The encroachment of geopolitics into our living rooms and smartphone screens hints at our growing sensitivity to the effect of global events, even as so-called information is presented through the filter of computing technologies and the information they bring to our sensory organs.
Earlier this month I wrote about the tragic effects of weaponized commercial technologies, and followed it up with a few thoughts on how information availability shapes our personal and group identities. These musings reminded me of the fundamental need for a shared language when it comes to concepts as abstract as "information and communication technology" (ICT).
Creating terms and definitions is not something many of us have the opportunity to do very often. As such, when a definition for the term "cyberfraud" was required for my professional reference on the topic (The Canadian Cyberfraud Handbook, Reuters, 2017), I found the exercise particularly challenging. I ended up spending an entire chapter of the book justifying the precision and the flexibility required to both future-proof the term and build upon previous definitions of "electronic fraud" without casting a net so wide as to incur the risk of covering too much of the concept of digital crime or even diluting "cyberfraud" itself.
The Challenge of Defining Cyberfraud
At the risk of sounding like Judge Judy, I settled on the following:
Cyberfraud, n.: any unconscionable act, dishonest conduct, deceptive activity or deceitful omission that uses computer technologies or digital connectivity to defraud the public, or any person, out of assets, property, money, valuable security or service.
The objective was to offer a clear and concise definition of cyberfraud while illustrating the fact that connected computer processing would be used to engineer a scalable situation that would result in one, or more likely many people, being cheated out of something of value.
The effort may seem trivial at first glance, but it was important to constrain the definition while not excluding certain important implications:
- the use of computer processing must be exploitable in order to amplify the effect of the deception
- the gain of advantage must offer the promise of being disproportionately greater than the effort expended, thereby differentiating from a one-off situation that is sufficiently described by the term "fraud"
- the exploitation of more than just a connected computer, but the advantage of being "online", as illustrated by the network effect of online access to data and processing capability
A Look at the US DOJ Definition of Cybercrime
Stay with me here. We're getting somewhere. That somewhere is the specific importance of precision when it comes to a particular description. Take for instance the American Criminal Law Review (https://www.ojp.gov/ncjrs/virtual-library/abstracts/computer-crimes-7), a journal that set out to describe "Computer Crimes" in broad strokes, as nothing less than "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution."
Here's where it gets interesting: the journal goes on to assert that due to the diversity of computer-related offenses, a narrower definition would be inadequate.
The US Department of Justice divides computer-related crimes into three categories:
- the computer as the "object" of a crime. This category refers primarily to the theft of computer hardware or software.
- the computer as the "subject" of a crime. This category of computer-related crime encompasses any attempt to interfere with the lawful services and activities provided by computers and their servers.
- the computer as the "instrument" used to commit traditional crimes, which include identity theft, child pornography, copyright infringement, and mail or wire fraud.
The United Nations Cybercrime Treaty
To recap, the "computer" or information system exists in one of three states within the context of cybercrime: as the objective of the crime, as the focus of the activity or as the tool enabling the illicit activity. So it is with this backdrop that we look at the objectives of the (big breath in) "Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes", a valiant 2019 United Nations initiative to "combat the use of information and communications technologies for criminal purposes". This ambitious effort promised to "take into full consideration existing international instruments and efforts at the national, regional and international levels" and has now come up with a Draft resolution for consideration by the General Assembly that literally no one in the world is happy with.
How is that possible? Unlike most legal and diplomatic documents, those intractable volumes of administrative prose, this cooperative work of thought leadership is not a particularly nebulous read. In fact, as many eagle-eyed readers were quick to point out, the problem starts with the title itself: United Nations Convention against Cybercrime (Crimes Committed through the Use of an Information and Communications Technology System). This doesn't just clarify the use of the term cybercrime but it appears to equate it to information and related technologies, which is a very interesting approach given the diversity of audiences soon to digest, translate and communicate the work into tangible initiatives.
It immediately goes into the preamble by stating in no uncertain terms "that information and communications technologies, while having enormous potential for the development of societies, create new opportunities for perpetrators, may contribute to the increase in the rate and diversity of criminal activities, and may have an adverse impact on States, enterprises and the well-being of individuals and society as a whole". True enough, but the foreshadowing is difficult to ignore.
Having thusly set out to solve all ICT crime regardless of context, the draft convention launches into an idealistic mission unconstrained even by "the scale, speed and scope of criminal offences, including offences related to terrorism and transnational organized crime, such as trafficking in persons, the smuggling of migrants, the illicit manufacturing of and trafficking in firearms, their parts, components and ammunition, drug trafficking and trafficking in cultural property". Theft, fraud, forgery, suppression of data, interference, deception and numerous other evils are mentioned throughout the latest revision of the Updated draft text of the convention.
The formidable articulation of grandiose objectives continues:
"Convinced of the need to pursue, as a matter of priority, a global criminal justice policy aimed at the protection of society against crimes committed through the use of an information and communications technology system (hereinafter “cybercrime”) by, inter alia, adopting appropriate legislation, establishing common offences and procedural powers and fostering international cooperation to prevent and combat such activities more effectively at the national, regional and international levels,
Determined to deny safe havens to those who engage in cybercrime by prosecuting these crimes wherever they occur,
Stressing the need to enhance coordination and cooperation among States by, inter alia, providing technical assistance and capacity-building, including, where possible, the transfer of technology on mutually agreed terms, to countries, in particular developing countries, upon their request, to improve national legislation and frameworks and enhance the capacity of national authorities to deal with cybercrime in all its forms, including its prevention, detection, investigation and prosecution, and emphasizing in this context the role that the United Nations plays,
Recognizing the increasing number of victims of cybercrime, the importance of obtaining justice for those victims and the necessity to address the needs of persons in vulnerable situations in measures taken to prevent and combat the offences covered by this Convention,
Determined to prevent, detect and suppress more effectively international transfers of property obtained as a result of cybercrime and to strengthen international cooperation in the recovery and return of proceeds of the crimes established in accordance with this Convention,
Bearing in mind that preventing and combating cybercrime is a responsibility of all States and that they must cooperate with one another, with the support and involvement of relevant international and regional organizations, as well as nongovernmental organizations, civil society organizations, academic institutions and private sector entities, if their efforts in this area are to be effective..."
It goes on, but my clipboard is full and I believe we can see where the dissenting voices get the idea that a very real risk of undesirable outcomes exists, in the form of (at least) perceived:
- pressure on participating nations to surveil their populations and share information
- retroactive justification from a vast array of crimes to introduce broad security controls
- aspirational goals towards the elimination, eradication and extirpation of all crimes that can be performed with electronic devices and the key ingredient of "information".
Information
The term appears 122 times within the report of the concluding session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (one can never tire of articulating it in its full splendor).
Despite the vast frequency of its use, "information" remains undefined either in the preamble, the body of the text, footers or even the glossary. Does that bode poorly for such an expansive work of international collaboration?
We know that words matter and that such ambitious mandates are - aside from being unenforceable - a major undertaking, but the criminalization of information and communications technologies risks posing a much larger threat to human rights and civil liberties.
Indeed, two years ago, the Electronic Frontier Foundation and some 130 other organizations urged the UN to include human rights safeguards in their proposed convention. And the Committee listened, adding the following clarification:
Article 6. Respect for human rights
- States Parties shall ensure that the implementation of their obligations under this Convention is consistent with their obligations under international human rights law.
- Nothing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms, including the rights related to freedom of expression, conscience, opinion, religion or belief, peaceful assembly and association, in accordance with applicable international human rights law.
Was it sufficient? Those pesky public crusaders came back with rebukes with incendiary titles such as: "The UN Cybercrime Draft Convention Remains Too Flawed to Adopt" and launched into direct criticism as early as the first paragraph:
"Despite two and a half years of intense discussions and seven negotiation sessions, states remain deeply divided on fundamental aspects, leading to a deeply flawed draft text and a problematic chair’s proposal from February 2024. They can’t even agree what to call the Convention, much less its scope—should it address only core cybercrime, or any crime committed using technology?
The February 2024 language continues to risk criminalizing protected speech, granting broad surveillance powers without robust safeguards, and raising serious cybersecurity concerns. Despite continuous advocacy from civil society and industry, these key issues remain unaddressed. A new version of the Convention is expected soon, but without addressing these critical flaws, the risks to human rights remain."
Now that the UN treaty is much closer to being ratified, the EFF and others are increasing efforts to clarify what's at stake for nations and their citizens:
"The proposed UN Cybercrime Convention is an extensive surveillance pact that imposes intrusive domestic surveillance measures and mandates states’ cooperation in surveillance and data sharing... with minimal human rights safeguards.
If adopted, it will rewrite surveillance laws worldwide. Millions of people, including human rights defenders, journalists, security researchers, and those speaking truth to power, will be affected. Without clear, enforceable safeguards, the treaty risks becoming a tool for state abuse and transnational repression rather than protecting human rights."
The EFF goes on to neatly summarize the fundamental problems with this initiative:
- The Title of the Draft Convention is Misleading and Problematic
- Expansive Scope and Over-Criminalization Risks
- Overbroad Scope of Evidence Gathering Powers Will Enable Domestic and Cross-Border Spying
- Insufficient Human Rights Safeguards
- Highly Intrusive Secret Spying Powers Without Robust Safeguards
- Compelled Technical Assistance (accessing a secure system by forcing anyone to assist in unlocking it)
- Lawless Law Enforcement Cooperation Risks Human Rights Erosion
- Insufficient Protection for Security Researchers and Other Public Interest Work
- Risks to LGBTQ and Gender Rights
This is not likely to take a quick fix. To truly understand the enormity of the challenge and the risks associated with getting it wrong, I looked at Canada's International Centre for Criminal Law Reform and Criminal Justice Policy. As the initial opposition to the initiative was taking shape, the ICCLR published a handy article entitled "Canada’s Position at the UN Cybercrime Treaty Negotiations" that struck a balanced posture:
"The world is witnessing an alarming rise in cybercrime. In what has been dubbed a “ransomware epidemic,” cybercriminals are increasingly encrypting data and demanding ransom payments, often directly affecting critical infrastructure with collateral damages to the economy. In fact, most crimes now qualify as a form of cybercrime since most activity can be digitalized, whether as content, meta, or other data, and electronic evidence is vital for the prosecution of nearly all offences."
"Yet states hold widely divergent views in relation to cybercrime. This includes the fundamental question of whether such a UN treaty is even needed since many states are already committed to other multilateral cybercrime instruments. Canada, for instance, has ratified the Council of Europe’s Convention on Cybercrime (i.e., the “Budapest Convention”) and signed the Additional Protocol on racism and xenophobia in cyberspace. States’ existing international legal obligations and disparate policy positions, placed within the wider geopolitically polarized environment and the ongoing cyberattacks against Ukraine, suggest a fraught path forward for the upcoming negotiations and may even introduce the possibility that a common vision for a UN treaty may not be forged."
If it does not come to pass, the Draft Convention will join scores of other well-intentioned global efforts that were too broad, ambitious or forced to acquiesce to the reality that the world is changing faster than a convention of this magnitude can effectively address. Given that the very definition of "information" is practically changing before our very eyes - from alternative facts to propaganda - pulling the plug on an initiative that could, at best, introduce the world to a false sense of security, is far from the worst possible outcome.