[HN Gopher] EFF's concerns about the UN Cybercrime Convention
___________________________________________________________________
EFF's concerns about the UN Cybercrime Convention
Author : walterbell
Score : 176 points
Date : 2024-08-10 07:46 UTC (3 days ago)
(HTM) web link (www.eff.org)
(TXT) w3m dump (www.eff.org)
| acheong08 wrote:
| > Negotiations for this treaty began in 2022, initiated by a
| controversial proposal from the Russian Federation.
|
| I would understand if this was coming from the states but why is
| the UN even considering such a proposal coming from Russia?
| ViktorRay wrote:
| Russia is a member of the United Nations. It is also a
| permanent member of the United Nations Security Council.
|
| So it is only natural that the UN would consider proposals from
| Russia.
| walterbell wrote:
| UN cybercrime treaty was unanimously approved by 200 countries
| this week.
| acheong08 wrote:
| Well, that's depressing. Were EFF recommendations applied?
| walterbell wrote:
| EFF tweet, https://x.com/eff/status/1821672613468569628
| Member States traded away existing human rights safeguards to
| reach a contrived consensus for a treaty that will endanger
| journalists, dissenters, human rights activists, and everyday
| people around the world.
|
| Related thread: https://news.ycombinator.com/item?id=41210110
| tptacek wrote:
| I don't think the EFF has much suction at the level of
| international diplomacy. Most UN countries, including much of
| Europe, don't have the basic categorical legal principles
| much of EFF's argumentation relies on, especially re: free
| expression and rules of evidence.
|
| Fortunately, those same legal principles in the US cannot be
| overridden by a treaty.
| dannyobrien wrote:
| There has always been a fairly established group of NGOs
| with similar criticisms at the international level,
| including EFF (you're more likely to hear these critiques
| from EFF at HN because ... well, we're a pretty EFF-adjacent
| community here.)
|
| Unfortunately, the UN mostly works as a venue for
| governments negotiating with governments, with accredited
| NGOs having a position of being tolerated in those
| discussions, but with no real power. Outside of those
| tolerated NGOs, influence drops even further.
|
| (When I was at EFF, we did try to get UN official
| accreditation, but China would consistently veto it. There
| are other digital rights groups that have been accepted
| though, and we worked very closely with those. The full
| list of NGOs is here: https://en.wikipedia.org/wiki/List_o
| f_organizations_with_con... )
| tptacek wrote:
| Yeah, I was only struck by the previous comment's
| implication that the UN Office of Drugs and Crime might
| in the ordinary course take and act on feedback from the
| EFF. Like, it could happen, but it would be very
| surprising, right?
|
| I think it almost doesn't make sense, in that I perceive
| EFF to be, whether overtly or not, a very American
| organization with very American public policy views.
| gjsman-1000 wrote:
| The other issue is that the EFF is the minority opinion
| on many, many subjects. Many of the most effective NGOs
| have a "we agree with you, but this 10% needs to change,"
| which is flexible enough that governments who otherwise
| wouldn't care pay attention.
|
| The EFF isn't like that - for example, the idea of
| outlawing DRM, while popular among hackers and people
| here, is a total nonstarter internationally. It's about
| as effective as hiring the FSF to lecture Microsoft; or
| hiring PETA to lecture Tyson; or hiring the Amish to
| lecture you on electrical design. The opinions are so
| diametrically opposed that it's not even worth
| considering.
| advael wrote:
| Not surprisingly, most governments have little to no
| respect for individual freedom and autonomy. To my
| understanding, this is among the best reasons not to sign
| such treaties with said governments, as compromising on
| principles surrounding fundamental human rights should be
| a non-starter for those that value them
| cma wrote:
| For strict textualists it is ambiguous whether the
| supremacy clause puts treaties above the constitution, or
| was referring to state constitutions:
|
| > This Constitution, and the Laws of the United States
| which shall be made in Pursuance thereof; and all Treaties
| made, or which shall be made, under the Authority of the
| United States, shall be the supreme Law of the Land; and
| the Judges in every State shall be bound thereby, any thing
| in the Constitution or Laws of any State to the Contrary
| notwithstanding.
|
| And there is no explicit ordering of priority between them
| and the Constitution.
| tptacek wrote:
| I don't think this is true, regarding federal law
| precedence and the Constitution. To be true would be to
| imply that the Senate, with the cooperation of the
| executive and one other country(?!), can override the
| Constitution.
|
| You don't have to get there axiomatically though; you can
| just look this up. Treaties are coequal with federal
| statutes, and are overridden by any conflicting statute
| passed after the treaty is ratified.
| blackeyeblitzar wrote:
| I looked up who the representatives were from the US and I
| hadn't heard of any of the names. The UN website doesn't have
| bios or links to more information on those people - just a list
| of names you can't scrutinize. It's a depressing bureaucracy
| bulatb wrote:
| This thread with all these comments (the ones up when I wrote
| this) was posted three days ago. Here's a post that referenced it
| then: https://news.ycombinator.com/item?id=41211151
|
| Why is it back on the front page and posted "5 hours ago"? I'm
| not implying underhandedness or anything but I'd like to know why
| this happens. Anyone know?
|
| These are the comments it got at the time:
|
| https://news.ycombinator.com/item?id=41210091
|
| https://news.ycombinator.com/item?id=41210379
|
| https://news.ycombinator.com/item?id=41212594
|
| https://news.ycombinator.com/item?id=41210086
|
| https://news.ycombinator.com/item?id=41210905
| lagniappe wrote:
| I suppose you'll find the number of licks to the center of a
| Tootsie Pop before you get an answer to this that makes any
| sense. Nonetheless, I do have hope someone will ackshually me
| into an explanation.
| wizzwizz4 wrote:
| <del>A wizard</del> <ins>dang</ins> did it.
| ziddoap wrote:
| Second chance pool
|
| https://news.ycombinator.com/item?id=26998308
|
| > _HN's second-chance pool is a way to give links a second
| chance at the front page. Moderators and a small number of
| reviewers go through old submissions looking for articles that
| are in the spirit of the site--gratifying intellectual
| curiosity--and which seem like they might interest the
| community. These get put into a hopper from which software
| randomly picks one every so often and lobs it randomly onto the
| lower part of the front page. If it interests the community, it
| gets upvoted and discussed; if not, it falls off._
| bulatb wrote:
| _> lobs it randomly onto the lower part of the front page_
|
| That is where it was. So the process posts a copy of the
| article and comments with the current date? But gives it the
| old URL?
| ziddoap wrote:
| As far as I am aware, it just updates the timestamps of the
| original to the time of the 'lobbing'.
| commandlinefan wrote:
| Looks like, unsurprisingly, the resolution is more about
| mandating censorship than it is about curbing actual crime. I'm
| pretty pessimistic about the future of a free internet - there
| have been lots of attempts at censorship-resistant protocols, but
| they require widespread adoption. If they haven't already been
| adopted, I doubt they ever will.
| alephnerd wrote:
| > Looks like, unsurprisingly, the resolution is more about
| mandating censorship than it is about curbing actual crime
|
| That is a fairly bad take tbh.
|
| I mentioned this in my previous comment about this treaty, and
| the primary driver is the fact that most countries (especially
| China, Russia, Singapore, South Korea, Saudi Arabia, UAE, Iran,
| India) are NOT parties of the Budapest Convention because of
| the Censorship or Surveillance portions.
|
| Now that offensive security capabilities have proliferated,
| some amount of norms are required (which is what Article 12, 13
| and 17 touch on), but the countries listed above will not budge
| on their censorship or surveillance stance.
|
| This treaty itself is a result of the Track 1.5 Dialogues
| around cyberwarfare happening between the 5 Eyes and China
| [1][2] after tensions became dangerously bad in the early
| 2020s.
|
| If letting China continue their Great Firewall means we can
| formalize the rules of engagement for gray-zone operations
| using a third party (Appin/India, LockBit/Russia,
| ChamelGang/China or NK), so be it.
|
| The UN treaty is superseded by American jurisdiction anyhow.
|
| > future of a free internet
|
| The internet was never truly free. Access was always arbitrated
| by telcos (and a major reason why the tech industry has been a
| major donor to the EFF) who themselves are strongly regulated
| by governments.
|
| The difference is, the internet isn't only a Western project
| anymore, and consensus will need to be formed with other
| nations, unless we want to end up forming regionalized
| "internets"
|
| [0] - https://news.ycombinator.com/item?id=41210110#41211961
|
| [1] - https://www.chathamhouse.org/about-us/our-
| departments/intern...
|
| [2] -
| https://www.idcpc.org.cn/english2023/bzhd/202406/t20240618_1...
| Esras wrote:
| I'm trying to read this in good faith, that what you're
| describing is about how "[formalizing] the rules of
| engagement for gray-zone operations using a third party" will
| help prevent certain kinds of tensions from rising again to a
| potential boiling point (arguably the _only_ point of the
| UN), but the tone comes off as so defeatist it's hard to see
| that as a positive.
|
| Can you elaborate a bit further on why you see this as a
| necessary step for a given outcome?
|
| Otherwise this just looks like giving in to bad faith actors
| and weakening our own protections in the process.
| alephnerd wrote:
| > but the tone comes off as so defeatist
|
| Because it is.
|
| The existing status quo over cyberwarfare is untenable, and
| runs the very real risk of causing chaos if we don't tamp
| down on the usage of third parties for plausible
| deniability.
|
| Most countries have offensive security capabilities
| directly under direct government control, but a number of
| them will also tolerate third party actors attacking a
| rival country so long as they don't attack the host
| country.
|
| This is what LockBit (Russia), ChamelGang (either China or
| NK), Appin (India), etc. have done.
|
| Either everyone allows cybercriminals in their countries to
| attack other countries (and spark actual chaos in our
| entire internet infra that could escalate into actual
| violence), or all nation states agree to tamp down on third
| party attackers.
|
| The Budapest Convention was the previous cybercrimes
| agreement, but most countries outside of the West that
| matter didn't ratify it. This meant terms of engagement
| over cyberwarfare weren't truly formalized, and a bad actor
| like NK or China could in good faith argue that a North
| Korean or Chinese cybergang did no wrong.
|
| The brutal reality is that performative treaties like the
| Budapest Convention have no teeth, and a global Internet
| means that terms of engagement are needed for warfare, or
| the entire Internet splinters.
| fngjdflmdflg wrote:
| >Now that offensive security capabilities have proliferated,
| some amount of norms are required
|
| >This treaty itself is a result of the Track 1.5 Dialogues
| around cyberwarfare happening between the 5 Eyes and China
| [1][2] after tensions became dangerously bad in the early
| 2020s.
|
| >If letting China continue their Great Firewall means we can
| formalize the rules of engagement for gray-zone operations
| using a third party (Appin/India, LockBit/Russia,
| ChamelGang/China or NK), so be it.
|
| >The internet was never truly free. Access was always
| arbitrated by telcos
|
| >the internet isn't only a Western project anymore
|
| None of what you wrote here is an argument for mandating data
| collection, as outlined in articles 29 and 30. Those two
| articles are unrelated to your points here. They aren't about
| establishing norms for an existing phenomenon or about
| preventing or regulating cyberwarfare between the US and
| China or about formalizing rules of grey zone operations.
| It's just a requirement for data collection.
| alephnerd wrote:
| > None of what you wrote here is an argument for mandating
| data collection
|
| Data Collection was one of the primary reasons why Russia,
| China, India, Singapore, and other nations did not become
| parties to the Budapest Convention (the precursor to this
| treaty) [0][1]
|
| Most nations other than the US, Canada, EU, and Japan
| mandate collection and retention of metadata by ISPs and
| Online Services, and this was a major sticking point that
| led to the inefficacy of the Budapest Convention.
|
| > Those two articles are unrelated to your points here
|
| I just gave links to the currently ongoing Track 1.5
| dialogues to show the ongoing diplomacy work that has
| started over cybercrime in the early 2020s.
|
| [0] - https://www.uscc.gov/sites/default/files/Research/Chi
| na%20In...
|
| [1] - https://ccdcoe.org/uploads/2018/10/InternationalCyber
| Norms_C...
| fngjdflmdflg wrote:
| >Most nations other than the US, Canada, EU, and Japan
| mandate collection and retention of metadata
|
| Then they should just not mention data collection at all
| if there is no agreement on it. "These countries are
| already doing it" is not a good reason to agree to
| something. Especially since it makes changing the law in
| those countries impossible now.
|
| >this was a major sticking point that led to the
| inefficacy of the Budapest Convention.
|
| Really? Are you saying those other countries said they
| would not agree to any Cybercrime Convention unless it
| had an article _mandating_ data collection? I find that
| hard to believe. In any case, even if that were true, it
| would be better to have no convention at all.
| alephnerd wrote:
| > Then they should just not mention data collection at
| all if there is no agreement on
|
| This treaty is supposed to supersede the Budapest
| Convention. The Budapest Convention is explicitly in
| favor of data privacy (a number of its data privacy
| norms influenced the GDPR).
|
| Either data collection mandates are left to individual
| states or the same deadlock that happened with the
| Budapest Convention would happen again.
|
| > it would be better to have no convention at all
|
| Then you're left with the status quo that every nation
| that isn't a party of the Budapest Convention can use 3rd
| party groups to hack a rival, which leads to chaos.
| fngjdflmdflg wrote:
| >Either data collection mandates are left to individual
| states
|
| What is wrong with this? This seems extremely obvious.
| The fact that you do not mention this option in your
| original post seems almost disingenuous. Unless you meant
| to address it in the 'unless we want to end up forming
| regionalized "internets"' line? Although leaving the
| entire meat of your argument to one unexplained line
| isn't great either. And even then I don't see how the
| lack of mandating data collection would result in
| regionalized internets. So far I can access websites in
| Russia or South Korea just fine despite this point. And
| in any case you can create a regionalized internet even
| if all these rules are followed. See China and North
| Korea.
|
| >you're left with the status quo that every nation that
| isn't a party of the Budapest Convention can use 3rd
| party groups to hack a rival, which leads to chaos.
|
| US, China, Russia and North Korea will continue to hack
| each other, no matter the outcome of this UN Convention.
| Even ignoring that point it is still strictly much better
| to have hacking than have globally mandated data
| collection
| dmurray wrote:
| > Looks like, unsurprisingly, the resolution is more about
| mandating censorship than it is about curbing actual crime.
|
| Well, the EFF's take on the resolution is always going to be
| more about the censorship it introduces than how much it
| enables law enforcement to curb actual crime.
|
| I'm aligned with the EFF on this, and would vote against this
| if it were raised in any democratic forum I voted in, but
| that's because I care more about reducing censorship than
| reducing online crime. Yes, I, unlike most voters in modern
| liberal democracies, would let ten paedos walk free to save one
| Aaron Swartz.
|
| If you really care about them ~equally - as you have to, for
| your comment to be made in good faith - then you can't take
| your talking points from the EFF.
| fngjdflmdflg wrote:
| Does it actually mandate any censorship/data collection, or
| does it just mandate that collected data must be shared? I
| tried reading the actual PDF[0] but I don't really want to read
| the whole thing
|
| [0]
| https://documents.un.org/doc/undoc/gen/v24/055/06/pdf/v24055...
| ziddoap wrote:
| Articles 29, 30, and 45 are the relevant ones which touch on
| data collection.
| fngjdflmdflg wrote:
| Ok, so they are mandating data collection:
|
| >Each State Party shall adopt such legislative and other
| measures as may be necessary to empower its competent
| authorities to: (a) Collect or record, through the
| application of technical means in the territory of that
| State Party; and (b) Compel a service provider, within its
| existing technical capability: (i) To collect or record,
| through the application of technical means in the territory
| of that State Party; or (ii) To cooperate and assist the
| competent authorities in the collection or recording of;
| traffic data, in real time, associated with specified
| communications in its territory transmitted by means of an
| information and communications technology system.
|
| That is pretty bad. Some parts of this draft actually
| seemed pretty reasonable - eg. Article 14 making CSAM
| illegal. I guess that is part of the trick.
| ziddoap wrote:
| Article 36 is a pretty fun one, too.
|
| > _States Parties are encouraged to establish bilateral
| or multilateral arrangements to facilitate the transfer
| of personal data._
| alephnerd wrote:
| > facilitate the transfer of personal data.
|
| I take it you oppose the EU-US Data Privacy Framework
| then?
| ziddoap wrote:
| Yep
| fngjdflmdflg wrote:
| link to the draft:
| https://documents.un.org/doc/undoc/gen/v24/055/06/pdf/v24055...
| andersa wrote:
| Is there a summary somewhere? 41 pages of dense text is quite a
| lot.
| codetrotter wrote:
| LLMs are pretty good at summarizing things.
| ccvannorman wrote:
| Here, let me Chat GPT that for you. https://chatgpt.com/share
| /5b72547f-435f-4ac9-aefd-83e61093d0...
|
| Chat GPT 4o had this to say after I asked it to summarize and
| criticize the document:
|
| The convention's real-time data collection provisions risk
| enabling mass surveillance, violating privacy rights, and
| creating avenues for state overreach without sufficient
| safeguards.
|
| By simplifying extradition processes, the convention may
| facilitate politically motivated prosecutions, leading to
| potential abuses of international legal systems under the
| guise of combating cybercrime.
|
| The broad criminalization of cyber offenses, such as
| electronic forgery, could lead to the overreach of law
| enforcement, targeting minor or unintended infractions and
| stifling legitimate digital activities.
| Sirizarry wrote:
| Now what does it have to say as a rebuttal to that
| criticism?
___________________________________________________________________
(page generated 2024-08-13 23:00 UTC)