The UN Cybercrime Convention Could Help & Harm Victims

In 2019, the UN General Assembly voted to establish an Ad Hoc Committee (AHC) to develop a convention on countering the use of Information and Communication Technologies (ICTs) for criminal purposes. The AHC has met twice since January 2022, convening UN member state delegations in Vienna and New York to negotiate the future cybercrime convention.

The mandating resolution expressed concern about the impact of crimes committed in the digital world on the well-being of individuals. Just as cybercrime is borderless, the impacts of cybercrime on the security of vulnerable groups are inexact.

Vulnerable and marginalized groups offline face newfound, rapidly evolving, and ill-defined threats online.

Determining who is vulnerable in cyberspace – and their levels of protection – is an intersectional exercise; however, as the second session of the AHC has shown, it is also a political and culturally-determined one.

Most states agreed that provisions for protecting vulnerable groups are important. However, continued disagreement on defining and protecting vulnerable groups has resulted in tension, particularly in discussions around gender considerations, combatting child sexual abuse materials (‘CSAM’) and victim and witness protection.

These tensions are the product of divergences in national cultural norms, political values, and existing anti-cybercrime frameworks.

The Vienna Spirit?

In early June, UN member states met in Vienna to share views on three chapters in the future convention (General Provisions, Provisions on Criminalization, and Law Enforcement and Procedural Measures), each of which has direct consequences for the protection of vulnerable groups in cyberspace.

From the get-go, many state and non-state representatives agreed the future treaty needs to include provisions for vulnerable groups and victims, although many states did not make the distinction between the two terms.

Many shared proposals to strengthen international cooperation to counter child sexual abuse material (‘CSAM’) and gender-based violence online; others recommended provisions for improving victim protection.

Why Protecting Vulnerable Groups Is At The Core Of Cybercrime Policymaking

An individual’s social and political identities can expose them to different harms and vulnerabilities. These vulnerabilities are often amplified in cyberspace.

Vulnerability and oppression online – and, conversely, empowerment and privilege – is determined by intersecting identities, including gender, race, sex, sexuality, disability, religion, caste and geography. This is why an intersectional and human-first approach is central to all stages of the anti-cybercrime lifecycle: from policymaking to implementation.

As elaborated in this paper on gender mainstreaming the convention, women and girls are more likely to be victims of the non-consensual sharing of intimate images online, although it is generally unhelpful to synonymize women with victims. Similarly, young men – especially immigrants living in cities – are more likely to experience other forms of cybercrime.

At the national, regional, and international level, there are already several instruments that address cybercrime risks faced by vulnerable groups, like the Council of Europe’s Budapest Convention. However, many instruments fall short of providing adequate protections for vulnerable groups, including the Budapest Convention, which has been criticized for not having stronger safeguards for human rights.

Recognizing shortcomings of current provisions, in July the Law Commission of England and Wales recommended reforms that would make it easier to prosecute sharing non-consensual images and deepfake pornography, crimes which disproportionately affect women.

How Is The AHC Addressing Vulnerable Groups In Cyberspace?

Reflecting interest from states, the AHC chair requested comments on how the future convention should consider gender perspectives. While most states demonstrated an understanding of some gender issues in cybercrime, there was disagreement about whether gender-specific provisions were necessary. Some states - like Armenia -  note that while gender perspectives are a priority, the convention does not need gender-specific provisions.

Recognizing gaps in knowledge about the gendered dimension of cybercrime, Australian and Canadian delegates recommend provisions including appointing a gender adviser and encouraging states to broaden their understanding about gender and cybercrime. Others (notably, the Philippines) push for broadening gender provisions beyond ‘women-specific’ measures, advocating against synonymizing gender with ‘women’, as many states have done so far.

‘Considering gender perspectives’ carries different meanings for different countries. Diverging approaches were demonstrated by discussions on sexual extortion and non-consensual sharing of intimate images. While most agree ‘sextortion’ is a serious issue, delegations disagreed on whether to include or exclude these acts, and why to do so: Jamaica – on behalf of CARICOM – is an advocate for inclusion, whereas EU states cite concerns about the freedom of expression if interpretations about what constitutes these behaviours (and ‘consent’) differs nationally.

Discussions on protecting children in cyberspace and combatting CSAM face similar issues. Despite consensus that children must be protected online, states disagree on what language to use to describe the offence. Terms range from CSAM (a term favoured by Australia, New Zealand, and others) to ‘child pornography’ (the term used in Russia’s proposed text).

Despite consensus that children must be protected online, states disagree on what language to use to describe the offence.

Terminology matters: ‘pornography’ might assume consent, but children – by definition – cannot consent. A ‘child pornography’ provision could have damaging consequences by establishing a higher threshold for criminalization and not covering other exploitative offences, like grooming and harassment.

On the national level, how ‘children’ and ‘protection’ are defined further complicates this issue. Most states agree children are ‘18 and under’, but many EU countries recommend flexibility on ages of consent in accordance with national laws, which compounds existing vulnerabilities if ‘consent’ is already ill-defined.

Marriage laws and cultural expectations around maturity differ between countries (and between boys and girls within countries), which could lead to serious harmonization risks for the future convention.

There is further divergence between states on how to criminalize the access and viewing of child sexual abuse material; while states agree clear ‘intent’ is required, a handful of states argue against criminalizing ‘artistic expressions’ (referring to comics or cartoons), based on their national approaches to freedom of expression.

Strong support among states to include a reference to victim rights and protections is promising. States are willing to borrow language from the UN Convention against Transnational Organized Crime (Articles 24 and 25), which mandates appropriate measures to protect, relocate and compensate victims and witnesses.

States may face definitional issues (a ‘witness’ in cyberspace is more ambiguous than a ‘victim’) but UNTOC appears a productive starting point, demonstrating the merit of adapting language that enjoys international consensus in existing anti-crime frameworks.

Looking Ahead To New York & Beyond

Despite calls from the Secretariat to de-politicize the negotiations, the AHC process - and especially how to define and protect vulnerable groups - has been determined by political, social, and cultural priorities. The next negotiating session in New York may be no different.

States must find a common ground between norms and precedents on gender, protecting children, victims, and witnesses in cyberspace, ensuring that the future treaty (whether narrow or broad) contains adaptable provisions for addressing cyber-dependent and cyber-enabled crimes disproportionately affecting vulnerable groups.

Agreeing to narrow definitions and making explicit reference to vulnerable groups is vital, as is establishing baselines for best practices (with reasonable flexibility in interpretations and implementation). The AHC should welcome experts from diverse disciplinary backgrounds to share national and cultural approaches.

Designing specific, adaptable mechanisms to protect vulnerable groups will be invaluable for the convention’s longevity and efficiency – and contribute to a strong, appropriate cybercrime treaty for all.

Isabella Wilkinson is Research Associate, International Security Programme at Chatham House

Amrit Swali Research Associate, International Security Programme at Chatham House

You Might Also Read:

Online Safety Act Places US  Adults At Risk:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Staying Ahead Of Cyberthreats
How SMEs Can Achieve Cyber Resilience »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

C3IA Solutions

C3IA Solutions

C3IA Solutions is an NCSC-certified Cyber Consultancy providing assured, tailored advice to keep your information secure and data protected.

Netskope

Netskope

Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

DataVisor

DataVisor

DataVisor is a big data fraud detection and anti-money laundering solution.

Secusmart

Secusmart

Secusmart provide highly secure and encrypted speech and data communication solutions.

OnSystem Logic

OnSystem Logic

OnSystem Logic has developed a unique, patent-pending solution to solve the problem of the exploitation of flaws in application software as a technique for cyber attacks.

Syhunt Security

Syhunt Security

Syhunt is a leading player in the web application security field, delivering its assessment tools to a range of organizations across the globe.

Dutch Accreditation Council (RvA)

Dutch Accreditation Council (RvA)

RvA is the national accreditation body for the Netherlands. The directory of members provides details of organisations offering certification services for ISO 27001.

Gula Tech Adventures

Gula Tech Adventures

Gula Tech Adventures invests in companies and nonprofits that help close the gap in needed technology and workforce to defend the country in cyberspace.

IQ4 - Cybersecurity Workforce Alliance (CWA)

IQ4 - Cybersecurity Workforce Alliance (CWA)

Cybersecurity Workforce Alliance, a division of iQ4, is an organization comprised of a diverse range of professionals dedicated to the development of the cybersecurity workforce.

FastNetMon

FastNetMon

FastNetMon is a very high performance DDoS detection and mitigation tool which could detect malicious traffic in your network and immediately block it.

OptimEyes.ai

OptimEyes.ai

OptimEyes.ai is a unique AI-powered, on-demand SaaS solution for cyber-security, data privacy and compliance risk modeling.

Serbus

Serbus

Serbus Secure is a fully managed suite of secure communication, enterprise mobility and mobile device security tools.

RapidSpike

RapidSpike

RapidSpike is the only website monitoring solution that focuses all three key aspects of website health: performance, reliability AND security.

DynTek

DynTek

DynTek delivers exceptional, cost-effective professional IT consulting services, end-to-end IT solutions and managed IT services.

Cyber Advisors

Cyber Advisors

Cyber Advisors offers customizable cyber security solutions and IT services for businesses of all sizes across the nation from experts you can trust.

Xcede

Xcede

Xcede are global technology recruitment specialists. We connect companies with exceptional professionals who empower growth.