The UN Cybercrime Convention Could Help & Harm Victims

Uploaded on 2023-08-16 in NEWS-Cybersecurity News, FREE TO VIEW

In 2019, the UN General Assembly voted to establish an Ad Hoc Committee (AHC) to develop a convention on countering the use of Information and Communication Technologies (ICTs) for criminal purposes. The AHC has met twice since January 2022, convening UN member state delegations in Vienna and New York to negotiate the future cybercrime convention.

The mandating resolution expressed concern about the impact of crimes committed in the digital world on the well-being of individuals. Just as cybercrime is borderless, the impacts of cybercrime on the security of vulnerable groups are inexact.

Vulnerable and marginalized groups offline face newfound, rapidly evolving, and ill-defined threats online.

Determining who is vulnerable in cyberspace – and their levels of protection – is an intersectional exercise; however, as the second session of the AHC has shown, it is also a political and culturally-determined one.

Most states agreed that provisions for protecting vulnerable groups are important. However, continued disagreement on defining and protecting vulnerable groups has resulted in tension, particularly in discussions around gender considerations, combatting child sexual abuse materials (‘CSAM’) and victim and witness protection.

These tensions are the product of divergences in national cultural norms, political values, and existing anti-cybercrime frameworks.

The Vienna Spirit?

In early June, UN member states met in Vienna to share views on three chapters in the future convention (General Provisions, Provisions on Criminalization, and Law Enforcement and Procedural Measures), each of which has direct consequences for the protection of vulnerable groups in cyberspace.

From the get-go, many state and non-state representatives agreed the future treaty needs to include provisions for vulnerable groups and victims, although many states did not make the distinction between the two terms.

Many shared proposals to strengthen international cooperation to counter child sexual abuse material (‘CSAM’) and gender-based violence online; others recommended provisions for improving victim protection.

Why Protecting Vulnerable Groups Is At The Core Of Cybercrime Policymaking

An individual’s social and political identities can expose them to different harms and vulnerabilities. These vulnerabilities are often amplified in cyberspace.

Vulnerability and oppression online – and, conversely, empowerment and privilege – is determined by intersecting identities, including gender, race, sex, sexuality, disability, religion, caste and geography. This is why an intersectional and human-first approach is central to all stages of the anti-cybercrime lifecycle: from policymaking to implementation.

As elaborated in this paper on gender mainstreaming the convention, women and girls are more likely to be victims of the non-consensual sharing of intimate images online, although it is generally unhelpful to synonymize women with victims. Similarly, young men – especially immigrants living in cities – are more likely to experience other forms of cybercrime.

At the national, regional, and international level, there are already several instruments that address cybercrime risks faced by vulnerable groups, like the Council of Europe’s Budapest Convention. However, many instruments fall short of providing adequate protections for vulnerable groups, including the Budapest Convention, which has been criticized for not having stronger safeguards for human rights.

Recognizing shortcomings of current provisions, in July the Law Commission of England and Wales recommended reforms that would make it easier to prosecute sharing non-consensual images and deepfake pornography, crimes which disproportionately affect women.

How Is The AHC Addressing Vulnerable Groups In Cyberspace?

Reflecting interest from states, the AHC chair requested comments on how the future convention should consider gender perspectives. While most states demonstrated an understanding of some gender issues in cybercrime, there was disagreement about whether gender-specific provisions were necessary. Some states - like Armenia -  note that while gender perspectives are a priority, the convention does not need gender-specific provisions.

Recognizing gaps in knowledge about the gendered dimension of cybercrime, Australian and Canadian delegates recommend provisions including appointing a gender adviser and encouraging states to broaden their understanding about gender and cybercrime. Others (notably, the Philippines) push for broadening gender provisions beyond ‘women-specific’ measures, advocating against synonymizing gender with ‘women’, as many states have done so far.

‘Considering gender perspectives’ carries different meanings for different countries. Diverging approaches were demonstrated by discussions on sexual extortion and non-consensual sharing of intimate images. While most agree ‘sextortion’ is a serious issue, delegations disagreed on whether to include or exclude these acts, and why to do so: Jamaica – on behalf of CARICOM – is an advocate for inclusion, whereas EU states cite concerns about the freedom of expression if interpretations about what constitutes these behaviours (and ‘consent’) differs nationally.

Discussions on protecting children in cyberspace and combatting CSAM face similar issues. Despite consensus that children must be protected online, states disagree on what language to use to describe the offence. Terms range from CSAM (a term favoured by Australia, New Zealand, and others) to ‘child pornography’ (the term used in Russia’s proposed text).

Despite consensus that children must be protected online, states disagree on what language to use to describe the offence.

Terminology matters: ‘pornography’ might assume consent, but children – by definition – cannot consent. A ‘child pornography’ provision could have damaging consequences by establishing a higher threshold for criminalization and not covering other exploitative offences, like grooming and harassment.

On the national level, how ‘children’ and ‘protection’ are defined further complicates this issue. Most states agree children are ‘18 and under’, but many EU countries recommend flexibility on ages of consent in accordance with national laws, which compounds existing vulnerabilities if ‘consent’ is already ill-defined.

Marriage laws and cultural expectations around maturity differ between countries (and between boys and girls within countries), which could lead to serious harmonization risks for the future convention.

There is further divergence between states on how to criminalize the access and viewing of child sexual abuse material; while states agree clear ‘intent’ is required, a handful of states argue against criminalizing ‘artistic expressions’ (referring to comics or cartoons), based on their national approaches to freedom of expression.

Strong support among states to include a reference to victim rights and protections is promising. States are willing to borrow language from the UN Convention against Transnational Organized Crime (Articles 24 and 25), which mandates appropriate measures to protect, relocate and compensate victims and witnesses.

States may face definitional issues (a ‘witness’ in cyberspace is more ambiguous than a ‘victim’) but UNTOC appears a productive starting point, demonstrating the merit of adapting language that enjoys international consensus in existing anti-crime frameworks.

Looking Ahead To New York & Beyond

Despite calls from the Secretariat to de-politicize the negotiations, the AHC process - and especially how to define and protect vulnerable groups - has been determined by political, social, and cultural priorities. The next negotiating session in New York may be no different.

States must find a common ground between norms and precedents on gender, protecting children, victims, and witnesses in cyberspace, ensuring that the future treaty (whether narrow or broad) contains adaptable provisions for addressing cyber-dependent and cyber-enabled crimes disproportionately affecting vulnerable groups.

Agreeing to narrow definitions and making explicit reference to vulnerable groups is vital, as is establishing baselines for best practices (with reasonable flexibility in interpretations and implementation). The AHC should welcome experts from diverse disciplinary backgrounds to share national and cultural approaches.

Designing specific, adaptable mechanisms to protect vulnerable groups will be invaluable for the convention’s longevity and efficiency – and contribute to a strong, appropriate cybercrime treaty for all.

Isabella Wilkinson is Research Associate, International Security Programme at Chatham House

Amrit Swali Research Associate, International Security Programme at Chatham House

You Might Also Read:

Online Safety Act Places US  Adults At Risk:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Staying Ahead Of Cyberthreats
How SMEs Can Achieve Cyber Resilience »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CDNetworks

CDNetworks

CDNetworks is a global content delivery network with a fully integrated cloud security solution, offering unparalleled speed, security and reliability for the almost instant delivery of web content.

S21sec

S21sec

S21sec is a leading European pure play cybersecurity consultancy, services and solutions provider.

VerifyMe

VerifyMe

VerifyMe is a global technology solutions company delivering brand protection offerings to mitigate counterfeiting, product diversion, and illicit trade.

CSL Group

CSL Group

CSL solutions provide complete end-to-end connectivity services for Security, Fire, Telecare and other mission critical M2M/IoT applications.

Uniwan

Uniwan

Uniwan is an IT services company specializing in networking and security.

Telelogos

Telelogos

Telelogos is a European provider of Enterprise Mobility Management software, Digital Signage software and Data Transfer and Synchronization software.

Utility Cyber Security Forum

Utility Cyber Security Forum

The Utility Cyber Security Forum offers a focused venue in which utility executives can network one-on-one with colleagues facing issues in protecting against cyber attacks.

ValidSoft

ValidSoft

ValidSoft is a security software company, providing telecommunications-based multi-factor authentication, identity and transaction verification technology.

Cohesity

Cohesity

Cohesity radically simplifies the way businesses back up, manage, protect, and extract value from their data—in the data center, at the edge, and in the cloud.

Aversafe

Aversafe

Aversafe provides individuals, employers and certificate issuers around the world with a first line of defense against credential fraud.

Traced

Traced

At Traced, our aim is to redefine mobile cyber security to provide the best possible protection to everyone against breaches of privacy and security.

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER) conducts full spectrum military cyberspace operations in order to enable freedom of action in cyberspace and deny the same to the adversary.

Magna5

Magna5

Magna5 is a managed IT service provider focusing in network and server monitoring, backup and disaster recovery, cybersecurity, help desk and SD-WAN.

Acora

Acora

Acora provide a range of best-in-class managed services, Microsoft-centric business software, and cloud solutions designed to help mid-market organisations succeed in the digital economy.

Protos Labs

Protos Labs

Protos Labs enables insurers & enterprises to make better cyber risk decisions through holistic, real-time risk management tools.

SecureLake

SecureLake

SecureLake (formerly Managni) is one of the most trusted US-based IT security and infrastructure companies.