Introduction
Member states of the United Nations approved the draft text of the United Nations Convention Against Cybercrime (‘Draft Convention’) by consensus, in August 2024, after five years of deliberations. It is the UN’s first consolidated attempt at regulating crimes on the Internet. The move has attracted its fair share of controversy, with tech companies and human rights organisations protesting against the lack of safeguards.
The draft text of the convention is expected to be adopted by the General Assembly later this year. It could then become the foremost multi-lateral legal instrument governing cybercrime.[1] The Draft Convention primarily addresses the following aspects: (i) combating cybercrimes enabled by information and communications technology (‘ICT’) systems (ii) strengthening international cooperation to tackle cybercrimes by establishing effective frameworks at national, regional and international levels, and (iii) enhancing coordination among states by providing technical assistance and capacity building.
In this piece, we will discuss the key provisions of the UN Draft Convention and analyse the implications for India.
First UN Treaty on Cybercrime
The UN’s core concern in this regard is captured in the preamble. It recognises that the proliferation of ICT systems can have a significant impact on the “scale, speed and scope of criminal offences”. While ICT has tremendous potential to develop societies, it can also create novel opportunities for perpetrators. The diversity of crimes in the age of ICT, as well as the increasing frequency of such crimes, may impact States, enterprises and individuals adversely.
It mentions offences related to terrorism and transnational organised crime. The latter includes trafficking of persons, smuggling of migrants, illicit manufacturing of firearms, drug trafficking and trafficking of cultural property. The draft convention is part of a global trend, where governments have been attempting to clamp down on crimes committed through, or enabled by, the internet. This has prompted the UN to pursue the formulation of a global criminal justice policy, geared towards tackling cybercrime, by adopting appropriate legislation, establishing common offences and ensuring international cooperation.
Key Definitions
‘ICT systems’ have been defined in the Draft Convention as “any device or group of interconnected or related devices, one or more of which, under a program, gathers, stores and performs automatic processing of electronic data” [Article 2(a)]. Further, ‘electronic data’ has been defined as “any representation of facts, information or concepts in a form suitable for processing in an information and communications technology system, including a program suitable to cause an information and communications technology system to perform a function” [Article 2(b)]. A ‘serious crime’ has been defined as “conduct constituting an offence punishable by a maximum deprivation of liberty of at least four years or a more serious penalty” [Article 2(h)].
What Constitutes a Cybercrime?
The term ‘cybercrime’ has not been defined under the Draft Convention. Instead, Chapter II of the treaty provides a list of activities that are to be criminalised. They are:
Illegal access to an ICT system [Article 7]
State parties shall adopt appropriate legislative and other measures to criminalise intentional illegal access to an ICT system in whole or in part. A State party may narrow down the scope of the offence by requiring that the offence be committed by infringing upon security measures, with dishonest or criminal intent to obtain electronic data.
Illegal interception of non-public transmissions of electronic data [Article 8]
The intentional and illegal interception of non-public transmission of electronic data to, from or within an ICT system, including electromagnetic emissions, shall be criminalised. A State party may narrow down the scope of the offence by requiring that the offence be committed with dishonest or criminal intent to obtain electronic data.
Interference with electronic data or an ICT [Articles 9 and 10]
The intentional and illegal interference with electronic data, by way of damaging, deleting, deteriorating, altering or suppressing, shall be a criminal offence. A State party may narrow down the scope of the offence by requiring that the above conduct result in serious harm. Accordingly, the intentional and illegal interference with an ICT system, resulting in serious hindering of its functioning, by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing electronic data, shall be a criminal offence.
Misuse of devices [Article 11]
Intentionally and illegally making available a device or data to commit an offence shall be criminalised. A device may include a programme that is designed or adapted primarily to commit an offence.
Forgery related to ICT systems [Article 12]
Tampering with electronic data, by way of input, alteration, deletion or suppression, when done intentionally and illegally, shall be an offence. Such forgery should result in inauthentic data, with the intent that they be considered or acted upon for legal purposes as if they were authentic. A State party may narrow down the scope of the offence by requiring a criminal intent to defraud.
Theft or fraud related to ICT systems [Article 13]
Loss of property to another person, when done intentionally and without right, shall be a criminal offence. Such loss may occur through:
- Input, alteration, deletion, or suppression of electronic data,
- Interference with the functioning of the ICT system,
- Deception through the ICT system regarding factual circumstances.
Online child sexual abuse or child sexual exploitation material [Article 14]
The following conducts relating to online child sexual abuse or exploitation material (CSAM) have been criminalised:
- Making available CSAM through an ICT system,
- Soliciting, procuring or accessing CSAM through an ICT system,
- Possessing or controlling CSAM stored in an ICT system,
- Financing of above offences.
Solicitation or grooming to commit a sexual offence against a child [Article 15]
Intentionally communicating, soliciting, grooming, or making any arrangement through an ICT system to commit a sexual offence against a child, as defined in domestic law, including for the commission of any of the offences established by Article 14 of the Convention, shall be a criminal offence. State parties may exclude the criminalisation of such conduct when committed by children themselves.
Non-consensual dissemination of intimate images [Article 16]
Making a person’s intimate images available through an ICT system, without the consent of the depicted person, when done intentionally and without right shall be a criminal offence. This provision pertains to individuals over the age of eighteen.
Laundering proceeds of crime [Article 17]
Conversion or transfer of property, with the knowledge that such property is derived from the proceeds of crime, to conceal or disguise the illicit origin of the property or for helping in the commission of an offence, is criminalised. Acquisition, possession or use of property, knowing that such property is derived from the proceeds of crime is an offence.
Apart from the above provisions establishing cybercrimes, State parties are obligated to establish laws governing the liability of both natural and legal persons, criminalise the above offences, and statute of limitations. Furthermore, Chapter V lays down the principles for achieving international cooperation, the general principles for which include investigation and prosecution of criminal offences, and sharing of electronic evidence, established under the convention. Additionally, requirements relating to protection of personal data [Article 36], extradition [Article 37], transfer of criminal proceedings [Article 39] and mutual legal assistance [Article 40, 44, 45, 46] have been laid down.
Implications for India
The adoption of the UN Draft Convention will have significant implications for the Indian legal framework governing cybercrimes and cybersecurity. India has actively participated in the negotiations surrounding the treaty. Given that India is not a member state of the Budapest Convention on Cybercrime (2001), the coming into effect of the UN Draft Convention would mean the benchmarking to international cybercrime standards for the first time.
Provisions relevant to tackling cybercrimes are currently scattered across various laws, such as the Information Technology Act, of 2000, the CERT-IN Framework, Digital Personal Data Protection Act, of 2023, criminal laws, and sectoral laws and regulations. However, the lack of an updated national cybersecurity strategy has meant reliance on the National Cyber Security Policy of 2013. The adoption of the Draft Convention may expedite the formulation of an updated national cybersecurity strategy in India, which is aligned with international standards.
Upon ratification of the treaty, India may proceed either by amending existing legislation, such as the Information Technology Act, of 2000, or by enacting fresh legislation, targeting cybercrimes on subjects not already covered under extant law. This may prove to be a complex exercise, requiring a comprehensive mapping of the obligations under the Draft Convention vis-à-vis the extent to which such offences are covered in the current Indian legal framework. An assessment of gaps between the two would reveal the appropriate legal and policy strategies.
Moreover, differences in state capacity and bandwidth have been acknowledged in the Draft Convention. As a Global South nation, India may have to avail technical assistance programmes and capacity-building initiatives to align effectively with the contents of the treaty. Achieving a degree of geographical balance in the implementation of the Draft Convention would be of utmost importance, thus distinguishing it from the fractured path of the Budapest Convention.
Conclusion
The UN Draft Convention is indicative of the urgency felt by global leaders in tackling cybercrimes, through appropriate international and national legal instruments. While the final adoption by the General Assembly is awaited, as well as the subsequent ratification by India, the significance of the Draft Convention cannot be understated. The success of the Draft Convention in tackling cybercrime would depend on how well global asymmetries in state capacities are addressed, and the degree of harmonisation achieved in establishing cybercrimes within domestic laws. Further, as advocated in the Draft Convention, a whole-of-ecosystem approach, taking inputs from NGOs, civil society, academic institutions, and private sector entities, would be valuable. Such efforts could lead to maintaining an open, reliable and secure digital infrastructure.