Microsoft on Tuesday joined human rights and civil liberties groups raising serious concerns about an international cybercrime treaty the United Nations is negotiating this week to create a legal framework for cooperation on preventing digital crimes.
While a number of advocacy groups such as the Electronic Frontier Foundation have criticized aspects of the draft UN Cybercrime Treaty, Microsoft appears to be the first big tech company to weigh in publicly during the latest round of discussions, urging negotiators to address what it called overly broad definitions of cybercrime that could lead to human rights abuses.
Among the tech giant’s concerns are that the treaty’s provisions for government access to personal data could provide governments a front for “real-time surveillance” of anything they deem a crime. Moreover, the treaty does not provide safeguards for companies to notify targets of surveillance. Additionally, Microsoft expressed concerns that the draft treaty doesn’t protect “ethical hackers” in sections of the document about criminalizing cyber intrusions.
“We need to ensure that ethical hackers who use their skills to identify vulnerabilities, simulate cyberattacks, and test system defenses are protected,” Amy Hogan-Burney, associate general counsel for cybersecurity policy and protection at Microsoft, wrote in a LinkedIn Post. “Key criminalization provisions are too vague and do not include a reference to ‘criminal intent,’ which would ensure activities like penetration testing remain lawful.”
The LinkedIn post preceded a stakeholder session hosted Tuesday by Microsoft and groups including Access Now and the CyberPeace Institute, a nonprofit that Microsoft funds.
The treaty has been strongly backed by China and Russia, which last spring pushed for a successful resolution to curb the “use of information and communications technologies for criminal purposes.”
But since treaty negotiations began in 2021, critics have raised a number of issues. Several groups including Access Now, EFF and Human Rights Watch hosted a briefing last week to voice concerns that the treaty could facilitate expanded surveillance by law enforcement and undermine privacy and free expression by journalists, activists and marginalized groups.
“The treaty could harm the very people it’s meant to protect,” Carey Shenkman, human rights attorney at Article 19, a nonprofit that defends freedom of expression globally, said during the briefing.
Despite ongoing criticisms of the treaty, the U.S. government expressed optimism about the outcome of the negotiations, Recorded Future News reported last week. The U.S. State Department was “optimistic that the negotiations are “on a path towards a consensus-based treaty that will help countries fight the scourge of cybercrime,” a spokesperson told the outlet.
Chris Painter, a former cyber diplomat for the U.S. who has been attending negotiations, told CyberScoop that all of the concerns raised by Microsoft and others are still “in flux.”
“In particular, the scope issue is critical as Russia and its allies want a very broad scope that risks criminalizing dissent and other things we believe should be protected,” Painter wrote in a message. “There isn’t really much of a middle ground here so this threshold issue (as well as others) is critical.”
He said that while it’s too early to tell what final negotiations will look like, a failure to reach an agreement could lead to “a vote that would be both a bad precedent and risks many countries simply not signing on.”
The current negotiation for the cybercrime treaty will run until Friday. A final vote will not take place until January 2024.