This September, the United Nations General Assembly shall take up the comprehensive international agreement on cybercrime, which, if adopted, shall be presented for ratification by all UN member states.
For the very first time, the UN Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes shall define what will globally be considered as cybercrime and how countries and their law enforcement agencies can collaborate to prevent, detect and prosecute such crimes that include access to and sharing relevant data held by the private sector, and potentially establish third party liability.
The International Chamber of Commerce Philippines joins global industries and the World Chambers Federation in raising a number of concerns that can affect areas such as cybersecurity research, access to data held by the private sector, including matters of data protection and privacy, human rights implications, as well as business liability and regulation.
The Convention likewise seeks to harmonize approaches and incentivize collaboration, but if its scope is not clearly and narrowly defined, this could only cause complications for business compliance specially when countries end up with complex and overlapping laws.
Acts of cybercrime cross borders and necessitate global cooperation for an effective prosecution of crimes. The cooperation entails that offenses are commonly understood and recognized by the parties involved. A globally agreed to Convention ensures a more stable, secure and trusted digital environment. It should not, however, duplicate nor contradict existing frameworks, rather, it should supplement or be aligned with existing international agreements such as the Budapest Convention, the UN Convention Against Transnational Organized Crime, the UN Convention Against Corruption, and others.
Moreover, the provisions on criminalization should include offenses against confidentiality, integrity and availability of computer data and systems — examples of which are unauthorized access or hacking; unauthorized system interference that cause injury to the public through the use of computer programs or electromagnetic methods; and unauthorized data interference, otherwise known as phishing.
Novel cyber technologies and criminal activities, such as the spreading and use of malicious computer codes to attack government systems, critical infrastructure, or ICT supply chains must be an integral part of the Convention.
Traditional crimes, however, should not be classified as cybercrime simply because a computer was involved in the planning and execution of the crime. For example, terrorism, arms trafficking or counterfeit medical products need not be addressed in this Convention as they are already covered by other treaties.
When criminalizing various actions, the Convention should explicitly mention intent and purpose for each act. Security and vulnerability research and disclosure, when coordinated with vendors and authorities, should not be criminalized since that would have the opposite effect and make the cyber ecosystem less secure.
Further, given the different legal practices and cultural approaches across member nations, any attempt to regulate content must be shunned. Commitments that would result in preventive content takedowns may lead to hampering journalistic freedom and freedom of expression.
It is imperative that the definition and scope of each illegal conduct covered, including descriptions of types of activities, are stipulated. Given the rapid evolution of technologies and the need to ensure the protection of human rights when it comes to criminal sanctions, these definitions shall be the basis for penalties and compliance requirements once the Convention is adopted and implemented as national law. Provisions written Clearly, Definitively, Precisely and Carefully will avoid unintended interpretation.
ICC Philippines appeals to the Philippine delegation to consider the concerns of the global business community before said Convention is submitted for ratification.