The debate over internet governance and cyber crimes: West vs the rest?
With Internet connectivity and use of technology rising exponentially, the tug of war over Internet governance continues. On one end are the states advocating for a global, open and free model of the Internet, dubbed as the ‘Western model’, spearheaded by the U.S. and its allies. On the other end are a cluster of states led by China and Russia, advocating for a sovereign and controlled version of the internet, a ‘Leviathan model’. Although the idea of an Internet embodying the principles of equality, openness and multistakeholderism sounds appealing, the rise of new trends including cyber crimes and online misinformation poses a challenge to this model making it arduous, if not impossible, to pick one model over the other.
The post will briefly explore the two models proposed for Internet governance and the role of cybercrimes in shaping the debate. In this context, it will also critically analyze the Budapest Convention (the “convention”) and the recently proposed Russian Resolution (the “resolution”), and the strategies adopted in each to deal with the menace of cybercrimes. It will also briefly discuss India’s stance on the convention.
Two Models and Three Parties
Since the evolution of the Internet, its stewards have been expounding a global internet embodying features such as statelessness, openness, interoperability, security, and multistakeholderism. Known as the Western model of internet governance, it has been embraced by many states including UK, France. The model is premised on the idea that the internet should be a space where there is free flow of content without filtering by any intervening party including the state, thereby upholding the freedom of speech and human rights. However since the potential to cause harm in cyberspace is real, the states cannot leave the domain ungoverned. Therefore, the proponents of the Western model do exercise some degree of sovereignty over cyberspace within their borders but it is largely in contrast to the tight control exercised by the statist and controlled model, spearheaded by China and Russia. The latter model advocates for a closed version of the internet bound by territorial borders along with authoritarian control over the flow of information.
Interestingly, not every state can be easily categorized into either of these groups. Some states either lack the capacity or an interest to implement one of the model. Tim Maurer et al. in a seminal paper identifies such states as the “swing states”. They are undecided on either of the models but have the capacity to influence global conversations due to their mixed political orientations and resources. Swing states and the influence they wield in shaping the trajectory of the international process is not the focus of this post but will be explored in a future blog post.
Cyber Crime: The Menace of Internet Era
While the internet has huge potential to enable development of states on many fronts, it can also be used for criminal purposes. Cybercrime is one of the most daunting challenges of the internet era. Technological advancements that enable unique features like anonymity in cyberspace make cybercrimes less risky with the potential to provide high returns, making it all the more appealing to various actors. The growing number of internet users and connected devices increases the number of possible targets. Examples include Stuxnet, a malware that targeted the Iranian nuclear facility, and Wannacry, a ransomware attack that affected computers worldwide. In 2018, the Chief of United Nations Office on Drugs and Crime (UNODC) pointed out that cyber crimes are estimated to generate revenue of approximately $1.5trillion per year. Despite cyber crimes proliferating rapidly, law enforcement agencies have not been able to keep up the pace resulting in an enforcement gap. The transnational nature of cyber crimes is one of the major difficulties faced by them. Due to its global nature, cyberspace provides a platform for criminals to commit crimes out of one state, which could have the potential to affect multiple victims in different states. This means investigations of such crimes involve questions of extra territorial jurisdictions and increased cooperation between authorities of different states, creating various complications. This, coupled with diverse types of actors such as states, non-state actors, and groups hired by either of the two further complicates the issue at hand.
The Convention on Cybercrime of the Council of Europe, known as the Budapest Convention, is the only international instrument currently in place that addresses the issue of cyber crime. Recognizing the paramount need for combating crimes, it criminalizes conduct that affects the “confidentiality, integrity, and availability of computer systems, networks, and computer data”. It covers a diverse rangeof issues ranging from illegal access, computer related fraud to child pornography. Furthermore, it serves as an instrument that facilitates greater cooperation among states to enable better detection, investigation, and prosecution of cyber crimes.
The wide division of opinions on internet governance is also mirrored in the debate on how to effectively tackle the issue of cybercrime. This led to a recent development in last year’s General Assembly in the form of a Russian-led resolution on cybercrime. The resolution proposes the establishment of a committee of experts to draft a new cybercrime treaty that would replace the convention. Considering the fact that Russia has been a strong advocate of a Leviathan model of internet, the proposed treaty would in most likelihood embrace principles of sovereignty and non-interference while dealing with cyber crimes.
With the resolution passing the final vote at the UN General Assembly, the proponents of the convention are met with a time bound challenge to come up with innovative approaches to convince more states to join their side.
The Budapest Convention v. The Russian Resolution
The Budapest Convention has met with multiple criticisms, the major one being that it is a West drafted treaty with hardly any involvement of the developing countries. It’s also argued that as the treaty is almost two decades old, its provisions are too outdated to deal with evolving crimes. Furthermore, it is criticized for the vagueness of some of its provisions, which allow governments to bifurcate their obligations, and thereby hinders the effective implementation of the treaty. For example, the MLA regime of the treaty is often cited as ineffective as it does not command firm cooperation from parties by providing them grounds to refuse the same.
Despite being imperfect, a realistic analysis of the convention would reveal that it is the best instrument at hand to deal with cyber crimes. The convention, establishing common standards for its signatories, along with the Cybercrime Convention Committee (the “Committee”) that oversees its implementation and Programme Office on Cyber Crime (the “C-PROC”) dedicated towards capacity building, provides a dynamic framework for effectively tackling cybercrimes. The Committee ensures that the convention is adapted to address evolving crimes such as denial of service attacks and identity thefts, which did not exist at the time the convention was adopted, by issuing guidance notes and draft protocols. Similarly on the issue of procedural law, despite new developments such as cloud servers, the Committee is actively working on addressing the complicated challenges posed by it. It has proposed an additional protocol to specifically deal with access to evidence in the cloud by facilitating more efficient mutual legal assistance amongst the signatories and direct cooperation with service providers, while striking a balance between rule of law and human rights. The protocol if adopted would not only aid in the law enforcement process but would also have a major impact on how the international community perceives sovereignty in cyberspace. Furthermore, The C-PROC through its various capacity building initiatives such as strengthening of the legislations along the lines of rule of law and human rights, training of relevant authorities, promotion of public-private partnerships and international cooperation strengthens the ability of states to deal with cyber crimes.
While the international community is unable to arrive at a consensus on internet governance, with neither conglomerate of states acceding to the demands of the other, renewing global diplomatic negotiations on it might seem to be the best step. However a look at Russia’s resolution and its draft cyber crime convention would indicate that it might not be the appropriate solution to the problem at hand. The resolution as well as the draft convention, which is supposed to serve as a framework for the treaty, are drafted without due regard for human rights concerns. A mere reference to human rights, requiring use of ICTs to be in compliance with human rights and fundamental freedoms, is insufficient to safeguard it while combating cyber crimes. Primarily, the language used in the resolution is vague.It fails to define “use of information and communication technologies for criminal purposes". It mentions both cyber enabled crimes such as use of ICTs for trafficking as well as cyber crimes that could detrimentally affect “critical infrastructures of states and enterprises” and “well-being of individuals”. Such broad wording is highly problematic as it vests immense powers at the hands of the state to criminalize even ordinary online behaviour that is detrimental to its interests. In fact, such practices are already in existence around the world where we see governments clamping down on human rights activists, journalists, and civil society for expressing their opinions that are critical of the government in the online space. Numerous examples of such authoritarian actions include internet shutdowns, blocking of websites, which have become the trend around the world. While legislations curbing cyber crimes are quintessential to ensure a safe and secure cyberspace, arbitrary use of it, as is widely observed, today can have chilling effects on exercising rights in the online domain. Furthermore, combating a complex issue like cyber crime, which involves questions of technicalities, laws, and human rights, requires concerted efforts from various stakeholders including civil society and private sector. It is only through such multistakeholder endeavors that we can curb the use of ICTs for criminal purposes without hindering human rights. Therefore an ad hoc intergovernmental group of experts, as proposed by the resolution, is not the appropriate body to develop an international treaty on cyber crimes.
In short, the resolution and the draft convention are proposing a Leviathan model vesting state with excessive control over the internet. In practice, it would bear resemblance to the “sovereign internet law” of Russia and the “Golden Shield Project” of China. Such models are widely criticized for eschewing democratic principles in the name of ensuring security of the state from cyber attacks. For instance, the “sovereign internet law” mandates installation of technical equipments for counteracting threats to stability, security, and functional integrity of the internet.” The law, therefore, allows the government to prevent any communication that challenges its interests. A past attempt by the Russian government to block Telegram, is an example of the same. Furthermore, in the event of a “threat”, the law provides for routing of traffic solely through networks located within Russia, thereby allowing isolation of the national network and centralized control over it by the state. It paves the way for creation of digital borders, premised on the principle of state sovereignty. The “Great Firewall of China”, a part of the “Golden Shield Project”, is the most appropriate depiction of internet sovereignty. The Firewall serves as a system of surveillance that vests the government with complete control over all incoming and outgoing information over the Chinese networks. Any new domain has to obtain prior approval from the government before becoming accessible on the Chinese internet. When it comes to the question of human rights, a mere search for the term “democracy” in a search engine is blocked. The resolution by leaving the question of what amounts to use of ICTs for criminal purposes open-ended creates the danger of exercising of similar excessive powers by the states that could impinge upon fundamental human rights. The draft convention already incorporates the principle of state sovereignty. If adopted, it comes with the risk of us seeing the likes of Chinese model of the internet in greater numbers.
The convention is not perfect but we should be realistic and not expect one treaty to solve all problems at a go. The convention, coupled with its follow-up and capacity-building mechanisms are making positive developments in addressing evolving cyber threats while promoting a global and open internet . With as many as 65 parties and many using it as the model for their national cyber crime legislation, a new treaty to address cyber crimes pose the risk of hindering the developments made by the convention so far especially in the international cooperation front. Concerted efforts to improvise the convention are more practical than developing a new international framework, especially when the probability of reaching a consensus is almost nil.
India and the Budapest Convention: To Ratify or Not
Despite cybersecurity being a major concern and occupying a central place in its overall internet governance policy, India has surprisingly not yet become a party to the convention. It has even amended its Informational Technology Act, 2008 along the lines of the convention. India’s reluctance to sign, notwithstanding the convention’s potential to aid it in addressing its concerns in the cyber front especially with regard to jurisdictional issues while tackling cyber crimes, warrants an analysis.
One of the widely cited reasons for the reluctance is the non-inclusion of India and other developing countries in the drafting stage. However choosing to stand on the sidelines merely because of non-inclusion in the initial negotiations might not be the wisest move especially since the convention addresses matters that are of extreme importance to India. Ratifying the treaty even at a later stage would still enable it to participate in further evolution of the convention, which could outweigh this concern. Another major concern for India is that terrorism, considering how cyberspace has enlarged its scope and reach, does not find any mention in the substantive law of the convention. However the procedural provisions of the convention apply to any criminal offence committed with the aid of a computer, including terrorism. But it is often argued that the MLA regime is not sufficiently firm to facilitate cooperation. While it is true that the process has to be made more efficient, the Committee along with the Cloud Evidence Group is actively working on addressing its shortcomings. Finally, controversial provision-Ar.32, on cross border access to data- is also a cause for concern for India. The Guidance Notes issued by the Committee, however, clarifies the limited scope of the article thereby addressing the privacy and data protection concerns raised against it.
The convention is still evolving and is constantly being reviewed to make it more effective. Therefore India has to ask itself the question whether it wants to stand on the sidelines and observe the developments or if it should partake in shaping its progress. Currently, it is the only instrument in place that provides a legal framework for facilitating cooperation on cyber crime investigations amongst various jurisdictions. Considering that India has already embarked on a “Digital India” initiative, which in most likelihood will be accompanied by a spike in cyber crimes, it is the need of the hour to ratify the convention.
Elizabeth Dominic is a lawyer and a tech-policy researcher. Her work focuses on the intersection of law and technology and human rights, particularly on the applicability of current international legal frameworks to cyberspace and emerging technologies. Previously, she has worked at the Centre for Communication Governance and at IT for Change.
This post was reviewed and edited by Aman Nair,Amber Sinha and Arindrajit Basu