UN Cybercrime Convention To Overrule Bank Secrecy

On Friday, the UN finalized the draft version of the UN Cybercrime Convention. The treaty, first proposed by Russia and China in 2017, aims to strengthen "international cooperation for combating certain crimes committed by means of information and communications technology systems and for the sharing of evidence in electronic form of serious crimes".

The UN Cybercrime Convention drastically expands government surveillance powers and enables widespread personal data sharing between UN member states. It mandates member states to formalize money laundering offenses and cybercrimes to an extent that would criminalize hacking, whistleblowing, and security research.

While establishing a basis for "mutual legal assistance", assistance may be denied "if the authorities of the requested State Party would be prohibited by its domestic law from carrying out the action requested with regard to any similar offence, had it been subject to investigation, prosecution or judicial proceedings under their own jurisdiction".

But: a State Party "shall not decline to act" under the provisions of the freezing, seizure and confiscation of the proceeds of crime "on the ground of bank secrecy". The Convention is expected to be adopted by the end of the year.

Confiscations, Financial Surveillance, and the Overruling of Bank Secrecy

Under article 31 governing the "freezing, seizure and confiscation of the proceeds of crime", the treaty mandates member states to provide "government, bank, financial, corporate or business records", the identification and tracing of "proceeds of crime, property, instrumentalities or other things for evidentiary purposes", and to recover "proceeds of crime" on behalf of requesting state parties.

Article 31 further states that "each State Party may consider the possibility of requiring that an offender demonstrate the lawful origin of alleged proceeds of crime or other property liable to confiscation".

Under article 50 governing "international cooperation for the purpose of confiscation", member states shall additionally "take measures to identify, trace and freeze or seize proceeds of crime, property, equipment or other instrumentalities" under the application of Article 40, requiring member states to take "evidence or statements from persons", execute "searches and seizures, and freezing" or "similarly accessing, seizing or similarly securing, and disclosing electronic data stored by means of an information and communications technology system", collect "traffic data in real time", and intercept "content data" under mutual legal assistance.

While the convention states that "nothing [...] shall affect the principle that the measures to which it refers shall be defined and implemented in accordance with the provisions of the domestic law of a State Party", it states that "a State Party shall not decline to act [...] on the ground of bank secrecy" pursuant to seizures, freezes, and confiscations or international cooperation for the purpose of confiscation of proceeds of crime, property, equipment or other instrumentalities.

The convention additionally formalizes money laundering offenses under article 17 governing the "laundering of proceeds of crime", stating that state parties "shall adopt, in accordance with fundamental principles of its domestic law, such legislative and other measures as may be necessary to establish as criminal offences, when committed intentionally:"

(a)(i) "The conversion or transfer of property, knowing that such property is the
proceeds of crime, for the purpose of concealing or disguising the illicit origin
of the property or of helping any person who is involved in the commission of
the predicate offence to evade the legal consequences of that person’s actions;"

(ii) "The concealment or disguise of the true nature, source, location,
disposition, movement or ownership of or rights with respect to property,
knowing that such property is the proceeds of crime;"

As "subject to the basic concepts of its legal system", state parties shall adopt legislative and other measures as may be necessary to establish as criminal offences, when committed intentionally, "the acquisition, possession or use of property, knowing, at the time of receipt, that such property is the proceeds of crime", and "participation in, association with or conspiracy to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the offences established in accordance with this article".

Criminalizing Hacking, Whistleblowing and Security Research

To "promote and strengthen measures to prevent and combat cybercrime more
efficiently and effectively; promote, facilitate and strengthen international cooperation in preventing and combating cybercrime; and promote, facilitate and support technical assistance and capacity -building to prevent and combat cybercrime, in particular for the benefit of developing countries" as defined in Article 1 of the Convention, Article 17 further mandates member states to "establish as predicate offences relevant offences established in accordance with Articles 7 to 16 of this Convention", which include:

Article 7: Illegal access: "Each State Party shall adopt such legislative and other measures as may be necessary to establish as a criminal offence under its domestic law, when committed intentionally, the access to the whole or any part of an information and communications technology system without right."

Article 8: Illegal interception: "Each State Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the interception, made by technical means, of non-public transmissions of electronic data to, from or within an information and communications technology system, including electromagnetic emissions from an information and communications technology system carrying such electronic data".

Article 9: Interference with Electronic Data: "Each State Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the damaging, deletion, deterioration, alteration or suppression of electronic data."

Article 10: Interference with an information and communications technology system: "Each State Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the serious hindering of the functioning of an information and communications technology system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing electronic data".

Article 11: Misuse of devices: "Each State Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right: The obtaining, production, sale, procurement for use, import, distribution or otherwise making available of: A device, including a program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with articles 7 to 10 of this Convention; or a password, access credentials, electronic signature or similar data by which the whole or any part of an information and communications technology system is capable of being accessed; with the intent that the device, including a program, or the password, access credentials, electronic signature or similar data be used for the purpose of committing any of the offences established in accordance with articles 7 to 10" and "the possession of an item referred to in paragraph 1 [...] of this article, with intent that it be used for the purpose of committing any of the offences established in accordance with articles 7 to 10 of this Convention".

Real-Time Data Collection And Personal Data Sharing

As the Electronic Frontier Foundation explains, the treaty applies an overly broad definition of electronic data, including "documents saved on personal computers or notes stored on digital devices. In essence, this means that private unshared thoughts and information are no longer safe. Authorities can compel the preservation, production, or seizure of any electronic data, potentially turning personal devices into spy vectors regardless of whether the information has been communicated".

The treaty, when adopted, will mandate member states to significantly increase digital surveillance capabilities, stating that "each State Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access: a) An information and communications technology system, part of it, and electronic data stored therein; and b) An electronic data storage medium in which the electronic data sought may be stored; in the territory of that State Party."

The treaty requires member states to adopt "legislative and other measures" to "seize or similarly secure an information and communications technology system or part of it, or an electronic data storage medium; Make and retain copies of those electronic data in electronic form; Maintain the integrity of the relevant stored electronic data; Render inaccessible or remove those electronic data in the accessed information and communications technology system," and "empower its competent authorities to order any person who has knowledge about the functioning of the information and communications technology system in question, the information and telecommunications network, or their component parts, or measures applied to protect the electronic data therein, to provide, as is reasonable, the necessary information to enable the undertaking of the measures".

The treaty mandates the "real-time collection of traffic data" and "content data", requiring member states to adopt "legislative or other measures" to "collect or record [real-time traffic- and content data] through the application of technical means in the territory of that State Party" and "compel a service provider, within its existing technical capability; To cooperate and assist the competent authorities in the collection or recording" of "traffic data" and "content data, in real time, associated with specified communications in its territory transmitted by means of an information and communications technology system".

"Mutual legal assistance" between member states shall be "afforded to the fullest extent possible under relevant laws, treaties, agreements and arrangements of the requested State Party with respect to investigations, prosecutions and judicial proceedings".

The treaty further mandates cooperation between member states concerning "the identity, whereabouts and activities of persons suspected of involvement in [...] offences or the location of other persons concerned; The movement of proceeds of crime or property derived from the commission of [...] offences", and "the movement of property, equipment or other instrumentalities used or intended for use in the commission of [...] offences".

The Convention has been widely criticized by digital rights organizations. As the Chaos Computer Club writes: "The planned Cybercrime Convention is a surveillance treaty that tramples human rights and internationally endangers IT-security professionals and journalists." Over 100 NGOs have warned of the Convention's ramifications.

The Convention's mandates on the handling of financial information are particularly concerning in light of recent reports detailing the "weaponization" of existing anti-money laundering and counter-terrorist financing frameworks to crack down on targets which threaten government interests, "most often civil society actors such as watchdog organisations, journalists, opposition figures and other critics who threaten regime interests or stability."

Independent journalism does not finance itself. If you enjoyed this article, please consider contributing to our Geyser Fund.