highlighted that the draft could legitimize surveillance and criminalization practices that would infringe upon human rights, particularly affecting marginalized communities. Industry representatives emphasized the need for an internationally harmonized framework to effectively combat cybercrime, while also ensuring the inclusion of robust safeguards to protect human rights and support the activities of ethical hackers.

The conversation recognized the potential benefits of the convention, with some experts advocating for the inclusion of provisions based on the Budapest Convention within the future treaty. However, there was a shared consensus that the current draft is deficient and could lead to deleterious outcomes if ratified without substantial amendments.

Predictions for the outcome of the negotiations were approached with caution. Some experts harbored hope for a treaty that would uphold international human rights standards, while others expressed trepidation that political pressures might result in a compromised and potentially damaging treaty. The discussion concluded with an emphasis on the importance of sustained dialogue and the necessity of addressing cybercrime without compromising human rights or cybersecurity.

Noteworthy observations from the discussion included the recognition that the Budapest Convention has already influenced cybercrime legislation globally, suggesting a global treaty could further this impact. However, concerns were raised about the broad scope of the proposed UN treaty, which could potentially encompass any crime involving ICT, thus expanding beyond traditional cybercrime and potentially stifling freedoms and rights online.

Another salient point was the potential impact on the cybersecurity community, including researchers and ethical hackers, who could find themselves at risk of criminalization under the proposed treaty’s current provisions. The need for clear definitions and intent requirements was highlighted to ensure that legitimate security work is not penalized.

The discussion also touched upon the complexity of the negotiation process, which has seen an unprecedented level of stakeholder engagement, reflecting the multifaceted nature of cybercrime and its governance. The potential for a treaty to serve as a legitimizing tool for oppressive regimes was a recurring concern, with civil society representatives urging states to consider the broader implications of their support for the treaty.

In conclusion, while the need for a global framework to address cybercrime is widely acknowledged, the current draft of the UN Cybercrime Convention raises significant issues that require careful consideration and resolution. The final session of negotiations will be pivotal in determining whether a consensus can be reached that balances the need for effective cybercrime measures with the protection of fundamental human rights.

Session transcript

Anastasiya Kazakova:
Welcome everyone. Thank you so much for joining. Hello, hello. So we’re happy to see you all at our online expert discussion today. We focus on the UN Cybercrime Convention ahead of a final session where states will reconvene to negotiate the outcome of the several-year process. Will states give in disagreements for the sake of a global common threat? Where do the main disagreements lie? What are the expectations of stakeholders, including from civil society and industry, for the final round of the UN negotiations? These are the main questions for our discussion today, and we also particularly plan to focus on different aspects covering different stakeholder perspectives, and we will ask our experts what are their predictions for the outcome of the process. My name is Anastasiya Kazakova. I’m a Cyber Diplomacy Knowledge Fellow at Diplo Foundation. I’m really excited to moderate today’s discussion and hear the views of experts and also to learn from them. We have an amazing lineup of brilliant minds to help us navigate through these nuances in the negotiation process, so please welcome our experts. Tatiana Tropina, Assistant Professor in Cybersecurity Governance at Leiden University. Alexander Seger, Head of Cybercrime Division at the Council of Europe. Katitza Rodriguez, Policy Director for Global Privacy at Electronic Frontier Foundation. Paloma Lara-Castro, Public Policy Coordinator at Derechos Digitales. And we have two experts representing industry today, Yuliya Shlychkova, Vice President of Public Affairs at Kaspersky, and Nemanja Malisevic, Director of Digital Diplomacy at Microsoft. Our team has been also closely monitoring the developments from the ad hoc committee to elaborate this comprehensive international convention, so for those who would like to dig even deeper into this topic, please follow our dedicated page at the Digital Watch and our latest blog post where we share the reporting from the previous IGS sessions.
We also invite you to be part of the discussion today, so please feel free to share your comments and questions in the chat. Bojana Kovac, researcher at DIPLO, is also here and she will moderate the discussions in a chat. So coming directly to the topic, I’d just like to remind that since 2019, UN member states have been negotiating this comprehensive treaty to address cybercrime threats and the session which was scheduled for the late January, early February this year was meant to be a concluding one but states did not reach the consensus. So my first question would be what actually happened, what went well during the process and most importantly what didn’t, where the major disagreements lie between states and why and I’d like to invite Alexander first to help us unpack this a little bit and then probably also to share inputs from Tatiana. So Alexander, over to you.

Alexander Seger:
Thank you Anastasiya, I was hoping that Tatiana would speak first but never mind, a pleasure to be here. I have been following this process on and off since 1989 because that’s when discussions started, so about 35 years ago. Perhaps a word on the status where we are right now with these treaty negotiations, the updated working documents were circulated about two weeks ago, they are dated 23rd of May and what we have is an updated draft text of a future treaty, a draft resolution, a resolution that the Parliament, that the General Assembly of the United Nations would adopt with this draft text of the convention as an appendix and also some interpretative notes where it’s a bit unclear what the status will be of those notes and all of this dated 23rd of May, circulated two weeks ago and those documents will be the basis for discussions and perhaps also as background why there has been no agreement for the past 35 years on the United Nations treaty and namely the concerns that this would lead to greater international polarization, more divisions, that it would enhance the digital divide, that it would focus on the control of information rather than the question of crime and that a broad scope of criminalization and procedural powers without safeguards would lead to risks regarding human rights and the rule of law and this concern that this treaty is not so much or would not be so much about dealing with cybercrime but more about redesigning the architecture of internet governance, focusing on sovereign internets under the control of governments versus a free and open internet with multi-stakeholder governance. So these are concerns for many, many years, in particular since 2010 when this came again to the forefront and during the UN Crime Congress in Brazil and the negotiations since February 22 have confirmed that these concerns are still valid.
You should also keep in mind that unlike the UN Convention on Organized Crime and Corruption that were launched by consensus, the resolution leading to the current process was a contested decision with the relative majority in December 2019. What further complicated the matter and was not very positive for this outcome is that the actual negotiations started on the 21st of February 22, which was the same day that Russia commenced its full war of aggression against Ukraine. The very same day, with the Russian ambassador then underlining that the future treaty has to hold up the principles of sovereignty and territorial integrity, and that was of course not taken seriously. Nevertheless, members of the Budapest Convention, but also the Council of Europe as an organization, we decided to support the process because of the spirit of multilateralism. What went well, I must say, is that the parties and friends of the Budapest Convention have been coordinating extremely well during this process, which is fine. What went also well is that we’ve seen agreement among all the negotiators at a fairly early stage that provisions that are based on the Budapest Convention on cybercrime in terms of the list of offenses, the list of procedural powers, the specific provisions for international cooperation, have basically been agreed upon. There’s still of course discussion about some aspects of it, aspects of text, there have been some modifications, but overall there was early agreement that this should be included in the future treaty. It has also been clear from the beginning that none of the provisions of the first and second protocols to the Budapest Convention would make it in the United Nations treaty. What is interesting is that in terms of underlying concepts, definitions, they are based on the definitions of the Budapest Convention, they just have a different name, they’re termed differently for political reasons.
So a computer system is now an information and communication technology system, but the definition is almost the same as that of computer system in Budapest Convention. Computer data is now called electronic data, but with the same definition. So this is fine, at least here in this respect, we don’t see major inconsistencies. Where there are disagreements, and which prevented then the ad hoc committee in February to conclude its work and submit the whole package to the General Assembly, is the list of offenses. Russia in particular insists on a long list of additional offenses to be included, terrorism, extremism and many others, drug trafficking online and many other offenses. And if not, to go ahead with the protocol to the Convention. So that I mentioned earlier, there is a draft resolution also, and that resolution will also include a decision to move ahead straight away with the protocol, which means the process would not be concluded in August with an agreed treaty and then submitted to the General Assembly, but next year the whole thing will continue with work on a protocol on some very contested issues. Also, major disagreements is the balance between scope of how shall this Convention go, what is the obligation to cooperate for any crime or just for the list of offenses in this treaty, or only with regard to electronic evidence related to serious crime versus human rights safeguards. Russia, Iran, Egypt and others keep underlining that this is not a human rights treaty, that such safeguards have not been included in other UN Conventions, but then of course we know that this draft has much broader implications, much greater impact than a UN Treaty on Corruption and Organized Crime. Strangely enough, what is also controversial are aspects of the article on child sexual abuse materials.
Normally this is something that should be quickly agreed upon, because everyone knows we have to deal with this, but there are some concerns, there are some differences of opinion regarding the incrimination of children for distributing self-generated materials among children. That sort of question, where many countries then come and say, this is a question of morals, this is not consistent with the value of our societies, we cannot have children have sex with each other, and that sort of things. So, strange enough, this article, what now is Article 13, is one of the most difficult ones in this treaty. The major risks that I see, and I will finish in 30 seconds, I don’t see the dramatic risk in some of the specific investigative powers. What I see is the combination of articles, a very broad article to fraud, much broader than what is in the Budapest Convention, on money laundering, on confiscating assets and so on, that this combination of articles will be used to target private sector companies, in the future. Let’s say we have Nemanja here, you know Microsoft is publishing something that is no problem at all in the western part of Europe, but in some other countries this may be considered extremism and so on, and then this treaty may be used to then go for the assets of Microsoft in third countries. So, the United States or Western European countries may not cooperate in that case, but other countries may be under pressure to cooperate, and then the assets may be targeted. So, that for me is a priori the main source of concern, that this combination of articles on crime proceeds will be misused in the future. I leave it at that, and Tatiana has certainly much more to add.

Anastasiya Kazakova:
Thank you so much, Alexander, for such a really good overview of all the challenging areas in this negotiation process, and it’s really a big question whether states will be able to resolve so much at the final concluding session. But Tatiana, over to you. The same questions, what went well during the process, and most importantly, what didn’t, and where do you believe major disagreements lie between states and why?

Tatiana Tropina:
Thank you, thank you, Anastasiya, and thank you, Alexander. I was secretly hoping that Alexander will go first because he has been dealing with this for longer than I have, because my track record is only maybe 25 years and no more. So what went well in these particular negotiations? To me, first of all, inclusion of stakeholders. And I know that it’s not a full inclusion. There were slots when non-governmental stakeholders able to speak and only during these particular slots. But to me, it’s a major step forward, taking into account the significance of this work. I would also say that what can be commendable in the whole process is the work of the chair, who was really trying to push for consensus, to bring together positions. And the fact that many countries try to negotiate in good faith, many, but not all. I also think that the fact that this process was suspended to resume is also a success because the states who respect human rights, who don’t want negative effect of this convention, pushed back during the last session and disagreed on the draft. And I really commend those states who stood up and said, no, this is not going to go. This draft is not acceptable. It’s really good that non-governmental stakeholders pushed for this suspension. So to me, it was a good sign. To me, it is something that went well, although it’s really hard to put, weird to put it right in the went well label, but it would be much worse if this draft was adopted in January. That would be a huge disaster for criminal justice, for human rights. Now to major disagreements. Alexander did already a very good job outlining where the major disagreements are in terms of what kind of specifics of tackling cyber crime is targeted by particular parts of the convention. Like we can look at the scope of criminalization, procedural. measures, international cooperation, but to me, there is one common denominator where all disagreements lie, it is human rights. 
Even if we look at the scope of criminalization, when you look at what countries can possibly agree on, of course, we can talk about child abuse material, rights of children to share self-generated images, and other crimes. But the human rights consequences are much broader. If we look at paragraph five of this draft resolution, we will see that indeed, it pushes countries to agree already to develop an additional protocol for additional criminalizations. Like kind of, let’s agree that this convention is not complete, let’s commit ourselves to add additional crimes. And we all well know, know what kind of additional crimes would be pushed for there. It’s going to be terrorism, it’s going to be extremism, it’s going to be crimes that crack down on free speech. And of course, it’s again about human rights. And the same goes for procedural powers. To me, there is just simply not enough safeguards. Some of the very important safeguards are just diluted. And of course, the scope of international cooperation, which will allow any country design anything, designate anything as a serious crime, more than five years of imprisonment, and then cooperate. So it’s just enabling human rights abuses to the extent we have never seen legitimized. Of course, we see human rights abuses all around. So to me, the major disagreement, whatever part you take, you can take the formal side of it and say, okay, it’s all about the legal access and protection of security researchers. Okay, it’s all about protection of children to share self-generated material. But if you look at what’s at the core of it, it would be protection of human rights. And I will stop here. Thank you very much for having me.

Anastasiya Kazakova:
Thank you so much. Indeed, the human rights, one of the areas that I believe we will also hear later from Katitza and Paloma, specifically from civil society perspective, but also probably from Yuliya and Nemanja. But I also would like to follow up, Alexander already highlighted the Budapest Convention. And indeed, before the start of these negotiations, there’ve been already some regional instruments, and they continue to exist, partially or completely addressing the same issues. And again, the Budapest Convention probably would be sort of the gold standard in this regard. But I wonder, given that these instruments do exist already, what do you believe a global comprehensive convention could add in addressing cybercrime threats? The same question to Alexander, Tatiana, but also we invite other speakers to share their reflections.

Alexander Seger:
Yes, thank you. I’m not sure that Budapest Convention can be called a regional convention. Just one need to make this point. Let’s face it, the reason we have this process is because Russia wanted it, right? That’s probably the only reason. When it comes to countering cybercrime, again, Russia is one of the major sources of cybercrime around the world, and we cannot assume that once this treaty is there, that cybercrime from Russia will stop. I mean, Russia would not need this treaty to do something more about cybercrime coming from the Russian Federation. There is, with this treaty, some sort of maybe abstract political benefit. For the United Nations, it would be a major success to have this treaty in the form of the 23rd of May version, or similar. That would be a huge success, and I think it would also politically be important to have it. So I’m not sure about the practical relevance in the very near future, but politically it would be an important achievement. The value would be that, over time, that also states that would not be able to join the Budapest Convention, either for political reasons or because they don’t meet the requirements, that they are not able to join, and then they would still have a framework to cooperate with each other. I think anything that permits more cooperation should be welcome. Of course, we are keeping in mind, of course, also the other risks. I’m wondering, I mean, so far the process has had a major benefit for the Budapest Convention, because we have more requests for accession, more parties joining now than ever before since this process started, because many governments have become aware of it during these negotiations and have also seen the benefit. I’m wondering, and I’m wondering what will happen once there is a treaty. So, it may well be that even more countries want to join, because the elephant, the political elephant of a UN treaty is out of the room, in a way. 
It’s not an obstacle, because countries will not have this situation as, oh, we cannot join Budapest because we have to wait for a UN treaty, and otherwise we will have a bad reputation. So that will be out of the way. But it may also be that once there is an alternative treaty, an additional treaty, namely the United Nations Treaty, that parties to the Budapest Convention may say, okay, so now there is a treaty, we don’t have to be so open anymore. Maybe we can have higher thresholds for states that want to join the Convention, and it may become more restrictive in that way in the future. We have now 75 parties and another 20 states that have been invited to accede. 95 states is a lot, it’s good, and it may be more difficult for other states in the future to join. This is not my decision, although I’m involved in this, but this is not my decision to make, it’s up to the parties, but that may still be the case. What I don’t know is whether, let’s call it democratic states or so, will sign and ratify this treaty once it’s there, depending of course on the shape it takes, but that remains to be seen because, as I said before, there are risks in the treaty. Over to you, Tatiana.

Tatiana Tropina:
Thank you, and I have a clarifying question for Anastasiya. Anastasiya, do you also want me to talk about measuring effectiveness of the instruments, or is it the next question?

Anastasiya Kazakova:
Yeah, that would be good, actually, because I wanted to follow up also.

Tatiana Tropina:
Yeah, so let me just start with, you know, kind of, I see the first part of your question as a bit twofold, right? So from a theoretical perspective, right, of course, having a global comprehensive instrument with robust human rights safeguards that is developed with inclusion of various stakeholders, builds up upon existing instruments like the Budapest Convention, of course, it would probably have added value, right, in an ideal world, bringing countries on the same page, building trust, perhaps, streamlining existing mechanisms, building capacity, perhaps, in the countries which really lack capacity, theoretically, maybe reducing impunity. But when I see the series of drafts that we have on the table, since like last half a year, I just don’t see how it’s going to happen with those drafts. We are not in an ideal world. And those drafts leave a lot to be desired. First of all, I just want us to be clear, it’s not a cybercrime treaty. It’s a global criminal justice treaty. There is a lot about collection and cross-border transfer of electronic evidence, and virtually for any crime. And it is well known that states do use criminal law for oppression, to silence political opponents, oppress various groups, including marginalized groups, restrict freedoms, restrict rights. So basically, we are not in an ideal world. And this treaty, if it happens, to me, of course, the positive effect, it will probably boost the adoption of the Budapest Convention, because Budapest Convention is just way better, miles better than what we have now here on the UN level. It might marginally improve situation with capacity building and collection and transfer of electronic evidence. But the question is, at which price? Alexander was absolutely right, it’s not only about human rights, it’s also about private industry. Look at Article 18, which was agreed ad referendum, and it can be interpreted, it looks like a very normal article about liability of legal persons.
But if you put it in the context of all digital, good God, you can have it to punish and hold hostages, just private providers. So to me, the effect of this convention, if this draft is adopted, is super marginal, but the damage is very big. And now to the second part of your question about assessing the effectiveness of existing instruments. I would say it’s very hard. We don’t have really a methodology for this. I mean, we can’t even measure the cost and effect of cybercrime with reliable methodology. So what about the instruments? I would also say that it’s hard to define effectiveness itself. So if you look at what I would call and many call suppression conventions, suppression conventions that criminalize certain conduct on the international level, make states commit to this criminalization, provide investigative instruments and provide for international cooperation. To assess effectiveness, we have to look at all these three parts. And if I look at the Budapest Convention, it’s an absolute success in this way. If you look how countries either change their legislation after ratifying the convention, some of the countries who never joined the convention just adopted their legislation in the way that is close to the Budapest Convention. So basically it is a golden standard in development of cybercrime legislation. And if you look at the UN draft, of course they took everything from there. Isn’t it success? As to mutual legal assistance, I would say that to me, the reference to existing cybercrime instruments is it’s not marginal, but it has to be seen in the context. Many countries cooperate based on mutual legal assistance agreements, which sometimes streamline these mechanisms regionally or bilaterally much more than we see in the Budapest Convention without the second additional protocol. For the second additional protocol, we still have to see how it would go. And I’m sure that it’s going to be a huge success.
So all in all, it is hard to evaluate when we talk about cause effect relationship. Did cyber, have we reduced cybercrime using Budapest Convention or Malabo Convention or any other convention? To me, the answer is we don’t have any relevant and reliable methodology to say that yes. However, we certainly can see that the countries developed cybercrime legislation both based on Budapest Convention mostly and some other instruments. The countries strengthen procedural frameworks based on Budapest Convention and other instruments. The countries build trust in negotiations, in accession, in ratification, in cooperation. And certainly to me, this counts as success. Thank you.

Anastasiya Kazakova:
Thank you so much, Tatiana. And I’d like to go back to Alexander indeed to zoom in into this possibility to have available data on how actually the existing instruments help reduce cybercrime. And indeed within the Budapest Convention Council of Europe, there’s a lot of capacity building within Glasgow project, if I’m not mistaken. And thank you so much for sharing that the number of the requests has increased over the years during the negotiations in the UN. That’s really interesting. So, Alexander, maybe you would share any thoughts on this question.

Alexander Seger:
Yeah, I mean, if you talk about criminal justice, we talk about law, we talk about action, investigations, prosecution or cooperation, whatever, based on law. And as Tatiana said, if you look at how countries have implemented the Budapest Convention, we can indeed note, I consider that a huge success. And we found a way, also via capacity building, to engage with governments. It’s not always easy. There are cases where we are completely unhappy with laws, we are completely unhappy in some cases with interpretations of domestic law by some countries, which may lead to abuses. I’m happy that in many instances, we are also able then to change that and point out that something is going wrong and governments engage with us, which is a great sign of success. Because making laws is a sovereign prerogative of governments and parliaments. And for us to go and talk to countries and have this interaction with countries is huge. So there we can indeed see, we have the data for that, you know, whatever, 140 countries around the world have aligned, have provisions corresponding to those on the Budapest Convention when it comes to the offences. And about 100 or so, 110, have also the procedural powers in place. And we also see cases where procedural powers have not been adopted fully, that they run into major difficulties, like you’ve seen with the Panama Papers the other day, and so forth. So this I consider a big success. But I would like to come back to another point related to all of this. Public authorities, criminal justice authorities, don’t all use the same tool, the same treaty, the same basis for cooperating with others. They have a multitude of treaties. So in some countries they say we don’t use the Budapest Convention 24-7 because we have for years worked under the G7 24-7 network. Although now it’s more or less, it’s increasingly identical. Other, some countries say we never ever used the UN Convention on Transnational Organized Crime.
And people from the neighboring countries said we use it every single day. You know, that’s how it works in practice. So you will not see a UN treaty adopted, signed, ratified by country, and the next day they all use those provisions. They will use those as an additional tool. If they have a case, they look around, what do we have? What can we use to cooperate with the country? And here we may have a situation where countries now are parties to this future UN treaty, where they say, okay, that’s what we have. We’ve worked with them on that basis. That’s how it will work in practice. And here, treaties like Budapest Convention have been in place for 20-odd years. We engage people every single day, you know, through capacity building activities. For a long time to come, they will give priority to the Budapest Convention. because they know how this works, but they may also then increasingly use with other countries that are not part of this framework also the UN treaty. That’s how it works in practice.

Anastasiya Kazakova:
Super, thank you so much. Alexander, we have I guess another question to you from Vlada regarding the process and additional protocols. So if you could look at the chat, will the convention be put to General Assembly before further negotiations of additional protocols or will it go as a package at some point eventually?

Alexander Seger:
Yes, the chat is so lively, I have to find the right question. The current proposal is that the draft text will be put at the same time to the General Assembly as this draft resolution. So the General Assembly would adopt this draft convention and decide at the same time that the work on the protocol will start. And again, my concern: in principle, something like that is not completely excluded. It’s rare, but it’s not excluded. The problem is that achieving consensus on the current treaty will be a huge success, will be very difficult. There’s a lot still to be done over these two weeks at the end of July, early August, a lot to be done. It would be a miracle still to succeed, but it would be a huge success. And then immediately work would start on a protocol which will deal with the most contentious issues around. So that will lead again to complete polarization because there will not be agreement on that, not within two sessions as it says in this draft resolution. So that is for me completely counterproductive that you forge a very difficult consensus and this extremely complicated international consensus, and the next day you start with something that makes the whole thing fall apart again.

Anastasiya Kazakova:
Yeah, yeah, indeed. The bigger question would be also how this will be ratified if adopted, what measures we will see at the national level. I’d like to turn to Tatiana, and then we will… I’ll zoom into the civil society perspective.

Tatiana Tropina:
Thank you very much. Just to briefly follow up on what Alexander said about an additional protocol. I absolutely agree with everything, but I think there is also another side to this, another aspect. So basically at the beginning of negotiations, if you trace back the positions of the countries who wanted protection of human rights, safeguards, and so on and so forth, they said, okay, we would agree to a broader scope of international cooperation and more invasive procedural measures if there is a very narrow scope of criminalization. So at the end, if this resolution with paragraph five is adopted as it is, these countries are giving up on everything. Not only they are agreeing on the broad scope of international cooperation and quite intrusive procedural measures, they’re also recognizing that this scope of criminalization is incomplete and they’re committing to work on the second additional protocol. So what’s left then? What’s left then from those fierce fighters in negotiations? I don’t know, but I do consider it as an additional twist in this plot. Thank you.

Anastasiya Kazakova:
Thank you so much. So now trying to hear also the perspective from civil society, and my main million dollar question would be to you, Paloma and Katitza, what would be the desired elements of a good result from a perspective of your organizations or broadly the civil society after the concluding session that we will see later in the month? So I’d like to invite Katitza first and after Paloma.

Katitza Rodriguez:
Thank you for the chance to speak today. Maybe because we are approaching the final session on negotiation, it’s clear to me that the states are running out or have run out of time for achieving a good result at this point. It’s full of disagreements on crucial issues like from the scope to human rights safeguards, subtle edits, and many articles that have not been agreed yet ad referendum highlight these ongoing concerns. I think the text, in my opinion, is simply too flawed to be adopted. Countries that believe in the rule of law must find ways to make the treaty more narrow. Key provisions are still in red, showing a lack of consensus on critical issues, like scope, as I mentioned, human rights safeguards, but also intrusive powers, like real-time collection or interception of communication, that is not a combined link or a combined with a strong, robust, human rights, mandatory human rights safeguards. The wide range of disagreement among member states shows that any potential compromise, and this is to the point of Tatiana, could mean a race to the bottom of human rights protection. And that’s the main concern at this point. Even the provisions that haven’t really been agreed, approved, and have consensus are deeply problematic. For instance, in this context, including Article 20A4, which compels states to adopt legislation and other measures to empower their authorities to compel any engineer or any individual with knowledge of computer systems to provide any necessary information for conducting certain seizures. This provision can be abused to force security experts, software engineers, and even employees on tech companies to expose sensitive or proprietary information. It could also encourage authorities to bypass normal channels with companies and coerce individual employees under threat of criminal prosecution, and to provide assistance in subverting technical access control, et cetera.
This paragraph should have been removed, but it has been agreed ad referendum. So that’s done. Another big disagreement that we see and why we think it is flawed is that the title of this convention is misleading. Equating cybercrime with any crime committed using ICT is harmful, but also not only conceptual, it’s a conceptual harmful, but also the practical standpoint. Cybercrime should focus on acts against computer data, networks and data. Efforts in several countries, as Diana Alexandre was saying, to expand the definition to include other have gone hand in hand with the criminalization of expression in many, many countries and human rights abuses. On the practical level, where there are gray areas with respect to the application of the treaty, equating cybercrime with any crime committed through ICT will encourage an expansive interpretation. It also means that the treaty can be expanded to cover any lawful offenders as being appropriate through the future protocol that Diana was mentioning, essentially involving any crime that can use ICT. And that’s problematic itself, just equating it, because there is this trend in national law on trying to expand the meaning of cybercrime and has come with very draconian cybercrime law. The convention also fails to protect security researchers and investigative journalists. The current article in 610 essentially criminalized legitimate cybersecurity activities like vulnerability disclosure or vulnerability testing and reporting. There are safeguards that are optional, not mandatory. All the lessons learned from the last years over this provision could be lost just because these safeguards have been weighing over years of years of court litigation and negotiations at the domestic level. So exporting these provisions to the world without mandatory safeguards creates several risks. many other problems. One is Article 6.2, which is related to the human rights. It’s a diluted version.
Tatiana was mentioning about how they dilute articles. It’s a diluted version of an early proposal by Canada. It fails to include the article on human rights. It fails to include a crucial provision that would prevent discrimination or persecution based on individual characteristics. This omission means that states can still collect evidence against individuals simply for being themselves, for raising a rainbow flag, as long as their domestic law considers such serious crimes serious, as defined in Article 2 of the Convention. While positive additions are in this, it’s a positive to have included this article, this provision does not reduce the scope, but merely suggests respecting human rights within the broader scope of international cooperation chapter, which, in our opinion, is insufficient. Article 24, which is the article on human rights safeguards, fails to explicitly include crucial principles like legality, necessity, and non-discrimination. Effective human rights protections require prior judicial approval before surveillance is conducted. Transparency about actions taken and notifying users when the data is accessed, if it does not jeopardize the litigation, or at least notify later, and provide a way for individuals to challenge those abuses. The new text now deferred to national law instead of linking it to international instruments like the Budapest Convention does that. We can indeed safeguard as national laws can change very greatly country by country and may not provide always necessary protection. There is also broad definitions, and this is a problem that I see in the definition of electronic data in Article 2, together with the intrusive powers and the lack of data protection have not robust taken. So Article 25, 27, and 28, regarding reservations, production orders, and seizures of electronic data, in compact, a definition that includes every sensitive data, such as biometric data, or neural data, brain data, it’s very, very broad.
The problem is that processing such sensitive data, like biometrics, should be subject to mandatory data protection principles in the text itself, and robust safeguards that are mandatory, like when you access content of communication. But nothing of this is included in the treaty. So for me, that is problematic, too. There is also this new provision, which is the Article of the Scope of the Criminal Procedure Measures, 23.4, which selectively applies Article 24 of the safeguards to the international cooperation chapter, leaving some of the powers in the chapter of international cooperation out of protection. So I’m talking about the Article on Law Enforcement Cooperation, or the Article about 24.7. These selective applications, yes, leave this without protection. Moreover, the broader scope of the international cooperation, we are talking about 35.1c, continue to pose real risk to the LGBTQ plus community, and on gender rights in general. Despite many calls from us, civil society, the current draft does not sufficiently address the unique vulnerabilities of this community. This article could be exploited to target individuals based on their gender or sexual orientation, especially where domestic law criminalizes this act as serious crime, because it deferred to national law to whatever that country defined that act of expression as serious crime. This is particularly concerning given the story of cybercrime laws being misused to persecute marginalized communities, as we have seen in many of the countries who participate in this process. While the convention allows to refuse cross-border MLA requests, there are certain grounds, potentially allowing such requests to be a standard for invoke those grounds of refusal is very high, which may potentially allow such requests to proceed, because it’s just you have to provide with a high evidence to be able to reject the request.
And finally, I would say that while this process was supposed to be transparent and inclusive, and I will say, though this process though the process of drafting this convention was supposed to be transparent and inclusive, though the process has been more transparent, as I agree with Tatiana on this, than other cybercrime international processes, particularly in terms of access to state draft, tracking of changes, or even be able to access to talk to representative, it effectively excludes many civil society and other stakeholders. I think this approach undermines the legitimacy of the negotiation and needs to be improved, and contradict inclusive nation. So I will just finalize here, and give access to my colleague Paloma, but I think that countries that believe in the rule of law should be very skeptical on this treaty at this point. I see that are still unacceptable provisions when it comes to the broader scope of criminalization and the human rights safeguards, and I’m worried that compromising on that will just create a… a race to the bottom of human rights and privacy protection. Thank you.

Anastasiya Kazakova:
Thank you so much, Katitza, also for actually helping us to see this direct impact from this future convention on the safety and security of regular users for all of us. And I also would like to invite everyone today at the discussion to also check the submissions and the documents, quite elaborate ones, from both Electronic Frontier Foundation and Derechos Digitales, who actually help us navigate through all of these human rights-related provisions and more. But I’d like to turn to Paloma with the same question. What would be the ideal elements of the future convention if this happens? And how you see that the future convention, I don’t know, would actually be in a positive way impacting the safety and security of regular users? What those elements ideally should be on the table for states?

Paloma Lara-Castro:
Thank you, Anastasiya. Well, first of all, thank you for the invitation to participate in such important space. Just as we are coming through the final negotiations, we are at a critical point. I would have to start with echoing the words of Katitza in terms of what the risks of this treaty are, especially in relation to the compliance with human rights international law, which is an obligation for states. We share the concerns. We are very concerned of how this treaty will be used. And as its actual form, we are seeing it as a treaty that could legitimize surveillance and criminalization practices that are already a big concern worldwide, and specifically within our region, which is Latin America, which is where Derechos Digitales works. During the last years from civil society, we have consistently emphasized that the fight against cybercrime must not come at the expense of human rights, equality and the dignity of the people whose lives will be affected by this convention. As Tatiana perfectly put it, one of the main lacks of consensus is on human rights and I would add specifically on gender as well, which is sort of our main focus of area within the Cybercrime Convention as we have worked together with other civil societies. We have worked together to visualize different risks of how this treaty could and will possibly be implemented and what will be its potential risks. In that sense, it is important to understand that neither criminal systems nor technology are neutral. What this means is that they are inserted within societies that pre-account for structural inequalities.
Bearing this in mind, we have held that one of the central elements of this convention should be the integration of an effective gender mainstream and I would really like to emphasize on the word effective within the gender mainstream category because as has been already recognized by other international instruments, the best way to really achieve the gender mainstream is to have a dual or multiple implementation. What this means is that the convention should not only have as an objective, as a sole objective to achieve gender equality because as we know it is a prevailing issue in our society, but on the other hand it should also analyze how each article could be affected with a gender perspective, some of which areas have already been mentioned or referred by Katitza, so I don’t want to be repetitive but I do want to just emphasize that although this is something that has been recognized in other treaties, like for example in other documents of human rights, like for example the CDGs have this multiple way of implementing gender mainstreaming, also this has been recognized recently in the GDC, in the Global Digital Compact, as to pursue as an objective and also to analyze within each implementation article. In this convention we have seen a lot of concerning pushback regarding human rights and specifically gender. Although there are some advances within the text, like for example, the inclusion of gender mainstreaming within the preamble, which we celebrate and find that absolutely positive, I would like to go back to the effective, which I mentioned before. We are concerned that just having the gender reference within the preamble, it would be more of a checklist rather than what will actually be implemented during the convention. So that’s what we have been pushing for, the inclusion of the gender mainstream within other articles.
In some cases, there have been some states that have really acted as champions on this matter and that have really pushed forward, pushed through, including these sort of references. For example, Uruguay, I would like to stand out in regarding to the human rights article mentioned by both Tatiana and Katitza, Uruguay has pushed for the inclusion of gender within the human rights spectacle but has not received enough support, even though we’re not talking about numbers in this report, but just the overall spirit of the negotiations regarding gender. In some other articles, certain provisions that were referred to before, for example, in relation to capacity building, have been removed. So we have been really seeing how the gender perspective has been weakened and weakened and weakened throughout the whole, not only what it is in the text but what we’re able to observe as well within the discussions of states that have predominantly been sharing their views on how this is not a human rights treaty and this is not a gender treaty, which raises concerns about the already accepted and supposed to be obligatory human rights standards that have to be accomplished by each state. So this raises concerns about how an international treaty is going to work with sufficient already standards on gender procedures. And also, as we see in the local context of the laws, we have been seeing that these cybercrime laws are not only ineffective in protecting people, and especially historically marginalized communities such as women and LGBTQI, but are actually putting them at risk.
In this sense, I would like to point out that during these negotiations, in order for us to bring evidence-based arguments, we have developed a research that maps out how cybercrimes around the world, and it’s important to point out this, even though this is an international cybercrime convention, and also the Budapest exists before this, this does not mean that it’s going to be the beginning of local legislations on cybercrime. Cybercrime local legislations have been happening for a long time. They’re actually multiplying within regions, and they have already been recognized, as Katitza mentioned, by UN bodies. There’s a trend of using these legislations to stifle dissent, to criminalize human rights defenders, journalists, and security researchers, and to stifle dissent. And this has specific impacts on gender, which is why we did this research where we map out 11 cases globally. The last thing that these laws have in common is overly broad definitions, which is also being seen in the convention, as Katitza well explained it. Lack of compliance to the internationally recognized criteria of legality, necessity, and proportionality. And on the third, lack of a gender perspective. What this entails is that it’s not only, does not only have consequences individually, but when we look at it socially, we were able to see within, improve within this research, that this has consequences on politically historically marginalized groups that have been historically excluded from public debate. So this is not only entailing individual consequences of being persecuted, but also social consequences that will impact freedom of expression in general, and specifically on gender equality. Bearing this in mind, what we need to show with this is that we are not talking about potential risks. This is not something that we’re going to analyze when the convention is being implemented.
But we are talking about concrete harms that can already be seen within the local legislation frameworks and its implementation. This raises the concern of how we’re going to advance on an international treaty without considering this context, and without considering what this context tells us. We need bigger safeguards. We need human rights protections that don’t allow for arbitrary interpretation, that don’t allow for criminalization, and that don’t impact on human rights of users individually and collectively. Going back to what Katitza mentioned regarding serious crimes, we should also take into account not only as Katitza mentioned, the LGBTQI community and what has been considered that sexual expression or gender expression is a crime in several countries. Also, when we think about sexual and reproductive rights within women, this raises the same concern. So this is very serious implications of what this may have. And also, just on a final note, as we’re talking about lack of safeguards within the treaty, and that goes back to local safeguards, we can find that there’s no local safeguards within the existing legislation. This is a very big concern. It’s a very dangerous treaty. I’m sorry I’m not ending on a very positive note. We are very concerned about how going back to negotiations, the few things that we managed to advance, like, for example, content-related crimes, can be, again, be open up the door within the protocol that’s been mentioned. The same thing regarding gender inclusion and gender perspective and the pushbacks, and also considering criminalization and surveillance as key issues within this treaty. So I’m going to end it on a call for action, saying that it’s important for all of us to become aware of how this treaty is going to affect and impact our lives. It’s important to talk to local governments. It’s important to create awareness. It’s important to be attentive to what will happen in the next following negotiations.
And we’ll just end up on a note that there are international obligations that have been agreed upon. There has been a long way and a long fight for these rights to be recognized and upheld, and especially consider the democratic setbacks that we are seeing globally. It’s important that we hold on to the international human rights law that has been agreed upon and hold our states accountable. And holding our states accountable also means that they should make sure that the treaty does not violate what has been agreed upon and that the aim should be to guarantee more rights, not to generate law that will serve as a tool for undermining rights. And I’m going to leave it at that, perhaps to continue this conversation.

Anastasiya Kazakova:
Thank you, Paloma and Katitza, for raising the voices of the civil society, the perspective that’s really helpful. And thank you also for highlighting the need for the safeguards and also for evidence-based argumentation. So Paloma, if I heard correctly, if you have the links to the recent status or the activities that Derechos Digitales did, so please feel free to share that. I think that would be extremely helpful for many of us today. And I’d like to now to zoom into the industry perspective. And we’re glad to have with us, I think, one of the most active industry players being involved in this process and from the multistakeholder community. So Yuliya and Neno, I have a question to you. Do you, as the industry representatives, anticipate any positive changes with that option of the International Cybercrime Treaty, if it happens again? And the second question, what should an effective international governance in general look like to address cybercrime threats? Or maybe you would say that you’re pretty satisfied with the status quo. So any reflections on that would be very helpful. I’d like to invite Yuliya first and then to turn to Neno. Thank you.

Yuliya Shlychkova:
Thank you. It’s really an honour to be part of this very important discussion. So my thoughts will be coming from a technical perspective because Kaspersky is a cybersecurity company and our experts are working around the globe and helping assist Interpol, other regional law enforcement agencies, local law enforcement agencies, providing threat intelligence data and helping with the investigation. So I will be coming, let’s say, from a more practical, down-to-the-earth perspective. And in our view, international harmonized framework is really, really very needed because what the feedback which I’m receiving from my colleagues is that when an investigation is happening within Europe, it works. The procedures are there, also thanks to the Budapest Convention. But when more countries beyond Europe are involved, because cybercrime is global in nature, you can have command and control centers in one place, victim in another, attacker in the third country. So when more countries are involved, the current lack of legal instruments, so mutual legal agreements, which were mentioned in our opinion, is not enough. So we really welcome this process of working on international harmonized framework. So technically speaking, to investigate cybercrime, there needs to be evidence. Evidence in form of storage data, network data, memory dumps. And this evidence needs to be seized very quickly because of volatility of digital evidence. It can be changed any minute, and the chain of custody can be broken. So the preservation of the evidence data has to happen really quickly. And from this perspective, we really welcome that in the current text of convention, there are dedicated provisions about expedited preservation of digital evidence. So, this is really good. At the same time, what we also see in practice that for this evidence to be accepted in the, in the court. There are local demands of for the toolkits, using which the evidence has to be taken. 
And currently we have the patchwork of these requirements for different toolkits to be used in different jurisdictions, which means that even if the evidence is collected and then transferred, it might not be accepted in the court because the toolkits was used, not the one which is accepted in the current jurisdiction. So, Anastasiya, you asked about what is the ideal governance should be. So, the ideal is so we also need to agree globally on the acceptance of the toolkits to be used to preserve this evidence. In majority of cases, for example in digital forensics hardware and software used which has to be physically delivered to the company where incidents happens, right. In times of COVID, this actually was really, really hardly doable. And for example, Kaspersky has worked with other industry partners on request by Interpol to work on open source online remote forensics tool, but again, it is good it’s efficient it’s cheap it’s open source it can be found on the GitHub, but it’s not acceptable at the court because it’s not the one. Because requirements are different. So it would be great. Those are nuances but those nuances has to be addressed as well. At the same time, what is worrying is that a real time access to network data to traffic data and provisions focusing on this currently are really, really broad. And I echo what other panelists said that safeguards needs to be implemented to ensure that law enforcement powers are strictly limited. And we believe that also better transparency and accountability has to be placed both on the governments and on the private sector to ensure that while we are focusing on investigating cyber crime, no damage are caused to human rights and companies can be transparent about how they address law enforcement agencies request. And if sensitive data are asked to be disclosed like biometric data, definitely there has to be court orders in place before any disclosure is done.
So such safeguards has to be put in place to ensure that we are not causing more trouble while focusing on cyber crime investigations. Also, I think other panelists mentioned that currently ethical hackers and researchers are left vulnerable. And I agree with this. So in ideal scenario, it would be great to provide more proactive shield and protection for such community, cybersecurity community members. On one side, this is good that there are provisions in place which say that authorized penetration testing should not entail persecution. On one side, this is good. On the other side, really often freelancers, ethical hackers, those who are freelancers, they act without authorization. Therefore, we believe that there has to be provisions which puts focus on bad intent and proof of criminal intent as the key criteria and not authorization to protect ethical hackers and ethical researchers. I also agree with Tatiana the good thing is that multiple stakeholders, multi-stakeholders were involved in discussion of convention and the working groups for years and that stakeholders are recognized in the text of convention. At the same time, we believe that in the section dedicated to technical assistance, private sector can be recognized and mentioned more because we can help with capacity building initiative, help with investigation, especially such support is really demanded in countries where capacity is very under-resourced, I would say. So I would stop here and ready to pass the mic to my industry colleague from Microsoft.

Anastasiya Kazakova:
Thank you so much, Yuliya. Neno, also over to you. Microsoft has sent numerous submissions as well, helping to unpack different nuances in the earlier draft, so that will be also quite helpful to hear the Microsoft perspective on these questions.

Nemanja Neno Malisevic:
Awesome, thank you very much, Anastasiya. So after nearly three years of negotiations and really with only one session remaining, which I think in itself is indicative of just how far apart positions among member states are on key issues, Microsoft remains gravely concerned that states have not yet reached consensus on some of the most fundamental issues, including the very purpose and scope of the convention itself. States have now also included additional provisions calling on immediate protocol negotiations to broaden the scope of the convention, as we’ve heard multiple times already. So looking ahead to the final session, we will again urge states to clearly and narrowly define the scope of this treaty and to significantly improve safeguards throughout the convention. To once again be unmistakably clear, we worry that in its current form this treaty will erode data privacy, it will threaten digital sovereignty, and it will undermine online rights and freedoms globally. Or to respond more directly to your questions, Anastasiya, this treaty does not currently provide for effective international governance to address cybercrime and it is still very far from such a projection as we’ve also heard from Katitza and others. Let me provide some additional details and I will focus on four key concerns in the interest of time, but there are more. So first of all, the draft convention will undermine national security because the current draft text allows for unauthorized disclosure of sensitive data and classified information to third states. You already heard Katitza speak about this, but I want to echo this. For example, article 28.4 permits an IT professional from one state or any other individual with, and I quote, knowledge about the functioning of the system in question, end quote, while traveling in another state to be compelled to provide necessary information for conducting searches and seizure of computer systems.
This provision can and will be abused to force individuals with knowledge to reveal proprietary and sensitive information, and I want to echo something that Paloma said because these are not hypothetical scenarios that we worry about. These are not potential risks. These are risks we already see, and alarmingly the current draft leaves the door wide open for such abuses. Secondly, the draft convention will weaken human rights online and will put individuals at greater risk for being prosecuted for exercising their digital rights. So Microsoft continues to strongly oppose a convention that would apply to an undefined and unlimited limit of activities that leverage digital technology. A bunch of speakers already spoke about this. A cyber crime convention should apply to crimes unique to cyberspace and not cover any crimes simply because it has an ICT element. The scope of this treaty remains too broad as we have argued for the past two plus years. And case in point, we continue to be super concerned that many states continue to push for a broad scope by advocating to apply this convention to other offenses without ever defining these other offenses. That’s a real problem. Importantly, this latest version of the text now has also made several human rights safeguards subject to domestic legislation which can vastly weaken their effectiveness as national laws vary significantly. And many of them simply will not provide adequate human rights protections. I don’t know how else to say this, but a safeguard that contains a domestic law exemption is not a safeguard. Again, just to be super clear about this. Thirdly, the draft convention will weaken global cybersecurity by compromising critical security measures and criminalizing practices that secure the digital ecosystem.
I wanna echo what others have said and speak a little bit about cybersecurity researchers because today a legitimate cybersecurity solutions include innovative and highly advanced practices that provide a crucial line of defense against the constantly evolving threats of cybercrime. The world greatly benefits from these practices. Work conducted by security researchers, penetration testers, and ethical hackers who have a crucial role in securing information technology systems. And in fact, recognizing their importance, some states have recently legalized ethical hacking through dedicated legislation. However, the current convention threatens to provide no meaningful protection for these individuals. And last, but certainly not least, and this is something that really is an additional curve ball thrown into this last session. Additional protocols open the door to further broadening of the scope and prove that positions among member states are still too far apart from reaching consensus on key issues. A whole bunch of my previous speakers with whom I all agree have spoken about this. To again, be very clear, there is now a provision calling for protocols on additional cyber crimes to be covered before the scope of the convention has been agreed upon. Now, this appears to be at best an inadequate compromise on the scope of the convention itself. At worst, it proves that positions among member states are simply too far apart to reasonably deliver a useful cyber crime treaty today, including protocol negotiations for undebated and undefined additional crimes immediately after the end of the ad hoc committee as proposed in the draft UNGA resolution, broadens the already overly broad scope of the convention and should not be used as a compromise on the scope of the convention itself.
So, in closing, as member states enter the final final negotiating session of the ad hoc committee on cyber crime, it has become, in our opinion, increasingly clear that states remain divided over fundamental components of what should be included in this convention, including, and this is really important, including the very purpose and the scope of the convention itself. Now, it is my hope that ahead of this last session, member states will recognize the severe flaws that still exist raised by civil society and industry alike throughout almost three years of negotiations. Let me point to one thing here. Again, you’ve heard folks from international organizations like the Council of Europe, you’ve heard civil society, you’ve heard industry. By and large, working in this space for 20 plus years, I have never seen industry and civil society be as aligned on their concerns as we have seen in this negotiation. By and large, we could read each other’s statements at the UN. Tatiza’s remarks and mine are very similar, and how often does that really happen in this space? It doesn’t happen all that often, and that in itself should give member states pause, that we’re all agreeing that these are really big problems that still need to be resolved. So Microsoft believes that a treaty focused on core cybercrime offenses with real and robust safeguards and clear intent requirements would be a useful outcome. However, the current draft of this convention is still very far from that, and if adopted, would make cyberspace less secure, erode data privacy, and severely threaten online rights and freedoms globally. So there’s a whole lot of work that still needs to be done in July and August. And on that happy note, back to you, Anastasiya. Thank you for having us.

Anastasiya Kazakova:
Thank you so much, Neno. Indeed, it’s a happy note, and we will see whether the miracle will happen. And I’d like to just highlight to all speakers that there’s an excellent opportunity today to share all of your relevant documents, positions, submissions with the broader community, so please feel free to use the chat. And before we turn into the chat for the questions, I have a final question to all of you, and probably we’ll start first with Neno and Yuliya for this. We’ve heard a lot of the concerns, including from you, but now the main question, what would happen, as you believe, after this concluding session? What are your hypothetical scenarios and the predictions that might happen after the negotiations, and what probably possible impacts you envision for your organizations and other stakeholders? So I’d like to start with Neno, you first, and then to Yuliya, and then we will proceed with other experts.

Nemanja Neno Malisevic:
Okay, so I want to pivot slightly because I don’t want to presuppose that there is going to be an outcome. I feel there are still a lot of problems in this convention. And again, I can tell you the way it is intended to go is that in the remaining two weeks that countries have, they go through the text, that hopefully they agree within the first week, iron out all the challenges, which, I agree with Alexander, would be a miracle for that to happen, and then basically just use the second week to read through the text and do all the admin that is required for the UN to pass a treaty, and then basically follow the way that this goes so that it gets approved with an UNGA resolution. Now, the impact of all of this, let me just be really clear: the signaling function of a UN treaty is massive. So whatever is included in this will impact what states do in this space. Some of the previous speakers, I can’t remember, I think it was Tatiana who mentioned that legislation didn’t just start now, or maybe it was Katitza or Paloma, I’m not entirely sure, but the point is super valid. There are cyber crime legislations in place, but in those places where they are not in place, those countries will look at a UN treaty and use it as an inspiration, which is why, again, we need to be aware of the signaling function of a treaty like this, and we need to make sure that if a treaty is passed, that it is actually useful, that it actually makes the situation better. This current draft does not make the situation better. So I don’t want to presuppose and acknowledge that it’s a foregone conclusion that there needs to be and will be a treaty. I think we need to see where states are after the end of this negotiation in July and August and see if they are actually able to agree on something that does make the situation better. And then obviously the question that needs to be asked, and Alexander asked this earlier, is countries need to ask themselves, depending on whatever gets agreed on here, is this something they can actually get through their national parliaments and actually ratify down the line? And again, with industry and civil society being as concerned as we have been in this space, I think that is a big question for countries that they need to ask themselves, because again, those concerns that industry and civil society have will not just magically disappear. We have been following this with great concerns for three years, and we are still, as you can hear from all of us, super concerned where things are, and the fact that industry and civil society are as aligned as we are, in itself, should amplify these concerns. And I’ll stop here.

Anastasiya Kazakova:
Many thanks, Neno. Yuliya?

Yuliya Shlychkova:
So in my opinion, it’s important to do things right rather than fast. So I think important safeguards need to be placed before materialization of procedures. And at the same time, this is important dialogue, and it has to continue. And let’s hope that when the outcome will be mutually recognized and accepted by everyone, it will drive really good change for all of us in terms of tackling cybercrime, because we need to address it. There is no sign of slowing down cybercrime, so we need to address this.

Anastasiya Kazakova:
Thank you so much. I’d like to turn now to the civil society representatives, and start with Paloma, and then turn to Katitza.

Paloma Lara-Castro:
Thank you. Well, echoing what has been said before, I think we can’t anticipate what is going to happen. There have been surprises within the last negotiations. We can hope that states will uphold their international commitments and strengthen human rights and safeguards within the convention. We can hope the additional protocols won’t happen. We can try to continue guiding with international framework, and hopefully states will uphold their commitments. But at the same time, we also have to be prepared to another possible outcome that is the outcome that has been building up in the last years and has been demonstrated throughout negotiations and in the latest text. So we do need to think about how to organize in the implementation of the treaty, what other avenues do we have? How do we uphold international human rights within local legislation? How do we keep fighting for our rights to be respected and acknowledged? And also how are we going to deal with the situation of the most affected communities within this treaty? So I would say, keep working together has been a key area that has worked within civil society and also industry as have been mentioned. We have been working together, raising concerns, common concern, and that has been proven effectively. So that proves that we can continue to work together and find common points as a positive note. And then also as a call for action, as I mentioned before, we should keep fighting. This is not the end of our rights. We should just keep fighting other ways and more creative ways within the law as well to uphold the states accountable and really demand their comprisement of human rights. So thank you.

Anastasiya Kazakova:
Thank you very much. Katitza, what would be your predictions?

Katitza Rodriguez:
Well, I have a scenario planning, but I think many things could happen, but I think that the current draft as written remains fundamentally flawed. It spans from the last powers without robust check and balances. It undermines human rights and poses difficult risks to marginalized communities and cybersecurity research. But I believe what is worse is that countries that believe in the rule of law should not lend their support to provide, to adopt a treaty, to provide a legal basis for international cooperation that could lead to transnational repression, especially in those countries where expressing who you are for raising a rainbow flag, for expressing yourself as part of the LGBTQ plus community is considered a serious crime. So that’s the main issue. If countries adopt a treaty with such a broad scope and not concrete role safeguards, they are lending their name to provide a legal basis that could lead to transnational repression. And they should think twice about what they’re doing now. Thank you.

Anastasiya Kazakova:
Thank you very much. Tatiana and Alexander. So again, the question to you, what would be your predictions? And I’d like to also take the question, I think the relevant one from the chat, how likely you believe the treaty will just go through given it is now already in the final stages and given it has a strong support from certain large countries. So your predictions again, after the concluding session.

Tatiana Tropina:
Thank you, Anastasiya, for your question. And I would say that it is hard to make prediction in this process. I don’t have predictions. I don’t assume that there would be convention and I don’t even believe that when I look at the current draft that we need this treaty at all. Honestly, I don’t have predictions but I do have fears and hopes. And my fear is that there was so much effort put in these negotiations. Also by the countries who respect the rule of law and who have been trying to fix the things, would have been trying to put human rights safeguards to improve the text, to reach consensus. My fear is that with so much effort already put in there and for the spirit of being good multilateralists, the countries will give in here and there and we will end with a treaty which might not be ratified down the road somewhere. further polarize, my countries might water down safeguards. So concluded for good, but not providing it with robust safeguards, and this is my fear. This is my main fear. But my hope is that it’s not going to happen. My hope that there would be countries, if things go as they are, if this draft is not fixed, my hope is that countries and other stakeholders will stand up and speak against this draft and that there would be no treaty. So this is my hope. And I also want to highlight one thing, and this speaks to what Katitza said. I think that there is this widespread idea, oh, but these countries are doing it anyway. They will continue to oppress LGBT or political opponents even without this treaty. Yeah, right, that’s true, they are doing it anyway. But doing it without the cybercrime treaty and doing it by the virtue of cybercrime, by virtue of cybercrime treaty, there are two different things. So I hope that this treaty will not legitimize all the abuse that we have now already. I hope that this will not happen, thank you.

Anastasiya Kazakova:
Thank you, Tatiana. And Alexander, we definitely heard from you as well that there’s already some positive impacts for the Budapest Convention and for Council of Europe as the process raises awareness among other countries on these issues. So whether you anticipate that the treaties get adopted or maybe countries will agree on one more concluding session and what would be your thoughts on this?

Alexander Seger:
Thank you. From what I understand is that there is no appetite by anyone to continue negotiations beyond 9th of August. While it was still possible in February to suspend the session, this will not be possible anymore because the mandate of the Ad Hoc Committee expires on the 9th of September. So 9th of August is the last day to agree on a text and it has to be very quickly edited, translated and so on and then process and then submitted to the General Assembly to reach it before the 10th of September, so on the 9th of September. If there is no treaty now at the UN, there will be no treaty in my opinion in the foreseeable future, unless, and this is the risk, that one or more member states of the United Nations decide to submit their own version of a treaty to the United Nations General Assembly and hope that somehow it finds its way through. So that risk is also there if there’s no treaty now. We should also be realistic that I don’t believe that there’s any chance to further improve this text beyond, you know, cosmetics here and there. I don’t believe there is a chance to further improve whatever, Article 6, Paragraph 2, you know, on human rights. There is a big risk that these provisions will be removed because there will be a lot of pressure from countries to weaken safeguards. That is a very important thing to keep in mind. So it would probably, if for political reasons, there is agreement on a treaty, I guess it will be at the level of signature and ratifications. The then states may then say, we don’t do it. We don’t go along with it. That’s how I see the situation. There was an interesting question by Vladimir in the chat about scenarios and divides and so on. I have personally always thought that Russia, when promoting all of this, would not necessarily want a treaty where 193 UN member states become parties to that.
But that they wanted to create their own club of countries, their club, with the legitimacy of a UN treaty as opposed to Budapest Convention Club. But that is a bit of an old-fashioned way of looking at the whole thing. Because as I said before, countries use different tools. I believe that countries will say, OK, we are a party to Budapest. Maybe we also join the UN treaty in addition. They rely on multiplex relations, as we see now also in connection with the Ukraine and with the Ukraine war, where countries don’t express themselves clearly. They try to do it right with all sides of it. And it will also happen with the treaty once it is there. So looking at the many red and yellow parts, even with the best will of everyone, it would be very difficult to reach agreement. Somehow, I still hope that there will be a treaty so that the question is out of the way for quite a long time then. Although it will not be out of the way because they also want to work on protocol. So I don’t know. Let’s see. Any of you going to New York? Would be good to see you there.

Anastasiya Kazakova:
Thank you so much, Alexander. I think we indeed have been left with a lot of hope, but still a lot of alarming thoughts and concerns. But I’d like to invite my colleague Bojana to summarize what’s going on in the chat and whether we have any other open questions.

Bojana Kovac:
Yeah, hello, everyone. So there has been a lot of discussion in the chat. One of the comments that has been put on is that with a lot of protocols in the treaties, obligation, monitoring amendments and remedial actions become very difficult, so simplicity may provide solutions. So that was one of the comments. Now with regards to the questions, there was one on how will a cyber crime treaty stop some countries from sponsoring cyber criminals as most of the big attacks come from these groups. How will this help as we already have mutual legal assistance treaties? Shouldn’t there be a broader cyber war treaty? And the second question is about what about crimes committed through the use of AI technologies? Is the current convention focus enough to address these emerging threats?

Anastasiya Kazakova:
Thank you very much. Anyone would like to address these questions regarding the cyber war treaty? I think that’s really getting quite easy to get confused with all the cyber definitions and definitions is definitely one of the challenges in this process. But maybe even follow up on the cyber war treaty, whether you believe that if there’s success in this process, would there be any success for a parallel process that takes place in the first committee between states to discuss responsible behavior in cyberspace? So any responses to these questions? And the other question about the emerging technologies as well.

Alexander Seger:
And maybe I start?

Anastasiya Kazakova:
Yes, please.

Alexander Seger:
Indeed, cyber war treaty or whatever one would call it would indeed fall under the first committee. The idea of this treaty is that it’s a criminal justice treaty. The problem is that the current title, which is a very awkward title, because it’s very long, doesn’t only talk about cyber crime, but you know, crimes committed by ICT and so on, could be confused and create some confusion in that respect and would point towards a broader treaty that deals with cybersecurity matters, which is not the purpose in principle, but that risk is there. So again, cyber war matters of international security would have to be, if at all, sorted out in a separate treaty or in a separate instrument that would fall under the first committee, not the third committee as this current version of the treaty. And on emerging technologies, good question. It doesn’t talk about artificial intelligence. It doesn’t talk about quantum computing, this treaty, but this is fine. I would assume, and we also want to undertake this exercise in connection with the Budapest Convention, we want to do a bit of a mapping to see how the current provisions of the convention and the protocols, Budapest Convention protocols would also apply to crimes committed by artificial intelligence, whether evidence collected via AI would also, what conditions would have to be met, whether current procedures would function in that context, a lot of work ahead. But a treaty has to be neutral in terms of technology and so many of the things may be covered already in this new future UN treaty, as many things are probably already covered under the Budapest Convention.

Anastasiya Kazakova:
Thank you very much. Also highlighting this, I think, important aspect about the provision to ensure that any future legal instrument would actually be technology neutral, as much as possible, of course. Any other comments from other experts?

Katitza Rodriguez:
Yeah, I do want to make a comment that crimes committed using AI, I always want to say, should be viewed similarly to crimes committed using other tools or technologies. Like, for instance, the issue should be, the core issue should be the criminal act itself and not necessarily the tools used to commit a crime. While I can see that AI will introduce certain complexities on the issues, it’s important that we don’t lose the fact that they could use AI for attacks, which could be Article 6 to 10, for things like that. And so for fraud or for other criminal offense that maybe is already legislated in the country. I just want to put like that, because we get very excited with the new technology. And this is what we see in the cybercrime treaty, that they want this very broad scope, like it’s criminalization of the use of ICT for criminal purposes. So I feel that the technology is a tool to commit a crime, and we should focus on the criminal act itself. And that’s my thought. Yeah.

Anastasiya Kazakova:
Thank you so much, Katitza. Tatiana?

Tatiana Tropina:
Yeah, just to echo what Alexander and Katitza said, from the first look and second look and more deeper analysis to me, the Budapest Convention and technology neutral legislation covers all the threats that I see in AI and use AI of crime commission as they stand now and criminal law cannot be predictive. We cannot predict what will happen next and criminalize something out of the blue. So to me, almost everything is covered, at least on the international level by the Budapest Convention right now, because as Katitza said, to me, the explanation is simple. Criminal law should deal with harms that is caused to human, to data, to society, to whatever, rather than with technology that caused this harm. And the only thing that is not covered by the current legislation, which is outside of the scope of the Cybercrime Convention, but is brought by new technology is sexual assaults in metaverse, for example, when rape is virtual, but the effect is physical. So this is not covered, but this is outside of the scope of the Cybercrime Convention on the UN negotiation and whatever. This is something that national legislators are going to deal, psychological harm and physical harm versus what we define as physical harm crimes. But this is outside of the scope of high technology crime as we know it. Thank you.

Anastasiya Kazakova:
Thank you very much. Alasko, are there any other comments as well? But I also see a really good question from Vlada, which goes to a very simplistic situation, but I think that’s a situation that might happen, hopefully not, but still, to any regular user. Let’s imagine an entrepreneur in Albania running a business by selling goods through Instagram accounts, who gets hacked by say a criminal in Togo, vice versa, and loses own business and revenue. So the question, hypothetically, whether now or after this global convention again, if it happens, if that’s adopted, there would be more opportunities for the law enforcement and police of the two countries to work more effectively and hopefully to get more security for users. So maybe very shortly, if anyone has any reflections. I see Alexander is well responded in the chat.

Alexander Seger:
Yeah, I respond to that. We’ve had this type of situation, but not between Albania and Togo, but between another country, actually the one I’m sitting in right now, in Romania, and another West African country that is a party to the Budapest Convention. And it has been used along these lines, not necessarily via police to police, but police police first, but then via traditional, between traditional authorities and so on, it has worked out quite OK. So yes, that is covered. And since similar provisions have been copied into the Budapest Convention, it could also function under, in the UN treaty, it can also function under a UN treaty from that aspect. Again, this is practical speaking. We, of course, have to keep in mind all the risks that have been mentioned by Katitza and others during our discussion today.

Anastasiya Kazakova:
Thank you very much. I don’t see any hands further, but I’d like to probably conclude at this point. Thank you so much to all our experts, but also, most importantly, to everyone who listens to us and also share the comments and the questions in the chat. Well, we are at this point, I guess, we’re left with a lot of concerns, a lot of thoughts to think about. But let’s see what happens later in July. And we, from outside, at the Diplo team, we will also keep monitoring the situation and we’ll get back with the reporting for the broader community. But again, I’d like to thank all our experts for helping us to unpack a little bit all these nuances in this process. It’s certainly been not a complex, the most complex, probably, process involving so many stakeholders at once. Thank you so much. And we wish the good rest of the day to everyone. And again, hopefully, we will see more positive, less pessimistic outcome of this process.

Speaker statistics

Alexander Seger: speech speed 175 words per minute; speech length 3794 words; speech time 1304 secs

Anastasiya Kazakova: speech speed 177 words per minute; speech length 2389 words; speech time 809 secs

Bojana Kovac: speech speed 149 words per minute; speech length 143 words; speech time 58 secs

Katitza Rodriguez: speech speed 152 words per minute; speech length 1991 words; speech time 784 secs

Nemanja Neno Malisevic: speech speed 174 words per minute; speech length 1881 words; speech time 647 secs

Paloma Lara-Castro: speech speed 164 words per minute; speech length 2115 words; speech time 775 secs

Tatiana Tropina: speech speed 176 words per minute; speech length 2399 words; speech time 818 secs

Yuliya Shlychkova: speech speed 128 words per minute; speech length 1063 words; speech time 497 secs