Authoritarian overreach: the misuse of INTERPOL and UN cybercrime policies

In recent years, there have been concerns about the use by authoritarian regimes of INTERPOL notices as a tool to target dissidents, journalists, refugees and opponents abroad for political gain or revenge. The use of INTERPOL notices as a form of transnational repression has been reported upon by the US Congress, European Parliament, journalists, academics and human rights campaigners such as Bill Browder, who has written about his arrest by Spanish police pursuant to an INTERPOL diffusion notice issued at the request of the Russian government.

While concerns about the abuse of INTERPOL channels are finally receiving the attention they deserve (even if a solution seems a distant prospect), there are growing fears that a new UN cybercrime treaty could provide authoritarian states with another tool with which to extend their reach overseas to silence or target their opponents. However, despite the potentially enormous consequences of the new treaty, it has received little attention in the British press.

There is a very real and worrying danger that provisions in the proposed UN Cybercrime Convention, the aim of which is to provide a global legal framework for international cooperation on preventing and investigating cybercrime and the prosecution of cybercriminals, could in fact be abused in a similar fashion to INTERPOL; used to repress human rights and online freedom of speech. Without a clearly defined scope and sufficient safeguards in place, the treaty could legitimise intrusive investigations and grant unhindered law enforcement access to personal information, providing states with a means to surveil and target individuals and undermine their privacy. The initial sponsors of the convention – Russia, China, and Cambodia – have already introduced repressive domestic cybercrime laws.

In light of these fears, the UN Cybercrime Convention is currently in the midst of contentious negotiations. The UN General Assembly adopted a resolution in December 2019, originally proposed by Russia, establishing an Ad Hoc Committee to elaborate a “comprehensive international convention on countering the use of information and communications technologies for criminal purposes”. Negotiations began in May 2021. In September, the committee concluded its sixth session in New York, with the aim of finalising its negotiations at the next session in February 2024. However, as states head to the concluding session, there is a notable lack of consensus on fundamental issues such as the treaty’s scope and what constitutes a cybercrime. It is anticipated that, given the lack of consensus about such important aspects of the treaty, it will be required to be put to a two-thirds majority vote before the General Assembly before it can come into force.

Some states, including the US, UK, Brazil, Canada, Switzerland and Norway, are in favour of a narrow and focused definition of what amounts to a cybercrime, covering “core cybercrimes,” such as illegally gaining access to, intercepting, or interfering with computer data and systems. However, many other states want the treaty to go further and cover “cyber-enabled crimes” i.e. where the use of information and communication technologies (ICTs) play a significant role in crimes by facilitating the reach of the crime or speeding it up. This would significantly expand the proposed treaty's surveillance scope by covering practically any offence involving a computer, both domestically and abroad.

Of most concern, and causing particular alarm amongst NGOs and organisations such as the Committee for the Protection of Journalists (CPJ), are the proposals to include content-based crime. This would expand the scope of the treaty to cover so-called “morality-based crimes”, which can put journalists and others, including members of LGBTQ+ communities, at risk even if they do not explicitly criminalise speech. Laws against disinformation and hate speech are already being used in domestic proceedings to criminalise journalists, human rights defenders and members of the LGBTQ+ communities. One high-profile example among many is the conviction of the Nobel Prize winner Maria Ressa for criminal libel under the Philippines Cybercrime Prevention Act 2012. Another example is Pakistan’s Prevention of Electronic Crimes Act, which authorises the blocking of websites deemed critical of officials and requires service providers to retain or provide authorities with access to large amounts of people’s data. The inclusion of disinformation and hate speech provisions in an international treaty (disinformation provisions having been proposed by China, Indonesia, and India and hate speech provisions by Pakistan, Kuwait, China and Jordan respectively), would extend this reach and surveillance abroad.

In the last draft of the convention, Article 35 permits each country to define its own crimes under domestic laws when requesting assistance from other nations in cross-border policing and evidence collection. In certain countries, such laws may be based on subjective moral judgments that are not criminal and considered a matter of free expression elsewhere.

For example, across the Middle East and North Africa, cybercrime laws have been used in Egypt, Jordan and Saudi Arabia to prosecute LGBTQ+ people, and in Tunisia and the United Arab Emirates to prosecute human rights defenders. In March 2022 a court in Egypt charged singers Omar Kamal and Hamo Beeka with “violating family values” for dancing and singing in a video uploaded to YouTube. While the draft convention allows countries to refuse a request for assistance if the activity in question is not a crime in its domestic regime (the principle of "dual criminality"), given the current strain on the MLAT system, there is a fear that requests, even from countries with contentious laws, could slip through the checks and result in increased cross-border monitoring and repercussions for individuals (as has been seen in the rampant abuse of the INTERPOL notice system).

These fears are not only being expressed by NGOs. Concerns have also been raised by organisations including Microsoft, the International Chamber of Commerce and the Cybersecurity Tech Accord, as well as some states such as Canada. In a statement to the Ad Hoc Committee in September 2023, the Canadian delegation said that the relentless push to expand the scope of the treaty had turned it into a general criminal Mutual Legal Assistance treaty, leaving it completely in the hands of any state to decide what conduct constitutes a “crime” or “a serious crime” and opening up a menu of measures to crack down on these self-defined crimes:

“This represents the potential, and indeed inevitability, for Orwellian reach and control by those states who will choose to abuse this instrument… Criticizing a leader, innocently dancing on social media, being born a certain way, or simply saying a single word, all far exceed the definition of serious crime in some States. These acts will all come under the scope of this UN treaty in the current draft.”

Unfortunately, organisations monitoring the negotiations, such as the Electronic Frontier Foundation (EFF), have reported that some of the most concerning criminal offences and surveillance measures that had not made it into the zero-draft introduced at the start of the latest session in New York have been reintroduced into the text. A new draft text is expected at the end of November 2023.

While the draft Convention may incorporate some procedural safeguards, for example dual criminality, its far-reaching scope raises profound questions about its compatibility with international human rights law. In 2019, the UN General Assembly warned that it was “gravely concerned that national security, counter-terrorism and cybercrime legislation and other measures, such as laws regulating civil society organizations, are in some instances misused to target human rights defenders or have hindered their work and endangered their safety in a manner contrary to international law.” It would be both appalling and ironic if an international UN cybercrime treaty were to enable and perpetuate such abuses even further.