Jessica Jahn

The world is witnessing an alarming rise in cybercrime. In what has been dubbed a “ransomware epidemic,” cybercriminals are increasingly encrypting data and demanding ransom payments, often directly affecting critical infrastructure with collateral damages to the economy. In fact, most crimes now qualify as a form of cybercrime since most activity can be digitalized, whether as content, meta, or other data, and electronic evidence is vital for the prosecution of nearly all offences. Yet, access to digital data continues to impede criminal justice responses partly because the required information is often stored in another country, such as the United States. In Canada, as elsewhere, law enforcement agencies are struggling to keep pace with the increasingly extraterritorial nature of evidence that is necessary for the investigation and prosecution of local crimes. Today, the central questions are how Canada and other countries can better cooperate to end the near impunity from which many (cyber)criminals continue to benefit and how we can prevent human rights safeguards from being eroded in the process.

On 28 February 2022, Canada and other UN Member States started the process of forging compromised global solutions to those questions and others over the course of at least six negotiating sessions towards the elaboration of a new UN cybercrime convention. Canada and like-minded states have much at stake in the negotiations and their ability to induce irresolute countries will not only help determine whether the process is successful but will likely shape discussions on a much broader range of issues, such as digital sovereignty, data nationalism, and online election interference, among others.

Yet, states hold widely divergent views in relation to cybercrime. This includes the fundamental question of whether such a UN treaty is even needed since many states are already committed to other multilateral cybercrime instruments. Canada, for instance, has ratified the Council of Europe’s Convention on Cybercrime (i.e., the “Budapest Convention”) and signed the Additional Protocol on racism and xenophobia in cyberspace. States’ existing international legal obligations and disparate policy positions, placed within the wider geopolitically polarized environment and the ongoing cyberattacks against Ukraine, suggest a fraught path forward for the upcoming negotiations and may even introduce the possibility that a common vision for a UN treaty may not be forged.

If the diplomatic process results in a UN cybercrime convention that enters into force, the treaty could help to remove obstacles to international cooperation. For instance, new cooperative provisions could cover matters not already addressed in other binding multilateral instruments and modernize mechanisms that are largely perceived as ineffective, especially the notoriously painful mutual legal assistance process.

However, the champions of the new process are some of the most repressive governments that have themselves sponsored cyberattacks, portending a greater likelihood of diluted human rights standards and expanded cyber sovereignty. A glimpse into the problematic provisions for which some states will advocate can be found in the draft convention submitted by the Russian Federation, which requested that the draft be used during the negotiations. Even if states attach little significance to Russia’s draft convention, there are a host of issues that will cause division.

At issue, for instance, will be whether and how the treaty might criminalize online content crimes, such as xenophobic material. Alongside online child sexual abuse material and intellectual property crimes, content crimes are typically those that generate the greatest discord among states and will continue to pose challenges during the negotiations. States are also likely to continue to struggle to address encryption and set parameters on unilateral action. Arguably the most controversial provision in the Budapest Convention – Article 32 on trans-border access to stored computer data, which is understood to be one of the reasons why Russia will not sign the instrument – exemplifies the limits of what can be agreed among states in this regard.

In 2017, cybersecurity expert Andrew Woods predicted that “if [the convention] is good, it will not be signed by all relevant parties, and if it is signed by all relevant parties, it will not be good.” Today, those scenarios remain likely and, in either case, the possibility of fragmentation and regression looms large.

As states continue to devise strategies and strengthen alliances during the negotiations, Canada must seek to position itself as a continued defender of human rights, the rule of law, and international cooperation. With like-minded states, Canada should take a decisive and active leadership role during the process by adopting at least the following five positions:

First, Canada must remain firm in its commitment to the Budapest Convention, which is generally regarded as the most comprehensive multilateral instrument against cybercrime. This is crucial because incoherence with existing laws opens the possibility for competing legal regimes, which may spell future conflict. In what may be the best-case scenario, the negotiation process could produce agreement on a treaty that somewhat resembles the Budapest Convention. But delineating how the new UN treaty will fit among the range of other rules and efforts to suppress cybercrime will be part of the challenge, one from which Canada must not capitulate.

Second, Canada should concentrate primarily on the urgent need for improved international cooperation in criminal matters. Indeed, the purpose of any transnational criminal law treaty is to promote international criminal justice cooperation for the prevention and suppression of crime. However, experience from negotiating the United Nations Convention Against Transnational Organized Crime (UNTOC) shows that delegations will bring their own motivations and interests to the process. Whether to link organized crime offences with terrorism, enact harsher laws for border control, or otherwise, delegates around the table in the late 1990s were negotiating UNTOC for diverse reasons. So, too, will the delegates around the negotiating table today. Like the approach adopted by Keith Morrill, Canada’s Chief Negotiator of UNTOC, Canada should concentrate on the so-called cooperative provisions in the new cybercrime treaty and attempt to modernize the mechanisms for cooperation, especially trans-border data sharing.

Third, Canada must be prepared to adopt an intentional position against the harmful expansion of the treaty’s scope. A review of states’ submitted position papers demonstrates that some are eager to expand the negotiations to cover not only criminal justice matters, but also a range of issues related to cybersecurity and cyberspace more broadly. Even though cybersecurity and cybercrime coalesce in various ways, Canada and its allies must be prepared to draw an intentional line between the two. Without careful deliberations on such a line, the process could provide cover for some states to criminalize a range of harmful acts.

Fourth, Canada’s overall position should be guided by a rights-based, technology-neutral, and gender-sensitive approach. More specifically, Canada cannot waver from the protection of human rights, such as freedom of speech and privacy. As well, the language of the new treaty should be “future-proof,” meaning that it must be capable of withstanding various technological evolutions and novel vulnerabilities that criminals will inevitably exploit. The technology-neutral principle was adopted in drafting the Budapest Convention, which continues to demonstrate its relevance after more than 20 years. Equally important, Canada can continue to lead global efforts to mainstream gender equality and women’s empowerment by integrating a gender perspective into the treaty. As my colleague Eileen Skinnider explained elsewhere, there are a number of gender-sensitive resources available to Canada and others involved in drafting the cybercrime treaty, including the Gender Impact Assessment.

Fifth, and importantly, Canada should remain receptive to inputs from civil society and actively promote the inclusion of non-governmental organizations, private entities, academics, and others during the negotiations. Indeed, negotiating and implementing standards and norms must be a collective effort to which civil society has much to contribute. Whether during the main negotiating sessions or intersessionally, civil society can help inform the debates by contributing independent research, including on the possible impact of certain elements under consideration, as well as reiterate the crucial function of review mechanisms in assessing the implementation and impact of transnational criminal law treaties, including the new cybercrime convention.

Over the course of the negotiations, Canada’s positions on specific matters will undoubtedly evolve in response to the deliberations and the red lines that other states will draw. But Canada and like-minded states must attach high political priority to the process. If nothing else, the negotiations will test the strength of Canada’s resolve to cooperate in criminal matters and uphold human rights in the process.

Photo by Gaël Gaborel on Unsplash.