UN Cybercrime Draft Convention Dangerously Expands State Surveillance Powers Without Robust Privacy
by Katitza Rodriguez | Electronic Frontier Foundation
This is the third post in a series highlighting flaws in the proposed UN Cybercrime Convention. Check out Part I, our detailed analysis on the criminalization of security research activities, and Part II, an analysis of the human rights safeguards.
As we near the final negotiating session for the proposed UN Cybercrime Treaty, countries are running out of time to make much-needed improvements to the draft text. Delegates meeting in New York July 29 to August 9 are tasked with finalizing the convention’s text that, if adopted, could dramatically reshape criminal laws across the world in favor of more and wider surveillance and weaker human rights safeguards.
Countries that believe in the rule of law must stand up and either defeat the convention or dramatically limit its scope, adhering to non-negotiable red lines as outlined by over 100 NGOs. In an uncommon alliance, civil society and industry agreed earlier this year in a joint letter that the treaty as it was currently drafted must be rejected and amended to protect privacy and data protection rights. None of those amendments have been made in the latest version of the proposed Convention.
The UN Ad Hoc Committee overseeing the talks and preparation of a final text is expected to consider a revised but still-flawed text in its entirety, along with the interpretative notes, during the first week of the session, with a focus on all provisions not yet agreed ad referendum. However, in keeping with the principle in multilateral negotiations that nothing is agreed until everything is agreed, any provisions of the draft that have already been agreed could potentially be reopened.
An updated draft, dated May 23, 2024, but released on June 14th, is far from settled, though. Tremendous disagreements still exist among countries on crucial issues, including the scope of cross border surveillance powers and protection of human rights. Nevertheless, some countries expect the latest draft to be adopted.
Earlier drafts included criminalization of a wide range of speech, and a number of non-cyber crimes. Just when we thought Member States had succeeded in removing many of the most concerning crimes from the convention’s text, they could be making a reappearance. The Ad-Hoc Committee Chair’s proposed General Assembly resolution includes a promise of two additional sessions to negotiate an amendment with more crimes: “a draft protocol supplementary to the Convention, addressing, inter alia, additional criminal offenses.”
Let us be clear: without robust mandatory data protection and privacy safeguards, the updated draft is bad news for people around the world. It will exacerbate existing disparities in human rights protections, potentially allowing increased government overreach, unchecked surveillance, and access to sensitive data that will leave individuals vulnerable to privacy and data protection violations, human rights abuses, or transnational repression. Critical privacy safeguards continue to be woefully inadequate, and there are no explicit data protection principles in the text itself.
In this third post, we explore problems caused by the expansive definition of “electronic data,” combined with the lack of mandatory privacy and data protection safeguards in the proposed convention. This term has a very broad and vague reach. It appears to include sensitive personal data, like biometric identifiers, which could be accessed by police without adequate protections and under weak privacy safeguards. Worse, it could then be shared with other governments. This poses significant risks for refugees, human rights defenders, and anyone who travels across borders. Instead of this race to the bottom, we call for ironclad privacy and data protection principles in the text to thwart abuses.
Key Surveillance Powers Involving Electronic Data
Chapter IV of the draft, which deals with criminal procedural measures, creates a wide range of government powers to monitor and access people’s digital systems and data, focusing mainly on “subscriber data,” “traffic data,” and “content data.” These powers can be broadly described as forms of communications surveillance or surveillance of communications data. Traditionally, the invasiveness of communications surveillance has been evaluated on the basis of such artificial and formalistic categories.
The revised draft introduces a catch-all category called “Electronic Data” in Article 2(b), defined as “any representation of facts, information, or concepts in a form suitable for processing in an information and communications technology system, including a program suitable to cause an information and communications technology system to perform a function.” This extremely broad definition includes all forms of digital data, which in other contexts would enjoy specific protections based on the nature or origin of that data. For example, data related to the interactions with one’s attorney or doctor is subject to legal privileges. Both types of privilege are designed to ensure that individuals can communicate openly and honestly with their legal and medical professionals without fear that their private information will be exposed or used against them in legal proceedings. And other sensitive data, such as biometric identifiers, should require more stringent processes before being accessed due to the significant risks if collected without proper protections. But the proposed convention doesn’t mention any distinctions in the sensitivity of “electronic data” or the need to ensure that it is subject to obligatory robust privacy or data protection principles.
Three investigative powers—preservation orders (Article 25), production orders (Article 27), and search and seizure (Article 28)—relate to this broader category of “electronic data.” This includes non-communication data, information that hasn’t been communicated to someone else or stored with a service provider. The categories “traffic data,” “subscriber information,” and “content data” apply to communications surveillance, but these categories are not used—and no such distinctions are drawn—in the context of the preservation, production, and search and seizure powers. When data is stored, regardless of how it would have been classified for communications surveillance purposes, the Articles 25, 27, and 28 powers can be used to target it. That includes stored information that would have been regarded as subscriber, traffic, or content data in a communications surveillance context, as well as information (like on-device metadata or recordings, or a diary created locally but never shared) that could not be a target of communications surveillance at all.
Those three powers could potentially be applied to the entire array of data types that can be processed, stored, or transmitted by ICT systems. This includes all types of digital data—ranging from text, images, documents, and biometric identifiers, to software programs and databases. Examples of electronic data in emerging technologies could include training data sets used for machine learning models, including images, text, and structured data; transaction records and smart contracts stored in blockchain networks; sensor data collected from smart devices such as temperature readings, motion detection, and environmental monitoring data; 3D models, spatial data, and user interaction logs used to create immersive experiences; among others. It also includes sensitive information about people that might not always be interpreted as communication data, such as biometric identifiers and neural data, among others.
While there’s consensus that communications content deserves significant protection in law because of its capability to reveal sensitive information, it is now clear that other non-communication data, including those arising from a variety of “electronic data,” may reveal even more sensitive data about an individual than the content itself, and thus deserves at least an equivalent level of protection. The processing of this very sensitive electronic data, coupled with the absence of mandatory robust data protection principles and robust human rights safeguards in the convention itself, raises significant concerns about overreach, privacy invasion, and the unchecked power it grants to police.
Today, these types of information might, taken alone or analyzed collectively, reveal a person’s identity, behavior, associations, physical or medical conditions, race, color, sexual orientation, national origins, or viewpoints. Emerging technologies illustrate these risks clearly. For instance, data from wearable health devices can disclose detailed medical conditions and physical activity patterns; smart home devices can track daily routines and behaviors; and social media analytics can infer political views, social connections, and personal preferences based on patterns of interactions, posts, and likes. Other body-worn sensors like those in augmented reality devices may reveal physiological information related to conscious and unconscious emotional reactions to things we see, hear, or do.
Additionally, geolocation data from smartphones and Internet of Things (IoT) devices can map an individual’s movements over time, potentially identifying their location history, frequented places, and daily commutes, as well as patterns of whom they spent time with. Photo, video surveillance and face recognition data used in public and private spaces can identify individuals and track their interactions, while biometric data from various other sources can confirm identities and provide access to sensitive personal information.
As a result, all data, including electronic data, should be given the highest protection in the proposed convention to safeguard individual privacy and prevent misuse amid the rise of emerging technologies. But the existing convention text gives individual countries huge discretion in what kind of protection to afford to people’s data when implementing these powers. As elsewhere, we should have mandatory privacy safeguards (not just what domestic law might conclude is “appropriate” under Article 24) providing strong limits and oversight for access to all sorts of sensitive data.
Finally, the proposed convention’s vaunted “technological neutrality” also means that there is no built-in mechanism for imposing any new safeguards or restrictions on government access to new kinds of sensitive data in the future. If new technologies are more intimately connected with our bodies, brains, and activities than old technologies, or if they mediate more and more of our social or political lives, the proposed convention does not provide any road map to making the data they produce any harder for police to access.
Like Communication Surveillance Powers, Powers Related to “Electronic Data” All Lack Clear and Robust Privacy and Data Protection Safeguards
All three powers referring to “electronic data” share a problem which we’ve previously seen in other powers related to communications surveillance: none of them include clear mandatory privacy and data protection safeguards to limit how the powers are used. All of the investigative powers in Chapter IV of the draft convention rely on national laws to determine whether or not restrictions that govern them are “appropriate,” leaving out numerous international law standards that ought to be made explicit.
For the “electronic data” powers discussed below, this is equally alarming because these powers can potentially authorize law enforcement to obtain literally anything stored in any computer or digital storage medium. There are no kinds of data that are inherently off-limits in the text of the convention itself (such as a rule that requests may not compel self-incrimination, or that they must respect privileges such as attorney-client privilege or doctor-patient privilege), nor even any that necessarily require prior judicial authorization to obtain, leaving such decisions to the discretion of national law.
Domestic Expedited Preservation Orders of Electronic Data
- Article 25 on preservation orders, already agreed ad referendum, is especially problematic. It’s very broad, will result in individuals’ data being preserved and available for use in prosecutions far more than needed, and fails to include necessary safeguards to avoid abuse of power. By allowing law enforcement to demand preservation with no factual justification, it also risks spreading familiar deficiencies in U.S. law worldwide. Article 25 requires each country to create laws or other measures that let authorities quickly preserve specific electronic data, particularly when there are grounds to believe that such data is at risk of being lost or altered.
- Article 25(2) ensures that when preservation orders are issued, the person or entity in possession of the data must keep it for up to 90 days, giving authorities enough time to obtain the data through legal channels, while allowing this period to be renewed. There is no specified limit on the number of times the order can be renewed, so it can potentially be reimposed indefinitely. Preservation orders should be issued only when they’re absolutely necessary, but Article 24 does not mention the principle of necessity and lacks individual notice and explicit grounds requirements and statistical transparency obligations. The article fails to limit the number of times preservation orders may be renewed to prevent indefinite data preservation requirements. Each preservation order renewal must require a demonstration of continued necessity and factual grounds justifying continued preservation.
- Article 25(3) also compels states to adopt laws that enable gag orders to accompany preservation orders, prohibiting service providers or individuals from informing users that their data was subject to such an order. The duration of such a gag order is left up to domestic legislation. As with all other gag orders, the confidentiality obligation should be subject to time limits and only be available to the extent that disclosure would demonstrably threaten an investigation or other vital interest. Further, individuals whose data was preserved should be notified when it is safe to do so without jeopardizing an investigation. Independent oversight bodies must oversee the application of preservation orders.
Indeed, academics such as prominent law professor and former U.S. Department of Justice lawyer Orin S. Kerr have criticized similar U.S. data preservation practices under 18 U.S.C. § 2703(f) for allowing law enforcement agencies to compel internet service providers to retain all contents of an individual’s online account without their knowledge, any preliminary suspicion, or judicial oversight. This approach, intended as a temporary measure to secure data until further legal authorization is obtained, lacks the foundational legal scrutiny typically required for searches and seizures under the Fourth Amendment, such as probable cause or reasonable suspicion.
The lack of explicit mandatory safeguards raises similar concerns about Article 25 of the proposed UN convention. Kerr argues that these U.S. practices constitute a “seizure” under the Fourth Amendment, indicating that such actions should be justified by probable cause or, at the very least, reasonable suspicion—criteria conspicuously absent in the current draft of the UN convention.
By drawing on Kerr’s analysis, we see a clear warning: without robust safeguards, including an explicit grounds requirement, prior judicial authorization, explicit notification to users, and transparency, preservation orders of electronic data proposed under the draft UN Cybercrime Convention risk replicating the problematic practices of the U.S. on a global scale.
Production Orders of Electronic Data
Article 27(a)’s treatment of “electronic data” in production orders, in light of the draft convention’s broad definition of the term, is especially problematic. This article, which has already been agreed ad referendum, allows production orders to be issued to custodians of electronic data, requiring them to turn over copies of that data. While demanding customer records from a company is a traditional governmental power, this power is dramatically increased in the updated draft.
As we explain above, the extremely broad definition of electronic data, which is often sensitive in nature, raises new and significant privacy and data protection concerns, as it permits authorities to access potentially sensitive information without immediate oversight and prior judicial authorization. The convention needs instead to require prior judicial authorization before such information can be demanded from the companies that hold it. This ensures that an impartial authority assesses the necessity and proportionality of the data request before it is executed. Without mandatory data protection safeguards for the processing of personal data, law enforcement agencies might collect and use personal data without adequate restrictions, thereby risking the exposure and misuse of personal information.
The draft convention fails to include these essential data protection safeguards. To protect human rights, data should be processed lawfully, fairly, and in a transparent manner in relation to the data subject. Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data collected should be adequate, relevant, and limited to what is necessary to the purposes for which they are processed. Authorities should request only the data that is essential for the investigation. Production orders should clearly state the purpose for which the data is being requested. Data should be kept in a format that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed. None of these principles are present in Article 27(a) and they must be.
Search and Seizure of Stored Electronic Data
The draft’s Article 28, also agreed ad referendum, gives governments sweeping powers to search and seize electronic data but, without clear, mandatory privacy and data protection safeguards, it poses a serious threat to privacy and data protection. Article 24 provides some limitations, but they are vague and insufficient, leaving much to the discretion of national laws, and subject to what each country deems “appropriate.” This could lead to significant privacy violations and misuse of sensitive personal information.
- Search or Access: Article 28(1) is a search-and-seizure power that applies to any “electronic data” in an information and communications technology (ICT) system (28(1)(a)) or data storage medium (28(1)(b)). Just as with the prior articles, it doesn’t include specific restrictions on these searches and doesn’t limit what may be targeted, for what purposes, or under what conditions. For example, this could allow authorities to access all files and data on a suspect’s personal computer, mobile device, or cloud storage account.
- Expanding the Search: Article 28(2) allows authorities to search additional systems if they have grounds to believe the data sought is accessible from the initially searched system. While prior judicial authorization must be a requirement so the judge can assess the necessity and proportionality of the search, Article 24 only mandates appropriate conditions and safeguards without explicit judicial authorization. In the US, for example, this power triggers Fourth Amendment protections, which require particularity—specifying the place to be searched and the items to be seized—in search warrants to prevent unreasonable searches and seizures. Article 28(3) empowers authorities to seize or secure electronic data accessed under the previous provisions, including making and retaining copies of electronic data, maintaining its integrity, and rendering it inaccessible or removing it from the system.
- Seizure or Securing Data: Article 28(3)(d) specifically allows authorities to “[r]ender inaccessible or remove those electronic data in the accessed information and communications technology system.” For instance, authorities could copy and store all emails and documents from a suspect’s cloud storage service and then delete them from the original source.
Article 28(3)(d) also raises significant free expression and security concerns.
- First, it seems to allow a court order to permanently destroy the only copy of some data, as there is no requirement to make a backup or to be prepared to restore the data later if there is no court process or the person is not convicted of a crime.
- Second, with regard to publicly accessible data, this is a form of takedown process that can implicate free expression concerns. Articles 5 and 24 help mitigate these concerns. By applying these safeguards, Articles 5 and 24 aim to ensure that the implementation of Article 28(3)(d) does not infringe on free expression or result in disproportionate actions. However, due to the deficiencies in these articles, it remains to be seen how they will be applicable in practice.
As we have written before, Article 24, on conditions and safeguards, fails to protect human rights, by deferring safeguards to national law, rather than laying out strong protections to match the increased powers that the proposed convention provides. It fails to explicitly include crucial principles like legality, necessity, and non-discrimination. Effective human rights protections require prior judicial approval before surveillance is conducted, transparency about actions taken, notifying users when their data is accessed if it does not jeopardize the investigation, and providing ways for individuals to challenge abuses. By deferring those safeguards to national law, Article 24 weakens these protections, as national laws can vary greatly and may not always provide the necessary safeguards.
A safeguard in a treaty that defers to national laws risks inconsistency and abuse. Strong protections in some nations may be undermined by weaker laws in others, ultimately failing to provide the promised protection.
This creates a race to the bottom in human rights standards, where the weakest domestic laws set the global norm, jeopardizing privacy, data protection, and fundamental freedoms that the United Nations treaty aims to uphold.
International Cooperation and Electronic Data
The draft UN Cybercrime Convention includes significant provisions for international cooperation, extending the reach of domestic surveillance powers across borders, by one state on behalf of another state. Such powers, if not properly safeguarded, pose substantial risks to privacy and data protection. (While this post focuses on the safeguards for electronic data, equally concerning is the treatment of communication data, particularly subscriber data and traffic data, which also lacks robust protections and brings up concerning risks.)
- Article 42 (1) (“International cooperation for the purpose of expedited preservation of stored electronic data”) allows one state to ask another to obtain preservation of “electronic data” under the domestic power outlined in Article 25. For example, if Country A is investigating a crime and suspects that relevant data is stored on servers in Country B, Country A can request Country B to preserve this data to prevent it from being deleted or altered before Country A can formally request access to it. Country A may use the 24/7 network as outlined in Article 41(3)(c) to seek information about the data’s location and the service provider. The 24/7 network significantly extends its role beyond merely preserving stored electronic data in Articles 41(3)(c) & (d). The 24/7 network is also empowered to collect evidence when provided legal information, and locate suspects, as well as provide electronic data to avert emergencies if “permitted by the domestic law and practice of the requested Country.” Alarmingly, Article 24, which sets out conditions and safeguards, does not apply to the powers exercised by the 24/7 Network. This absence of oversight means that the network can operate without the necessary checks and balances, potentially leading to abuses of power.
It is important to note that Article 23(4) only authorizes the application of Article 24 safeguards to specific powers within the international cooperation chapter. While one could argue that powers in Chapter V that closely match powers in Chapter IV are actually the same power (and ought to be subject to the same safeguards), significant powers in Chapter V, such as those related to law enforcement cooperation (Article 47) and the 24/7 network (Article 41) do not specifically cite the corresponding Chapter IV powers and so may not be covered by Article 24 safeguards. Consequently, critical aspects such as the handling of electronic data in an emergency, or turning over subscriber information and location, are left without adequate human rights protections. Additionally, Article 47 on law enforcement cooperation highlights the extensive sharing and exchange of sensitive data, further emphasizing the risks of misuse.
- Article 44 (1) (“Mutual legal assistance in accessing stored electronic data”) allows one state to ask another “to search or similarly access, seize or similarly secure, and disclose electronic data,” presumably using powers similar to those under Article 28, although that article is not referenced in Article 44. This specific provision, which has not yet been agreed ad referendum, enables comprehensive international cooperation in accessing stored electronic data. For instance, if Country A needs to access emails stored in Country B for an ongoing investigation, it can request Country B to search and provide the necessary data.
Ironclad Data Protection Principles Are Essential for the Proposed Convention
The basic powers for domestic surveillance are not new and are relatively straightforward, but the introduction of an international convention granting authorities new access to sensitive data—especially across borders—demands stringent data protection measures.
- Data processing must be lawful and fair.
- Data should be collected only for specified, explicit, and legitimate purposes and not processed further in a way incompatible with those purposes.
- Data collection must be minimized so that it’s adequate, relevant, and not excessive in relation to the government’s specific stated purposes.
- Data should be accurate and kept up to date.
- Data must not be kept longer than absolutely necessary.
- Data must be protected against unauthorized access and breaches.
- Individuals should be able to access information about the processing of their own personal data.
- Individuals should be informed about how their data is being used, the purpose of processing, and their rights.
- Data controllers must demonstrate compliance with data protection principles, with accountability mechanisms in place to hold them responsible for violations.
Respecting human rights is not only a legal obligation but also a practical necessity for law enforcement. As the Office of the High Commissioner for Human Rights (OHCHR) said in “Human Rights and Law Enforcement: A Trainer’s Guide on Human Rights for the Police,” law enforcement agencies’ effectiveness is improved when they respect human rights. Moreover, as the Vienna Declaration and Programme of Action note, “The administration of justice, including law enforcement (…) agencies, (…) in full conformity with applicable standards contained in international human rights instruments, [is] essential to the full and non-discriminatory realization of human rights and indispensable to the process of democracy and sustainable development.”
Conclusion
The current draft of the UN Cybercrime Convention is fundamentally flawed. It dangerously expands surveillance powers without robust checks and balances, undermines human rights, and poses significant risks to marginalized communities. The broad and vague definitions of “electronic data,” coupled with weak privacy and data protection safeguards, exacerbate these concerns.
Traditional domestic surveillance powers are particularly concerning as they underpin international surveillance cooperation. This means that one country can easily comply with the requests of another, which, if not adequately safeguarded, can lead to widespread government overreach and human rights abuses.
Without stringent data protection principles and robust privacy safeguards, these powers can be misused, threatening human rights defenders, immigrants, refugees, and journalists. We urgently call on all countries committed to the rule of law, social justice, and human rights to unite against this dangerous draft. Whether large or small, developed or developing, every nation has a stake in ensuring that privacy and data protection are not sacrificed.
Significant amendments must be made to ensure these surveillance powers are exercised responsibly and protect privacy and data protection rights. If these essential changes are not made, countries must reject the proposed convention to prevent it from becoming a tool for human rights violations or transnational repression.