In this series of articles, SMEX analyzes the objectives and limitations of the Cybercrime Convention adopted on August 8, 2024 as well as its political and legal implications for the SWANA region. This series explains how the convention may fail to achieve its purposes and offers possible solutions to cybercrime threats.
In 2019, when Russia, with China’s support, submitted to the United Nations the “Cybercrime Convention on Combating Cybercrimes,” the General Assembly of the United Nations (UNGA) established an ad hoc intergovernmental committee to study the proposal through its resolution 74/247.
Since then, UN member states and civil society actors have been debating the terms of this convention, especially the convention’s scope and the definitions of what constitutes cybercrime. There was no law or international agreement on this issue until UN member states adopted the Cybercrime Convention on August 8, 2024.
The convention has three main goals: to improve how cybercrime is prevented and tackled, to strengthen international cooperation against cybercrime, and to support technical assistance and capacity-building, especially for developing countries. In this series, we will examine how well the convention achieves these goals.
Cybercrime poses a significant and escalating threat to today’s world. It cost the world’s economy more than nine trillion US dollars annually in 2023, compared to 860 billion dollars six years ago. Cyber attacks take many forms, including ransomware attacks, Business Email Compromise (BEC), data breaches, Distributed Denial of Service (DDoS) attacks, Intellectual Property (IP) theft, financial fraud and identity theft, and supply chain attacks.
Beyond the staggering financial impact, cybercrime encompasses various malicious activities, including spyware use.
Spyware, such as the notorious Pegasus software developed by the Israeli firm NSO Group, is an example of the severe risks associated with cyber espionage. Pegasus can infiltrate smartphones without users’ knowledge, allowing the attacker to access text messages, emails, and photos and even activate the camera and microphone.
This spyware has been used in the surveillance of journalists, human rights activists, and political dissidents around the world.
Another example is FinFisher, also known as FinSpy, a spyware that various governments have used to monitor citizens. FinFisher can operate covertly on a victim’s device, recording keystrokes, intercepting calls, and collecting other personal data.
The widespread use of spyware threatens individual privacy and undermines democratic institutions and the rule of law. It creates an environment of fear and mistrust, where individuals may self-censor or avoid engaging in legitimate activities out of concern that their actions are being monitored.
This erosion of civil liberties is a significant aspect of cybercrime’s broader impact, extending beyond financial losses to affect the very fabric of society.
Cybercrime is transnational by nature. It requires cooperation between states to investigate and prosecute offenders. Without a universal cybercrime convention, no universally agreed-upon definition existed for cybercrime. Thus, the divergence on what constituted cybercrime among different countries had so far led to inconsistencies in enforcement and prosecution.
Despite sixty countries ratifying the Budapest Convention on Cybercrime in 2001, challenges persisted. Some states argue that the convention is outdated and does not adequately address current cyber threats.
According to the United Nations Conference on Trade and Development (UNCTAD), approximately 80% of countries (156) worldwide have enacted cybercrime laws, including Egypt, Syria, Kuwait, Saudi Arabia, UAE, Jordan, Iraq, Libya, Tunisia, and Algeria from the SWANA region.
Nonetheless, the quality and standards of these laws vary significantly from one country to another. The proliferation of cybercrime laws alone does not guarantee a fitting response to the evolving landscape of digital threats.
Rather, it highlights the urgent need for countries to collaborate on creating common frameworks and standards for more effectively addressing global cyber threats.
However, adopting a new Cybercrime Convention that has a globalized vision and objectives was not easy.
Complications to creating an international cybercrime convention
For many years, the proposition of a treaty or convention regulating cyber activities, particularly in warfare and criminal conduct, has been a source of ongoing debate. Russia has persistently advocated for such regulatory measures within the global arena, claiming they are imperative for maintaining international security and stability.
Western states, such as the US, have frequently opposed these initiatives, perceiving them as facets of Russia’s broader political agenda. This split in perspectives draws a fine line between geopolitical considerations and cybersecurity governance, with divergent interests shaping the discourse surrounding the formulation of cyber treaties.
The closest the world ever came to having a universal convention on cyberspace is the “Budapest Cybercrime Convention,” formally known as the Convention on Cybercrime, which was adopted in 2001. The process that led to the convention began in the late 1990s when the Council of Europe recognized the growing threat of cybercrime due to the rise of the internet. After several years of drafting and consultations with various countries, private sector representatives, and experts, the convention was opened for signature in 2001. It was designed not only for European countries but for global adoption, and as such, the US also adopted the Budapest Convention in 2007.
The convention faced criticism related to privacy concerns and sovereignty issues. Critics argued that it allows for excessive surveillance and data sharing between countries without sufficient safeguards for personal privacy. Concerns have also been raised about the convention’s provisions on cross-border access to data. Some countries like Russia view it as undermining national sovereignty and lacking adequate oversight mechanisms.
Ironically, the recently adopted Cybercrime Convention raises exactly the same concerns, especially from civil society actors. So what has changed, and what are the problems in the provisions regarding cross-border operations in the new convention?
Could the convention enable international authoritarian collaboration?
With this new convention, the concern around cross-border operations shifts from issues of national sovereignty to the potential consensual misuse of its provisions for cross-border surveillance and the suppression of dissent.
A key issue lies in the treaty’s chapter on “international cooperation,” which allows countries to use intrusive surveillance to gather evidence based on their own laws, rather than limiting it to specific cybercrimes. This broad approach enables countries to exploit the treaty, using their laws to justify surveillance requests, even for actions protected under international human rights standards.
The problem is compounded by the “mutual legal assistance” provisions, which let countries assist each other in collecting digital evidence based on their definitions of crime, rather than a universally agreed standard.
The treaty allows cooperation for crimes punishable by three or more years in prison. This includes discriminatory laws in some countries that target LGBTQ+ individuals, enabling unjustified international surveillance for actions deemed “immoral” under their laws but not criminal elsewhere.
In short, member states can define cybercrime on their own terms, risking the legitimization of authoritarian cybercrime laws used for censorship.
The risks of a universal convention with broad definitions
A broad or all-encompassing definition of cybercrime could be misused by governments to suppress free speech and political dissent. Such definitions may also be used to crack down on marginalized groups and individuals, such as LGBTQ+ folks. While those definitions will be analyzed in detail, for the purposes of clarity, it is necessary to define cyber-enabled crimes and cyber-dependent crimes.
Cyber-enabled crimes are traditional crimes that are made easier, more effective, or harder to detect through the use of computers and the internet. These crimes are not inherently digital but are facilitated by technology. Examples include but are not limited to fraud, identity theft, cyberbullying, and the distribution of illegal content.
On the other hand, cyber-dependent crimes are those that can only be committed using digital technologies, such as computer systems and networks. These crimes rely entirely on the existence of the internet and digital devices. Examples of cyber-dependent crimes include hacking, Distributed Denial of Service (DDoS) attacks, creating and distributing malware like viruses and ransomware, and conducting data breaches to steal sensitive information.
The problem lies in the use of cyber-enabled crimes in the Convention, as states have different criminal laws and different crimes. For example, homosexuality is penalized in some countries while being legal in others. It is possible for those penalizing homosexuality to use the broadly defined cyber-enabled crimes inside the Convention to justify a crackdown on LGBTQ+ activists.
In the SWANA region, some countries have already used vague cybercrime laws to censor and detain people unfairly.
Israel recently arrested more than 400 Israelis, primarily Arab citizens, for content posted on social media, citing online activity deemed to incite or support Hamas as the reason. However, some of these citizens were merely arrested for changing their profile picture on social media to a Palestinian flag or posting a “cartoon” criticizing the international response to conflicts in Ukraine and Palestine.
Israel employs several legal frameworks to monitor and regulate online content, particularly targeting Palestinians. In the case of cyber-enabled crimes, Israel uses the Anti-Terrorism Law passed in 2016. The law provides broad definitions of terrorism and can include online expressions of support for Palestinian resistance or criticism of Israeli policies. The law allows authorities to prosecute individuals based on their social media posts, which can be arbitrarily interpreted as encouraging terrorism or supporting a terrorist organization.
Egypt’s 2018 Cybercrime Law contains provisions that are broadly defined, giving the state sweeping powers to block websites and monitor online communications. Article 7 of the law allows authorities to block any website deemed to threaten national security, public order, or public morals.
This has led to the suppression of independent news websites and the detention of journalists and activists for online posts critical of the government. Several activists and bloggers have been arrested under this law for allegedly spreading false news or insulting state institutions, which are broadly interpreted offenses.
Saudi Arabia’s Anti-Cybercrime Law, introduced in 2007, has been used to target individuals for online expression critical of the government. The law criminalizes the production, preparation, transmission, or storage of material that “harms public order, religious values, public morals, and privacy” without clearly defining these terms.
This overreach has resulted in the detention of activists, bloggers, and social media users who have expressed dissenting views or advocated for human rights. For instance, prominent women’s rights activists have been arrested and sentenced under this law for their online campaigns against the male guardianship system.
Digital rights organizations, such as EFF, AccessNow, and HRW, fear the adopted convention could lead to increased censorship, especially in regions where governments already exploit cybercrime laws for political control.
How will the convention impact SWANA states?
Civil society organizations (CSOs) and freedom of expression advocates in the SWANA region already face challenges bypassing state-sponsored censorship.
Almost all SWANA states avoid using clear definitions of what constitutes cybercrimes and even oppose the inclusion of terms referring to human rights, as such provisions would make the existing cybercrime laws in those countries “illegal.”
While the focus of the Cybercrime Convention has been on curbing cybercrime, many cyber threats stem from governments engaging in espionage (spying) or launching cyber attacks on other states.
Currently, Israel is accused of using spyware against countries like Lebanon and Palestine. States such as the UAE and Saudi Arabia are also allegedly using spyware provided by Israel against dissidents in other countries.
Government-sponsored cyber attacks and the limits of the convention
Cyberattacks, in contrast to cybercrimes, are often initiated by state-sponsored hacker groups against the infrastructure of another country.
The Cybercrime Convention falls short on cyberwarfare and espionage. By introducing an international convention addressing the latter, the international community can help hold governments accountable for their actions in cyberspace and prevent the misuse of cyber tools for political or military purposes.
This political situation underscores the need for a broader approach to cybersecurity governance. Therefore, a revised convention that encompasses laws and regulations that govern state conduct in cyberspace would be more beneficial to ensure the protection of individual rights and promote stability and security in the digital space. However, such a treaty or convention is not easily achievable.
In the next article, we will tackle the specifics of the definitions in the Convention, along with its effects on activists and marginalized groups.
Cover Image: JAKUB PORZYCKI / NurPhoto via AFP