The UN Cybercrime Convention Could Help & Harm Victims

Uploaded on 2023-08-16 in NEWS-Cybersecurity News, FREE TO VIEW

In 2019, the UN General Assembly voted to establish an Ad Hoc Committee (AHC) to develop a convention on countering the use of Information and Communication Technologies (ICTs) for criminal purposes. The AHC has met twice since January 2022, convening UN member state delegations in Vienna and New York to negotiate the future cybercrime convention.

The mandating resolution expressed concern about the impact of crimes committed in the digital world on the well-being of individuals. Just as cybercrime is borderless, the impacts of cybercrime on the security of vulnerable groups are inexact.

Vulnerable and marginalized groups offline face newfound, rapidly evolving, and ill-defined threats online.

Determining who is vulnerable in cyberspace – and their levels of protection – is an intersectional exercise; however, as the second session of the AHC has shown, it is also a political and culturally-determined one.

Most states agreed that provisions for protecting vulnerable groups are important. However, continued disagreement on defining and protecting vulnerable groups has resulted in tension, particularly in discussions around gender considerations, combatting child sexual abuse materials (‘CSAM’) and victim and witness protection.

These tensions are the product of divergences in national cultural norms, political values, and existing anti-cybercrime frameworks.

The Vienna Spirit?

In early June, UN member states met in Vienna to share views on three chapters in the future convention (General Provisions, Provisions on Criminalization, and Law Enforcement and Procedural Measures), each of which has direct consequences for the protection of vulnerable groups in cyberspace.

From the get-go, many state and non-state representatives agreed the future treaty needs to include provisions for vulnerable groups and victims, although many states did not make the distinction between the two terms.

Many shared proposals to strengthen international cooperation to counter child sexual abuse material (‘CSAM’) and gender-based violence online; others recommended provisions for improving victim protection.

Why Protecting Vulnerable Groups Is At The Core Of Cybercrime Policymaking

An individual’s social and political identities can expose them to different harms and vulnerabilities. These vulnerabilities are often amplified in cyberspace.

Vulnerability and oppression online – and, conversely, empowerment and privilege – is determined by intersecting identities, including gender, race, sex, sexuality, disability, religion, caste and geography. This is why an intersectional and human-first approach is central to all stages of the anti-cybercrime lifecycle: from policymaking to implementation.

As elaborated in this paper on gender mainstreaming the convention, women and girls are more likely to be victims of the non-consensual sharing of intimate images online, although it is generally unhelpful to synonymize women with victims. Similarly, young men – especially immigrants living in cities – are more likely to experience other forms of cybercrime.

At the national, regional, and international level, there are already several instruments that address cybercrime risks faced by vulnerable groups, like the Council of Europe’s Budapest Convention. However, many instruments fall short of providing adequate protections for vulnerable groups, including the Budapest Convention, which has been criticized for not having stronger safeguards for human rights.

Recognizing shortcomings of current provisions, in July the Law Commission of England and Wales recommended reforms that would make it easier to prosecute sharing non-consensual images and deepfake pornography, crimes which disproportionately affect women.

How Is The AHC Addressing Vulnerable Groups In Cyberspace?

Reflecting interest from states, the AHC chair requested comments on how the future convention should consider gender perspectives. While most states demonstrated an understanding of some gender issues in cybercrime, there was disagreement about whether gender-specific provisions were necessary. Some states - like Armenia -  note that while gender perspectives are a priority, the convention does not need gender-specific provisions.

Recognizing gaps in knowledge about the gendered dimension of cybercrime, Australian and Canadian delegates recommend provisions including appointing a gender adviser and encouraging states to broaden their understanding about gender and cybercrime. Others (notably, the Philippines) push for broadening gender provisions beyond ‘women-specific’ measures, advocating against synonymizing gender with ‘women’, as many states have done so far.

‘Considering gender perspectives’ carries different meanings for different countries. Diverging approaches were demonstrated by discussions on sexual extortion and non-consensual sharing of intimate images. While most agree ‘sextortion’ is a serious issue, delegations disagreed on whether to include or exclude these acts, and why to do so: Jamaica – on behalf of CARICOM – is an advocate for inclusion, whereas EU states cite concerns about the freedom of expression if interpretations about what constitutes these behaviours (and ‘consent’) differs nationally.

Discussions on protecting children in cyberspace and combatting CSAM face similar issues. Despite consensus that children must be protected online, states disagree on what language to use to describe the offence. Terms range from CSAM (a term favoured by Australia, New Zealand, and others) to ‘child pornography’ (the term used in Russia’s proposed text).

Despite consensus that children must be protected online, states disagree on what language to use to describe the offence.

Terminology matters: ‘pornography’ might assume consent, but children – by definition – cannot consent. A ‘child pornography’ provision could have damaging consequences by establishing a higher threshold for criminalization and not covering other exploitative offences, like grooming and harassment.

On the national level, how ‘children’ and ‘protection’ are defined further complicates this issue. Most states agree children are ‘18 and under’, but many EU countries recommend flexibility on ages of consent in accordance with national laws, which compounds existing vulnerabilities if ‘consent’ is already ill-defined.

Marriage laws and cultural expectations around maturity differ between countries (and between boys and girls within countries), which could lead to serious harmonization risks for the future convention.

There is further divergence between states on how to criminalize the access and viewing of child sexual abuse material; while states agree clear ‘intent’ is required, a handful of states argue against criminalizing ‘artistic expressions’ (referring to comics or cartoons), based on their national approaches to freedom of expression.

Strong support among states to include a reference to victim rights and protections is promising. States are willing to borrow language from the UN Convention against Transnational Organized Crime (Articles 24 and 25), which mandates appropriate measures to protect, relocate and compensate victims and witnesses.

States may face definitional issues (a ‘witness’ in cyberspace is more ambiguous than a ‘victim’) but UNTOC appears a productive starting point, demonstrating the merit of adapting language that enjoys international consensus in existing anti-crime frameworks.

Looking Ahead To New York & Beyond

Despite calls from the Secretariat to de-politicize the negotiations, the AHC process - and especially how to define and protect vulnerable groups - has been determined by political, social, and cultural priorities. The next negotiating session in New York may be no different.

States must find a common ground between norms and precedents on gender, protecting children, victims, and witnesses in cyberspace, ensuring that the future treaty (whether narrow or broad) contains adaptable provisions for addressing cyber-dependent and cyber-enabled crimes disproportionately affecting vulnerable groups.

Agreeing to narrow definitions and making explicit reference to vulnerable groups is vital, as is establishing baselines for best practices (with reasonable flexibility in interpretations and implementation). The AHC should welcome experts from diverse disciplinary backgrounds to share national and cultural approaches.

Designing specific, adaptable mechanisms to protect vulnerable groups will be invaluable for the convention’s longevity and efficiency – and contribute to a strong, appropriate cybercrime treaty for all.

Isabella Wilkinson is Research Associate, International Security Programme at Chatham House

Amrit Swali Research Associate, International Security Programme at Chatham House

You Might Also Read:

Online Safety Act Places US  Adults At Risk:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Staying Ahead Of Cyberthreats
How SMEs Can Achieve Cyber Resilience »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Fortinet

Fortinet

Fortinet is a provider of network security systems. Our products provide protection against dynamic security threats while simplifying the IT security infrastructure.

Cyber Indemnity Solutions (CIS)

Cyber Indemnity Solutions (CIS)

CIS is an InsurTech company focused on licensing innovative cyber risk insurance solutions to the global insurance industry.

Cyberwatch

Cyberwatch

Cyberwatch is a Vulnerability Scanner & Fixer software that helps you to detect and fix the vulnerabilities of your Information System.

National Information Security & Safety Authority (NISSA) - Libya

National Information Security & Safety Authority (NISSA) - Libya

NISSA is responsible for safeguarding the integrity, availability and resilienceof ICT infrastructure, resources, services and data in Libya.

Norwegian Business & Industry Security Council (NSR)

Norwegian Business & Industry Security Council (NSR)

NSR is a member organization serving the Norwegian business sector in an advisory capacity on matters relating to crime and security including cyber.

Baffle

Baffle

Baffle is pioneering a solution that makes data breaches irrelevant by keeping data encrypted from production through processing.

United Security Providers

United Security Providers

United Security Providers is a leading specialist in information security, protecting IT infrastructures and applications for companies with high demands on security.

Arsenal Recon

Arsenal Recon

Arsenal Recon are digital forensics experts, providing consultancy services and powerful software tools to improve the analysis of electronic evidence.

Steganos

Steganos

Steganos offers highly secure and easy to use software tools that protect and secure on and offline data.

Eskive

Eskive

Eskive is a Brazilian cyber security awareness and education platform that empowers users and strengthens their company in the face of cyber threats.

ITRenew

ITRenew

ITRenew is a leading global IT lifecycle management solutions company, specializing in onsite data center decommissioning and data erasure services.

Critical Start

Critical Start

Critical Start provides Managed Detection and Response services, endpoint security, threat intelligence, penetration testing, risk assessments, and incident response.

xMatters

xMatters

xMatters is a digital service availability platform that helps enterprises prevent, manage, and resolve IT incidents before they can become business problems.

RegScale

RegScale

RegScale helps organizations comply in real-time with multiple compliance requirements (NIST, CMMC, ISO, SOX, etc), scalable to meet the needs of the entire enterprise.

Lansweeper

Lansweeper

Lansweeper is an IT Asset Management platform provider helping businesses better understand, manage and protect their IT devices and network.

Sentar

Sentar

Sentar is a cyber intelligence company, applying advanced analytics and systems engineering expertise to protect our national security by securing mission-critical assets.