How a New UN Cybercrime Treaty Could Lead to the Repression of Civil Liberties

Posted on Apr 20, 2023 by Glyn Moody

Spyware is arguably one of the most insidious threats to privacy today. While other forms of privacy invasion – CCTV surveillance or even browser cookies – are more or less obvious, spyware is designed to be hidden, and for you to remain unaware of its presence on your systems. That’s why the NSO leak back in 2021 caused such a stir. If you didn’t catch it, the NSO Group is one of the leading spyware companies, and the leak revealed information about who their targets were.

Since then, the world of spyware has not stood still. The NSO Group has continued to release new spyware that has been deployed against civil society targets around the world. Greece was rocked by a continuing scandal that centered on the use and sale of Predator spyware. And, as I reported back in January, Meta’s lawsuit against NSO for the latter’s alleged use of WhatsApp to spy on people is going forward.

The matter of commercial spyware is serious enough for governments to have taken notice, and now it seems they’re bent on taking action as well. Unfortunately, some parties are trying to use this opportunity to give authorities more power to moderate content, invade citizens’ online privacy, and even restrict their freedom of speech.

Spyware Becomes a Matter of Sovereignty

Recently, President Biden issued an Executive Order (EO) imposing a “Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security”. This forbids any part of the US government from using spyware from a company whose products have been used to spy on US citizens without their consent, or

“to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities in order to intimidate such persons; curb dissent or political opposition; otherwise limit freedoms of expression, peaceful assembly, or association; or enable other forms of human rights abuses or suppression of civil liberties”.

The Electronic Frontier Foundation points out that the EO does not name any company specifically, which might lead some government agencies to think that they can use foreign spyware from less well-known vendors. In fact, rather embarrassingly, a few days after the EO was published, it was revealed that the US government had been using spyware from the NSO Group.

Building on Biden’s EO, the governments of Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States issued a “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware”, which concluded:

“Our efforts will allow us to work collectively for the first time as we develop and implement policies to discourage the misuse of commercial spyware and encourage the development and implementation of responsible use principles that are consistent with respect for universal human rights, the rule of law, and civil rights and civil liberties.”

Fine sentiments, but moving from words to deeds is likely to be hard and slow. The lack of any coherent effort to stamp out or even simply control commercial spyware is confirmed by the fact that Poland, Greece and Spain were invited to sign the declaration but, according to an article in Foreign Policy, declined to do so.

Regulating Spyware Can Turn Into Repression

That lends a particular importance to a UN Cybercrime Treaty that is currently under discussion. As an EFF timeline of the treaty shows, work began on this back in 2017, with a draft version of the treaty submitted by Russia. That in itself should be an indication that the proposed treaty is not quite what it seems.

As Human Rights Watch warned in 2021, instead of protecting people from cybercrime, if drafted in the wrong way, the treaty could undermine basic human rights like privacy and freedom of speech. How? By giving governments the right to tighten their control over the Internet.

In 2022, the EFF and ten civil society organizations published a letter supported by many other groups and academics around the world warning again that the treaty risks “running afoul of international human rights laws”. More recently, the EFF has written an updated and detailed criticism of key clauses in the treaty, including those affecting privacy:

“The general expansion of surveillance powers in the draft includes squishy language that law enforcement could use to authorize hacking into our devices without further public debate. That language should be clarified to remove ambiguities about which powers are intended.

“The draft treaty also oddly refers to allowing authorities to use “special investigative techniques” without ever defining what those are. The current language, indeed, could allow any type of surveillance technology – from malware to IMSI catchers [discussed previously on our blog], machine learning prediction, and other mass surveillance tools – as well as any tool or technique that may exist in the future.”

Manipulating UN Treaty for Their Own Benefit

The EFF has other concerns too. For example, treaty negotiators have proposed a variety of provisions that would expand surveillance powers across international borders, as well as within each country. These include interception of content, real-time collection of data, and admission of digital evidence.

There is also a provision for “spontaneous information”, which refers to the ability of governments to share the results of their electronic surveillance with other governments whenever domestic law allows this. Although this capability is already present in many countries, the EFF believes that enshrining it in a UN treaty will encourage the practice, even with countries that have a poor human rights record.

The EFF has many other comments on the current state of the treaty. But its main point is that it doesn’t believe a UN Cybercrime Treaty is necessary, and that drawing one up comes with serious risks that it will make things worse, not better. In particular, the EFF calls for human rights such as the protection of privacy and freedom of expression to be “baked into” the treaty to ensure that they are respected, whatever the rest of the treaty may say. Doing so would also set a good precedent for future UN treaties dealing with the digital domain.

Featured image by Ad Meskens.