The World’s Real ‘Cybercrime’ Problem

From US state laws to the international stage, definitions of “cybercrime” remain vague, broad, and increasingly entrenched in our legal systems.

What do you think of when you hear the word cybercrime? Shadowy hackers infiltrating a network? Ransomware gangs taking a school’s systems hostage? What about a person violating a social network’s terms of service, paying for cocaine using Venmo, or publishing disinformation?

If you live in the United States, cybercrime can mean virtually any illegal act that involves a computer. The vague and varied definitions of “cybercrimes” or related terms in US federal and state law have long troubled civil liberties advocates who see people charged with additional crimes simply because the internet was involved. And without clear, narrowly tailored, universal definitions of cybercrime, the problem may soon become a global one.

The United Nations is negotiating an international cybersecurity treaty that risks enshrining the same type of broad language that’s present in US federal and state cybercrime statutes and the laws of countries like China and Iran. According to a coalition of civil liberties groups, the draft treaty’s list of “cybercrimes” is so expansive that it threatens journalists, security researchers, whistleblowers, and human rights writ large.

“It's really from the international level all the way down that we have this problem of ‘cybercrime’ as an overbroad or even meaningless concept,” says Andrew Crocker, a senior staff attorney at the Electronic Frontier Foundation, a nonprofit that focuses on civil liberties in the digital era.

Crimes and Misunderstandings

The push for an international cybercrime treaty originated with what might seem like an unlikely source: Russia. In 2019, 88 UN member countries voted in favor of a Moscow-led resolution to create a working group—the so-called Ad Hoc Intergovernmental Committee—that would craft a cybercrime treaty. Cosponsored by China, Myanmar, Cambodia, Iran, Syria, Belarus, Nicaragua, and Venezuela, the resolution broadly defined cybercrime as “the use of information and communications technologies for criminal purposes.” 

Even as the resolution passed, critics predicted the creation of such a treaty would focus not on network intrusions, spreading malware, or stealing data but on issues more pressing for authoritarian regimes: sovereign control over the internet and the suppression of speech that clashes with government priorities. 

More than three years and four full rounds of negotiations later, the critics’ warnings have come to fruition. Human rights nonprofit Article 19 counted 34 types of crime in draft proposals for the new UN cybercrime treaty that would fall into the larger “cybercrime” bucket. That’s dozens more than any other cybercrime-related UN agreement, including the Budapest Convention on Cybercrime, a 2001 treaty that expands international cooperation between law enforcement agencies investigating and prosecuting certain crimes, such as hacking into a computer network, and is the current international standard. 

Some of the most problematic crimes on the draft treaty’s list concern content-related offenses, says Paulina Gutiérrez, senior legal officer at Article 19. This includes activities that may be otherwise illegal in many countries—distributing child sexual abuse material or inciting acts of terrorism, for example—but do not require an internet-connected computer to carry out. It also encompasses “crimes” that are ripe for abuse by authoritarian regimes. Think terrorism-related offenses, which have no internationally agreed-upon definitions, or what a Russia-authored draft of the treaty called the sharing of material online that’s “motivated by political, ideological, social, racial, ethnic, or religious hatred”—all of which could be used to stifle speech and imprison journalists or activists, according to the EFF.

The core issue for Article 19, EFF, and other civil liberties groups is the conflation of “cyber-enabled” crimes, such as copyright infringement or the creation of disinformation, and “cyber-dependent” crimes, such as distributing malware or infiltrating a company’s network to steal information. “We have a very, very strong position about the limited scope of the treaty, because we obviously realized that they are going to try to cover everything that is just ‘a crime and technology,’” says Gutiérrez.

Beyond narrowing the types of crimes included in the treaty’s list of “cybercrimes,” Article 19 is advocating for the inclusion of language that limits the scope of the treaty to crimes that a person committed with “dishonest intent” and that caused “serious harm.” Without these provisions, activities like unknowingly sharing “fake news” articles or conducting cybersecurity research could qualify as “cybercrimes” under the treaty.

“If you don't [include] intentionality and serious harm,” says Gutiérrez, “any type of offense committed just by using technology will fall under there.” 

Trouble All the Way Down

One problem with an international treaty as broad as the one the UN is negotiating is that it could lead nations to adopt laws that align with the expansive scope of the treaty. But in the US, much of that broad scope already exists. The federal Computer Fraud and Abuse Act of 1986 has long drawn the ire of civil liberties advocates who say the 36-year-old law criminalizes swaths of activities that shouldn’t be crimes. That’s largely due to its vague language, which prohibits accessing a “protected” computer—defined as essentially any computer that’s connected to the internet—“without authorization.” 

In recent years, US courts have limited the CFAA’s scope to not cover, for example, violating a website’s terms of service. And the US Department of Justice last May revised its CFAA policies to not prosecute people for conducting “good-faith security research.” But courts’ past interpretations of the CFAA don’t mean every new CFAA case will narrow the scope of the law. And the DOJ could change its CFAA policy at any time. That’s why the EFF and other civil liberties organizations have pushed for Congress to update the law and narrow its scope. 

Regardless of what happens to the CFAA, similarly vague definitions of “cybercrime” have taken hold at the state level. A WIRED analysis of crime reports from cities that recorded some of the highest rates of computer-related offenses per capita found that the kinds of crimes that get classified by the FBI as “cybercrime” can vary dramatically depending on state criminal statutes.

In Vail, Colorado, for instance, local law enforcement reported that the city’s 5,000 residents experienced 47 “cybercrime” incidents in the past three years—one of the highest rates in the country, according to data collected by the FBI through its National Incident-Based Reporting System. The underlying crime reports for this data, which WIRED obtained through public records requests, show that these cases ranged from the fraudulent use of a credit card to identity theft to extortion over nude photos.

Some state anti-hacking laws are even broader than the CFAA, says Crocker, the EFF attorney. California Penal Code Section 502, which Crocker describes as “pretty typical” of state-level cybercrime laws, includes language similar to the CFAA’s vague “unauthorized access” prohibition. But it also stipulates that someone who “knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network” may have broken state law. 

Crocker says the EFF has argued against prosecutions where the only alleged criminal activity that occurred under Section 502 was the defendant downloading publicly accessible data that the owner of the data failed to keep private—a common activity among security researchers and journalists.

All of these broadly worded state-level cybercrime statutes can lead to over-criminalization, says Nellie King, president of the National Association of Criminal Defense Lawyers. It becomes particularly problematic when there’s little clarity about when an activity crosses the line from legal to illegal. Laws against “cyber-stalking” are a good example, King says. “I can’t tell you how many of those cases where I have to go in and say, ‘This is not stalking. This is being annoying.’” 

In addition to vague laws, cybercrime statutes are sometimes essentially duplicates of other laws on the books, which means people can be charged twice for the same act—a “double counting of crime,” says Crocker. For example, prosecutors could “charge someone with the underlying crime of fraud but then enhance it with another crime of fraud conducted over the internet where there's no harm to the actual computers or networks,” he says. King agrees, adding that states can tack on additional “cyber-related” charges “to get the sentencing jacked.”

Finally, unlike the CFAA, many state cybercrime laws have not been heavily tested by the courts, says Crocker, which leaves them open to broader interpretation. “Most states have relatively sparse case law on their state hacking law,” he says, “so you have … laws without a lot of interpretation, which is a very risky area for individuals who risk running afoul of these laws.”

Rushing Into the Void

The solution to vague, expansive cybercrime legislation is to craft legal definitions that are limited to “cyber-dependent” activities, experts say. “If ‘cybercrime’ is going to mean anything, it has to be specifically limited to crimes done to computer systems and networks using computer systems and networks,” Crocker says. “In other words, it has to be the kind of crime that could not exist if this technology did not exist. ‘Cybercrime’ can't just be any bad thing done using a computer.”

Of course, amending the mountain of US state and federal cybercrime laws is unlikely to happen, Crocker says. Even just the CFAA, which Congress could update at any time, remains largely unchanged despite several attempts to amend the law. The greatest opportunity to prevent further expansion of over-criminalization through cybercrime laws now is with the UN treaty. But even with support from many member nations to limit the list of crimes covered by the treaty to “cyber-dependent” ones, and concerted efforts from civil liberties groups to exclude offenses committed unintentionally or without causing serious harm and to add safeguards against abuse, Article 19’s Gutiérrez remains skeptical.

“The probability that we get this, I think, is very low,” Gutiérrez says.

Still, the treaty’s negotiations are ongoing, with the Ad Hoc Intergovernmental Committee scheduled to meet for the fifth round of negotiations in mid-April and the sixth round in late summer. The final text of the treaty is expected to be completed by February 2024—a tight time frame that Gutiérrez says could cause trouble for an international agreement of this complexity, magnitude, and consequence.

The speed of the negotiations means there is little time to bring the treaty’s language more in line with what civil liberties and human rights groups say is essential. In fact, it could lead to a country like Russia or China slipping in language at the last minute that would be even more detrimental than what’s already in the negotiating document—something that reportedly happened during the fourth negotiating session in January. “The truth is that the issues are so complex, they are so technical, and there's very little time to negotiate all this,” Gutiérrez says. “So there’s no question some of this language will get into the treaty, because it's not just overlooked—the process is really, really being super rushed.”