UN rejects Russian cyber-crime treaty

The United Nations has rejected a Russia-backed treaty on cyber crime, preserving a deadlock that has hampered UK and US efforts to harmonise international computer law for the past 10 years.

Developments such as cloud computing, computer fraud, child pornography and fears of cyber warfare have increased pressure on countries around the world to give police powers to secure electronic evidence and pursue cyber crooks who operate across borders.

There is world-wide agreement that countries must urgently update and harmonise their statutes. But still no consensus on how it should be done.

The 12th pentennial UN Crime Congress in Salvador, Brazil, considered proposals for a cyber treaty but by Monday, after 10 days of talks, had failed to reconcile EU and US positions with those of developing countries and Russia.

The proposal was grounded by disagreements over national sovereignty and human rights. Traditional ideas of sovereignty are challenged when countries fall victim to trans-national cyber criminals and need to pursue them quickly into the foreign states where they hide.

Cloud computing similarly involves the relocation of data to servers in countries where police may not be regulated against unwarranted data access.

Rich countries said negotiations for a UN treaty would take years to tackle these thorny subjects. They insisted the Budapest Convention on Cyber Crime, introduced by the Council of Europe in 2001, already provided the desired treaty. States should concentrate scarce resources on adopting this into national law.

"The priority should be enhanced capacity building," said the US delegation, "not further delay in favour of lengthy negotiations for a new and unproven treaty."

Continued on next page...

Colonial legacy
Many developing countries favoured UN negotiations because they wanted to shape any cyber treaty to which they became party. African, Asian, Latin and Pacific countries went to the meeting with unanimous support for a UN treaty.

Cuba's delegation said international harmonisation was difficult without international negotiations. The Russian Federation, one of only five CoE members not to have ratified the Budapest Convention, wanted a UN treaty to give police more powers to shut down websites and block communications distributing "propaganda" for "terrorists and anti-social extremists".

"What is not allowable is that the principle of freedom of speech should impede a no less important goal, which is to free the informational networks from criminality," Russia's delegation told the Congress last week.

Russia has also long opposed the Budapest clause that gives law agencies the power to access computers in other countries with their owners' permission but without the approval of national authorities. Russia was offended in 2000 by FBI agents who hacked the computers of two Russian men who had been defrauding American banks. They collected evidence that was used to prosecute the men in the US courts.

Be thankful
The EU and US insisted the Budapest Convention provided a standard of law that should not be diluted. Cyber criminals hopped quickly between countries. Police needed to pursue them quickly. The US said countries with little computing experience would anyway contribute little to a new round of negotiations.

The Congress concluded that priority should be given to capacity-building in those countries caught by criminals on wrong side of the digital divide - without the experts and legislatures to apprehend them. Advanced countries should provide more technical assistance.

The meeting left a window open for preparatory talks for a UN treaty, but it removed any serious obstacle to the further propagation of the Budapest Convention, which has already been ratified by 46 countries, including four outside Europe.

Maud de Boer-Buquicchio, deputy general of the Council of Europe, told THINQ before the UN Congress convened that UN negotiations would have created such a delay in legal modernisation that it would give cyber criminals a helping hand.

Canada, Chile, Costa Rica, the Dominican Republic, Mexico and the Philippines have all made steps toward ratification of the Budapest convention. Argentina applied for ratification last month, though it supports a UN treaty as well. China had put its weight behind a UN treaty and has not dealt with the CoE. But its support was muted.

Another 120 countries have referred to the Budapest Convention while updating their statutes.

Curve ball
Those countries that have been victim of concerted foreign attacks on their computer systems have been quick to support the Budapest Convention for the powers in gives police to collect evidence.

The Estonian Ministry of Defence has promoted the Budapest Convention since the unattributed attacks on Estonian computers in 2007. Georgia took just 18 months, with CoE assistance, to draft cyber legislation after the unattributed hack attacks that coincided with its war with Russia in 2008.

Russia was blamed for both incidents, but denied that they were state-led computer attacks.

Budapest-grade legislation would have given police the means to pursue hackers and eliminate the possibility that the Russian state was behind them, securing electronic evidence and bringing prosecutions against the whoever was fingered.