
A Global Treaty to Fight Cybercrime—Without Combating Mercenary Spyware

Kate Robertson
Thursday, August 22, 2024, 12:30 PM
The UN’s new cybercrime treaty is poised to become a vehicle for complicity in the global mercenary spy trade.
United Nations General Assembly Hall. Sept. 13, 2017. (GPA Photo Archive, https://www.flickr.com/photos/iip-photo-archive/36396494843, CC BY 2.0)

Published by The Lawfare Institute in Cooperation With Brookings

On Aug. 8, the international community concluded its final negotiations at the United Nations over an international cybercrime treaty. The treaty—now set to go to a vote before the UN General Assembly—is intended to align the cybercrime laws and investigatory police powers of its state parties. The negotiation process revealed deep fault lines within the global community about the role of human rights in the digital age. Amid a number of disputes, the treaty’s potential to fuel the global proliferation of mercenary spyware casts a looming shadow over its final draft. As the White House has underscored, state abuses of commercial spyware are a clear and pressing threat to human rights and to the national security interests of both the United States and its allies.

Proponents of the UN’s treaty process hoped to harmonize global efforts to combat transnational cybercrime. However, the treaty has come under intense fire—from civil society, leading security researchers, human rights authorities, the international press, and industry—for threatening to do far more harm than good for the digital security of the world’s population.

The draft treaty’s mandate calls for surveillance and cross-border data-sharing powers over a breathtaking range of online content—a vision that, as advocated by Russia, China, and other adversaries, dramatically overshoots a narrow focus of combating cybercrime. Chapters IV and V of the draft treaty call for surveillance and data-sharing obligations concerning any digital information of interest in domestic criminal law investigations in each country that is party to the treaty. The treaty is thus poised to flood already overloaded legal cooperation channels with low-priority or abusive police requests for digital information.

Recent Efforts at Countering the Proliferation of Mercenary Spyware

If adopted by the General Assembly, the UN’s treaty would represent one of the first major setbacks amid ongoing international efforts to combat mercenary spyware. Following the release of the White House’s 2023 executive order on commercial spyware, 16 other countries joined the United States in releasing a joint statement recognizing spyware as a threat to both national security and human rights. The joint statement emphasizes that spyware is far too often misused by both authoritarian regimes and democracies—including against human rights defenders and journalists. The U.S.-led coalition affirmed that they “share a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware.” The United States has taken this a step further by prohibiting the federal government from using commercial spyware and has rolled out a government-wide response to combat the technology, including, for example, export controls and sanctions targeting individuals involved with commercial spyware entities. The United States also joined a parallel initiative in the EU, now led by the United Kingdom and France, with the objective of “Tackling the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities.”

An International Framework for the Global Spy Trade

If the treaty proceeds, all signatories would be required to adopt surveillance and interception capabilities that can be weaponized by countries seeking legal cover to justify their use of commercial spyware. For example, the convention’s Article 28 obliges signatories to obtain surveillance capabilities over stored electronic data in their territory, and Articles 29 and 30 oblige states to obtain capabilities to carry out the real-time interception of traffic data and content data. Notably, the provisions do not prohibit states from turning to cyber mercenaries wielding commercial spyware to obtain the requisite capabilities. A state could, under the aforementioned articles, argue that the treaty allows states to turn to commercial spyware vendors for the requisite surveillance capabilities. Language in Article 40, requiring states to provide the “widest measure” of mutual legal assistance in law enforcement investigations under the treaty, provides additional fodder for such interpretive claims. It is highly likely that governments would then abuse spyware to buttress despotic practices and undermine democratic institutions at home and abroad. Investigations by Citizen Lab researchers into the prevalence and impact of digital espionage have documented evidence of targeted attacks, both within and across borders, against civil society including human rights defenders, journalists, and political dissidents.

Other provisions in the draft pave the way for countries to outsource the use of spyware to law enforcement counterparts in foreign countries with lax privacy controls, or to launder data obtained from spyware through the secretive data-sharing channels created or normalized under the auspices of the treaty. For example, Article 46 requires states to “endeavour to provide mutual legal assistance to each other” in the real-time interception and recording of content data. The provision fails to note any restriction on whether the data in question are located in the territory of the assisting state. Article 47(2) generally endorses the use of cross-border networks that operate through multilateral or bilateral “agreements or arrangements” allowing for “direct cooperation” between police agencies worldwide. Article 48 also greenlights the use of transnational “joint investigations” between police agencies, which open the door to law enforcement authorities to go forum shopping for partnerships with spyware-friendly jurisdictions. Open-ended secrecy obligations under Article 40(20) create a strong possibility that evidence obtained through mercenary spyware would be difficult to detect and challenge through these networks.

Already, the international community is seeing more brazen uses of cross-border policing operations, such as a covert cross-border operation that led to the surreptitious capture of millions of encrypted cell phone messages around the world in a joint transnational investigation, led by a cooperation between the FBI and the Australian Federal Police. The investigation was structured to situate the storage of the captured messages on servers located in a third-party country—later revealed to be Lithuania—to avoid the legal barriers under U.S. constitutional privacy protections. U.S. law enforcement then gained access to the data through mutual legal assistance channels from Lithuania. The example raises questions about how to ensure that international human rights protections and accountability controls are equally robust in transnational investigations, particularly given the potential that collaborations may occur with jurisdictions that wield mercenary spyware.

Article 47(1) also endorses the rapid exchange of information through transnational channels, including any “data” or the location information of any person of interest. Subgroups of illiberal regimes also already have established practices that have raised serious concerns about data-sharing risks: For example, the Shanghai Cooperation Organization’s counterterrorism unit has reportedly used such data-sharing tactics to target dissidents and to circulate lists of individuals to be arrested and rendered. Even the informal sharing of inappropriate or inaccurate information can lead to the rendition and torture of innocent persons. Without robust human rights controls, low-visibility networks are particularly ripe for abuse by countries seeking to obtain and share data gleaned from mercenary spyware.

Difficult Lessons From INTERPOL’s Legacy

Potential member states of the UN’s proposed treaty on cybercrime can look to the International Criminal Police Organization (INTERPOL) as an example of the danger of cross-border data-sharing protocols that do not require and harmonize robust human rights protections from all participating states.

Established in 1923 and reconstituted in 1946, INTERPOL is an international data-sharing organization that intermediates between member police bodies from 196 countries around the world. Despite various reforms over the years, a commitment to international human rights instruments that apply to law enforcement investigations, such as the International Covenant on Civil and Political Rights, has never become a prerequisite to membership in INTERPOL. In fact, Article 4 of the organization’s constitution—which governs membership—does not include language on human rights compliance or any other elements of membership. It requires only that a request for membership come from the appropriate governmental authority of a “country,” which may propose an “official police body” for membership in INTERPOL. Its governing body, INTERPOL’s General Assembly, then determines membership with a vote. Further, Article 2 of its constitution states an aim of INTERPOL is to promote mutual assistance “in the spirit” of the Universal Declaration of Human Rights, but it does not go any further to make compliance obligatory for either INTERPOL or its membership.

Chronic abuse of INTERPOL’s international cooperation mechanisms illustrates the danger of cross-border policing frameworks that do not require shared commitment to robust human rights standards. Even in high-profile circumstances, for example, in the case of Bill Browder—a financier known for exposing corruption in the Russian government—Russia attempted to arrest Browder eight times through INTERPOL’s Red Notice program. (His lawyer, Sergei Magnitsky, had been arrested in connection with the same accusations in Russia and died after being beaten in a Moscow prison.) Red Notices are requests to law enforcement worldwide to locate and arrest an individual for processing and extradition to the original country that issued an arrest warrant. The Red Notice program, and other cooperation procedures at INTERPOL, have been linked to repeated and persisting state abuses that often lead to wrongful arrests, detentions, solitary confinement, and, in some cases, extradition to due process injustices and torture.

INTERPOL’s Secretary General Juergen Stock has explained that at this stage, INTERPOL is limited in its capacity to better protect individuals from state abuses of the Red Notice program. Stock cited geopolitical tensions and the absence of a common international definition of terrorism—a nod to the danger of countries that misuse INTERPOL’s framework as a tool for transnational repression. Authoritarian countries often wield criminal law as a sword against free speech to silence opposition and suppress dissent, as in the case of Alexei Navalny, who was a leading anti-corruption advocate and leader of an opposition party in Russia. Moscow labeled Navalny as a criminal extremist, and Navalny was jailed until his death in a Russian prison in February. Despite the repeated abuse of INTERPOL’s framework, earlier this year Stock underlined that while it will scrutinize state requests for Red Notices, the organization has chosen not to police the human rights records of its member countries, stating that this is not its role “as a technical police organization.”

But however “technical” transnational police powers may be, there is no doubt that their misuse can be devastating to some of the most sensitive human rights interests known to international law. Stock’s positioning of INTERPOL as a technical body also fails to recognize how the inadequacy of procedural safeguards surrounding state surveillance and the disclosure of sensitive information to police agencies are not simply peripheral to human rights. Procedural safeguards—such as independent judicial authorization and oversight—that guard against abuse by state officials go to the heart of international human rights standards applicable to law enforcement investigations.

In the final stages of negotiations, a number of countries underscored the danger of similar types of abuses of the UN’s proposed treaty by voting to eliminate multiple safeguards from the final text of the treaty, including Article 40(22). Article 40(22) stipulates that states are not obliged to provide legal assistance to a foreign police investigation if there are “substantial grounds” for believing that the purpose of the foreign investigation or prosecution is to punish a person “on account of that person’s sex, race, language, religion, nationality, ethnic origin or political opinions.” Twenty-five countries—including Russia, China, and India—voted to remove Article 40(22), and another 17 countries abstained. In other words, more than 40 countries endorsed or tolerated removing a provision that limits cooperation obligations in circumstances where a foreign country is investigating an individual for the purpose of discrimination or punishment for their political opinions. Although the vote failed, the attempt serves as a warning about how many states are likely to approach the implementation of the treaty if it is approved by the General Assembly, particularly given shortcomings in the human rights safeguards that leave ample room for abuse.

A Missed Opportunity for International Law Reform to Target Mercenary Spyware

Like INTERPOL’s framework, the UN’s draft cybercrime treaty is also indifferent to whether state parties commit to international human rights instruments such as the International Covenant on Civil and Political Rights (the ICCPR). Article 6(1) references the need for state signatories to ensure that their implementation of the treaty “is consistent with their obligations under international human rights law,” but the measure is largely undermined by states that have declined to sign major human rights or data protection treaties. China, for example, has expressed support for the UN’s treaty but is not a party to the ICCPR and is responsible for documented abuses of INTERPOL’s cooperation procedures. The United Arab Emirates (UAE) also participated in the UN negotiations and is a potential signatory of the UN’s treaty. The UAE is not a signatory of the ICCPR and has been linked to abuses of NSO Group’s Pegasus spyware. The UAE has also been a significant financial donor of INTERPOL, and has also come under scrutiny for abuses of INTERPOL’s Red Notice program. By opening the treaty to all countries, regardless of their commitments to international human rights standards, such as the ICCPR, the UN’s treaty opens the door to further transnational abuses.

Human rights gaps in the final text of the proposed treaty have led to broad consensus between civil society and industry alike that the treaty should be rejected by democratic states for not going far enough to protect individuals around the world who will be most impacted by the treaty if it passes. While there are important protections in the final text of the proposed treaty, most of its provisions—such as Article 6(1), among others—have been assessed to be lacking and vulnerable to abuse. In addition to Article 6(1), Article 6(2) includes a provision that essentially prevents the treaty from being interpreted in a manner that would suppress human rights and fundamental freedoms. Article 6(2) is important, but it is also very broad and is therefore vulnerable to exploitation. For example, states might cite the robust sovereignty provision as outlined in Article 5, to dispute the specific content of Article 6 or applicability of international human rights standards to the use of cyber intrusions like mercenary spyware.

Another key safeguard found in Article 24 requires that state parties align their domestic laws with their international human rights obligations when implementing the treaty and stipulates that those implementing laws must incorporate the principle of proportionality. Article 24(2) stipulates the need for certain specific conditions and safeguards, such as the need for judicial review and effective remedial rights. Despite these provisions, Article 24 has also been criticized for framing these essential human rights obligations as optional, and for failing to invoke the need for other established human rights obligations, such as the principle of legality and right to individual notice. Altogether, there is much in Article 24 that reinforces the view of some states that many of its safeguards are primarily a matter of domestic preference. Even with these weaknesses, numerous states still voted to attempt to eliminate Articles 6(2) and 24 from the final text of the treaty.

Of particular concern, given the persistence of some states in the use of commercial spyware, Article 24’s safeguards also have very limited application to the treaty’s cooperation provisions in Chapter V. Collectively, the cooperation provisions in Articles 46 through 48 impose no express prohibitions on the sharing of hacked data or information obtained from commercial spyware. The provisions also do not impose any accompanying independent judicial oversight or transparency obligations to safeguard human rights in the context of transnational investigations. Transparency and oversight measures are critical to prevent shadowy transnational networks from proliferating in indefinite secrecy. Despite the treaty’s shortcomings in requiring commitment to human rights standards, Article 47(2) still allows the treaty itself to act as the “basis” for cooperation.

State abuses of spyware illustrate the danger of devolving human rights protections to the realm of “domestic law” for each country to chart on its own terms. International human rights authorities and scholars alike have called attention to the need for international law reform to confront cyber espionage and commercial spyware. This includes the need for global regulation requiring “multilateral, mandatory action with legal force” against spyware and for an international treaty addressing transnational dissident cyber espionage. The UN’s treaty would advance neither of those objectives.

Similar criticisms can be raised against a legacy cybercrime treaty, originally developed by the Council of Europe (commonly referred to as the Budapest Convention), which also obliges that states maintain surveillance capabilities and does not mandate that signatories sign the International Covenant on Civil and Political Rights or comparable human rights instruments. However, the text of the Budapest Convention was developed in 2001—long before cyber mercenaries developed the ability to wield powerful tools such as zero-click exploit chains, making it far more difficult for states to argue that the treaty ever intended to permit highly invasive exploits that were not in circulation at the time of drafting. The global proliferation of commercial spyware is now squarely before the international community, as is the prevalence and dangerousness of transnational repression. Researchers are increasingly calling attention to how although transnational repression “is not a new phenomenon, such tactics are expanding through the market growth for digital technologies and the spread of Internet-connectivity.” Increasingly, spyware is used as a tool to facilitate transnational repression, or as a repressive end in itself. Repeating mistakes of the past through the UN’s draft cyber treaty entrenches and worsens these problems.

The inability of the international community to generate consensus on matters concerning fundamental human rights leaves UN member states with the choice of whether to sign the treaty without key human rights safeguards. However, if history is a teacher, it tells us that mandating cross-border cooperation without mandating robust human rights commitments is not a tenable path forward in the fight against transnational cybercrime. As Secretary of State Antony Blinken urged only earlier this year, the misuse of commercial spyware has been linked to “arbitrary detentions, forced disappearances and extrajudicial killings in the most egregious of cases.” For countries seeking to protect fundamental freedoms, human security, and national security, this is not a fight that can be lost.


Kate Robertson is a senior researcher at the Citizen Lab, based at the Munk School of Global Affairs & Public Policy, University of Toronto.
