Civil rights activists: EU must not agree to planned UN cybercrime convention

A few days before the final round of negotiations on a UN treaty against cybercrime, 22 civil society organizations are sounding the alarm at the EU.


This article was originally published in German and has been automatically translated.

Citing the threat of new attacks on encryption and privacy worldwide, 22 civil society organizations are calling on delegates from the EU member states and the European Commission to rectify shortcomings in the repeatedly revised draft of a United Nations agreement to combat cybercrime. Organizations such as the Electronic Frontier Foundation (EFF), Access Now, Digitalcourage, Epicenter.works, European Digital Rights (EDRi) and Privacy International are particularly critical of an "overly broad scope of application that grants drastic surveillance powers without robust human rights and data protection safeguards". Only a short window of time remains to narrow the planned treaty and formulate clear principles for the protection of privacy.

A UN committee is due to meet for the last time in New York at the end of July to finalize the Cybercrime Convention, which was initiated by Russia and China. Without further extensive corrections, the current draft gives "abusive practices by governments", such as spying on citizens and online censorship, "the appearance of international legitimacy", write the signatories of the open letter to the EU authorities. If no substantial improvements can be achieved, they say, the initiative should be rejected. The reason is that the scope of application currently also includes cyber-enabled and other content-related offenses. In this context, Germany's hacking paragraphs repeatedly lead to bizarre decisions, for example when judges consider the use of plain-text passwords to be a criminal offense.

"Article 18 of the draft lacks clarity regarding the liability of online platforms for criminal offenses committed by their users," the civil rights activists explain. This poses the risk that online platforms could be held liable for information generated by third parties, even without actual knowledge of the illegality of the content. The EU's Digital Services Act (DSA), for example, does require such actual knowledge. Operators would thus be encouraged to engage in "excessively comprehensive content moderation", "which is at the expense of freedom of expression". Even the Council of Europe's controversial Cybercrime Convention is not as broad. In other areas, the draft does not contain any specific human rights guarantees. At the very least, a reference to the established principles of lawfulness, necessity, proportionality, non-discrimination and legitimate purpose should be included.

According to the petition, large parts of Articles 28, 29 and 30 should be deleted "as they contain excessive surveillance measures that open the door to invasions of privacy without sufficient safeguards". At the same time, cybersecurity and technical protection mechanisms such as encryption would be undermined. The clauses on international legal assistance, which would allow international access to personal data in the cloud without effective fundamental rights safeguards, go much too far. The EFF has published a series on the proposed agreement, focusing on the threat of data retention and the criminalization of IT security researchers. Leading scientists from this field protested against the plan in February. The EU had in fact promised to uphold human rights in the negotiations.

(anw)