The UN Cybercrime Convention Could Help & Harm Victims

Uploaded on 2023-08-16 in NEWS-Cybersecurity News, FREE TO VIEW

In 2019, the UN General Assembly voted to establish an Ad Hoc Committee (AHC) to develop a convention on countering the use of Information and Communication Technologies (ICTs) for criminal purposes. The AHC has met twice since January 2022, convening UN member state delegations in Vienna and New York to negotiate the future cybercrime convention.

The mandating resolution expressed concern about the impact of crimes committed in the digital world on the well-being of individuals. Just as cybercrime is borderless, the impacts of cybercrime on the security of vulnerable groups are inexact.

Vulnerable and marginalized groups offline face newfound, rapidly evolving, and ill-defined threats online.

Determining who is vulnerable in cyberspace – and their levels of protection – is an intersectional exercise; however, as the second session of the AHC has shown, it is also a political and culturally-determined one.

Most states agreed that provisions for protecting vulnerable groups are important. However, continued disagreement on defining and protecting vulnerable groups has resulted in tension, particularly in discussions around gender considerations, combatting child sexual abuse materials (‘CSAM’) and victim and witness protection.

These tensions are the product of divergences in national cultural norms, political values, and existing anti-cybercrime frameworks.

The Vienna Spirit?

In early June, UN member states met in Vienna to share views on three chapters in the future convention (General Provisions, Provisions on Criminalization, and Law Enforcement and Procedural Measures), each of which has direct consequences for the protection of vulnerable groups in cyberspace.

From the get-go, many state and non-state representatives agreed the future treaty needs to include provisions for vulnerable groups and victims, although many states did not make the distinction between the two terms.

Many shared proposals to strengthen international cooperation to counter child sexual abuse material (‘CSAM’) and gender-based violence online; others recommended provisions for improving victim protection.

Why Protecting Vulnerable Groups Is At The Core Of Cybercrime Policymaking

An individual’s social and political identities can expose them to different harms and vulnerabilities. These vulnerabilities are often amplified in cyberspace.

Vulnerability and oppression online – and, conversely, empowerment and privilege – is determined by intersecting identities, including gender, race, sex, sexuality, disability, religion, caste and geography. This is why an intersectional and human-first approach is central to all stages of the anti-cybercrime lifecycle: from policymaking to implementation.

As elaborated in this paper on gender mainstreaming the convention, women and girls are more likely to be victims of the non-consensual sharing of intimate images online, although it is generally unhelpful to synonymize women with victims. Similarly, young men – especially immigrants living in cities – are more likely to experience other forms of cybercrime.

At the national, regional, and international level, there are already several instruments that address cybercrime risks faced by vulnerable groups, like the Council of Europe’s Budapest Convention. However, many instruments fall short of providing adequate protections for vulnerable groups, including the Budapest Convention, which has been criticized for not having stronger safeguards for human rights.

Recognizing shortcomings of current provisions, in July the Law Commission of England and Wales recommended reforms that would make it easier to prosecute sharing non-consensual images and deepfake pornography, crimes which disproportionately affect women.

How Is The AHC Addressing Vulnerable Groups In Cyberspace?

Reflecting interest from states, the AHC chair requested comments on how the future convention should consider gender perspectives. While most states demonstrated an understanding of some gender issues in cybercrime, there was disagreement about whether gender-specific provisions were necessary. Some states - like Armenia -  note that while gender perspectives are a priority, the convention does not need gender-specific provisions.

Recognizing gaps in knowledge about the gendered dimension of cybercrime, Australian and Canadian delegates recommend provisions including appointing a gender adviser and encouraging states to broaden their understanding about gender and cybercrime. Others (notably, the Philippines) push for broadening gender provisions beyond ‘women-specific’ measures, advocating against synonymizing gender with ‘women’, as many states have done so far.

‘Considering gender perspectives’ carries different meanings for different countries. Diverging approaches were demonstrated by discussions on sexual extortion and non-consensual sharing of intimate images. While most agree ‘sextortion’ is a serious issue, delegations disagreed on whether to include or exclude these acts, and why to do so: Jamaica – on behalf of CARICOM – is an advocate for inclusion, whereas EU states cite concerns about the freedom of expression if interpretations about what constitutes these behaviours (and ‘consent’) differs nationally.

Discussions on protecting children in cyberspace and combatting CSAM face similar issues. Despite consensus that children must be protected online, states disagree on what language to use to describe the offence. Terms range from CSAM (a term favoured by Australia, New Zealand, and others) to ‘child pornography’ (the term used in Russia’s proposed text).

Despite consensus that children must be protected online, states disagree on what language to use to describe the offence.

Terminology matters: ‘pornography’ might assume consent, but children – by definition – cannot consent. A ‘child pornography’ provision could have damaging consequences by establishing a higher threshold for criminalization and not covering other exploitative offences, like grooming and harassment.

On the national level, how ‘children’ and ‘protection’ are defined further complicates this issue. Most states agree children are ‘18 and under’, but many EU countries recommend flexibility on ages of consent in accordance with national laws, which compounds existing vulnerabilities if ‘consent’ is already ill-defined.

Marriage laws and cultural expectations around maturity differ between countries (and between boys and girls within countries), which could lead to serious harmonization risks for the future convention.

There is further divergence between states on how to criminalize the access and viewing of child sexual abuse material; while states agree clear ‘intent’ is required, a handful of states argue against criminalizing ‘artistic expressions’ (referring to comics or cartoons), based on their national approaches to freedom of expression.

Strong support among states to include a reference to victim rights and protections is promising. States are willing to borrow language from the UN Convention against Transnational Organized Crime (Articles 24 and 25), which mandates appropriate measures to protect, relocate and compensate victims and witnesses.

States may face definitional issues (a ‘witness’ in cyberspace is more ambiguous than a ‘victim’) but UNTOC appears a productive starting point, demonstrating the merit of adapting language that enjoys international consensus in existing anti-crime frameworks.

Looking Ahead To New York & Beyond

Despite calls from the Secretariat to de-politicize the negotiations, the AHC process - and especially how to define and protect vulnerable groups - has been determined by political, social, and cultural priorities. The next negotiating session in New York may be no different.

States must find a common ground between norms and precedents on gender, protecting children, victims, and witnesses in cyberspace, ensuring that the future treaty (whether narrow or broad) contains adaptable provisions for addressing cyber-dependent and cyber-enabled crimes disproportionately affecting vulnerable groups.

Agreeing to narrow definitions and making explicit reference to vulnerable groups is vital, as is establishing baselines for best practices (with reasonable flexibility in interpretations and implementation). The AHC should welcome experts from diverse disciplinary backgrounds to share national and cultural approaches.

Designing specific, adaptable mechanisms to protect vulnerable groups will be invaluable for the convention’s longevity and efficiency – and contribute to a strong, appropriate cybercrime treaty for all.

Isabella Wilkinson is Research Associate, International Security Programme at Chatham House

Amrit Swali Research Associate, International Security Programme at Chatham House

You Might Also Read:

Online Safety Act Places US  Adults At Risk:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Staying Ahead Of Cyberthreats
How SMEs Can Achieve Cyber Resilience »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Sucuri

Sucuri

Sucuri have offered holistic website security solutions since 2008 including malware removal, malware monitoring and website protection services.

EuroISPA

EuroISPA

EuroISPA is a pan European association of European Internet Services Providers Associations and the world’s largest association of ISPs.

CYBER 1

CYBER 1

CYBER 1 provides cyber security solutions to customers wanting to be resilient against new and existing threats.

OSSEC

OSSEC

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS).

Redspin

Redspin

Redspin provide penetration testing, security assessments and consulting services.

Securitybulls

Securitybulls

Securitybulls is an information security firm offering an encyclopedic penetration testing & IT security assessment service for your organization.

Sigma IT

Sigma IT

SIGMA IT is one of the largest IT services organizations in EMEA region providing a full range of solutions and services including cybersecurity, data protection and business continuity.

Global Incubator Network Austria (GIN Austria)

Global Incubator Network Austria (GIN Austria)

GIN Austria is the connecting link between Austrian and international startups, investors, incubators and accelerators with a focus on selected hotspots in Asia.

neoEYED

neoEYED

neoEYED helps banks and fintech to detect and prevent frauds using a Behavioral AI that recognizes the users just by looking at “how” they interact with the applications.

Luxembourg House of Financial Technology (LHoFT)

Luxembourg House of Financial Technology (LHoFT)

Offering start-up incubation, co-working spaces including a soft-landing platform, the LHoFT connects and creates value for the entire Luxembourg FinTech ecosystem.

Astrix Security

Astrix Security

Astrix enables security teams to instantly see through the fog of connects and detect redundant, misconfigured and malicious third-party exposure to their critical systems.

Secfix

Secfix

Secfix helps companies get secure and compliant in weeks instead of months. We are on a mission to automate security and compliance for small and medium-sized businesses.

PeoplActive

PeoplActive

PeoplActive is an IT consulting and recruitment services organization with leading capabilities in digital, cloud and security.

Foresights

Foresights

Foresights is a Nordic company utilizing advanced intelligence tradecraft and extensive cyber security capabilities to deliver services and advisory tailored to our client’s critical requirements.

Arcfield

Arcfield

Arcfield protects the nation and its allies through innovations in systems engineering and integration, space and mission launch assurance, cybersecurity, and missile support.

Federal Office for the Protection of the Constitution (BfV)

Federal Office for the Protection of the Constitution (BfV)

The Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz - BfV) is the domestic intelligence services of the federal government of Germany.