Privacy International, Electronic Frontier Foundation and Human Rights Watch are pleased to have the opportunity to participate in the second session of the Ad Hoc Committee.

Preliminary remarks on criminalization

We have observed that while cybercrime often threatens the rights of individuals, efforts to combat cybercrime have also given rise to risks of human rights abuses due to vague and overly broad definitions of offenses penalties, disproportionate sanctions and abusive applications of criminal law taken in the name of the fight against cybercrime. As noted by the Office of the High Commissioner for Human Rights in its submission to the first session, we also noted “the common use at the national level of cybercrime laws and policies to restrict freedom of expression, targeting dissenting voices, justifying internet shutdowns, interfering with privacy and anonymity of communications, and limiting the rights to freedom of association and peaceful assembly (available here).

Discussions at previous UN debates on cybercrime have shown that there is not yet a shared global consensus on how to define cybercrime. From a human rights perspective, we respectfully suggest that States emphasize the narrowness, specificity and clarity of the scope of criminal behavior covered by the definition of cybercrime.

In particular, we would like to reiterate the need to focus on crimes that target information and communication technologies (ICTs). Core cybercrimes include offenses in which ICTs are the direct objects as well as the instruments of the crimes; these crimes could not exist at all without ICT systems. A useful reference for the types of crimes that are inherently ICT-related crimes can be found in Articles 2 to 6 of the Budapest Convention.

Crimes, where ICT is only a tool sometimes used in the commission of an offence, should not be included in the future treaty. These would include offenses already prohibited by applicable national law, and involving or merely incidentally benefiting from ICT systems without targeting or harming those systems. For example, the extortion of an individual where the request is delivered via email. The act of extortion is already a crime, and email may have been just the vehicle for transmitting the threat.

Even a narrowly tailored treaty that criminalizes core cybercrimes can be misused or abused to violate rights. Ultimately, whatever crimes are included in the treaty, they must be narrowly defined and with clear safeguards against abuse.

In addition, the proposed convention is expected to reinforce States’ obligations under international human rights law to protect individuals from harm resulting from criminal activity conducted on the Internet while respecting other international human rights standards. rights, in particular in the areas of freedom of expression, the right to privacy, due process standards and general principles of criminal law, for example equality of resources and proportionality of punishment.

Privacy International is a registered charity (1147471) and a company limited by guarantee registered in England and Wales (04354366).
Registered office: 62 Britton Street, London EC1M 5UY, United Kingdom

The Electronic Frontier Foundation is a nonprofit organization that advocates for human rights in the digital world. Founded in 1990, EFF advocates for human rights through impact litigation, political analysis, grassroots activism and technology development. EFF’s mission is to ensure that technology supports human rights, justice and innovation for all people around the world.

Human Rights Watch is an independent non-governmental organization founded in 1978 that monitors and reports on human rights in over 100 countries around the world.