EFF has joined forces with 110 NGOs today in a joint statement delivered to the United Nations Ad Hoc Committee, clearly outlining civil society non-negotiable redlines for the proposed UN Cybercrime Treaty, and asserting that states should reject the proposed treaty if these essential changes are not implemented. 

The last draft published on November 6, 2023 does not adequately ensure adherence to human rights law and standards. Initially focused on cybercrime, the proposed Treaty has alarmingly evolved into an expansive surveillance tool.

Katitza Rodriguez, EFF Policy Director for Global Privacy, asserts ahead of the upcoming concluding negotiations:

The proposed treaty needs more than just minor adjustments; it requires a more focused, narrowly defined approach to tackle cybercrime. This change is essential to prevent the treaty from becoming a global surveillance pact rather than a tool for effectively combating core cybercrimes. With its wide-reaching scope and invasive surveillance powers, the current version raises serious concerns about cross-border repression and potential police overreach. Above all, human rights must be the treaty's cornerstone, not an afterthought. If states can't unite on these key points, they must outright reject the treaty.

Historically, cybercrime legislation has been exploited to target journalists and security researchers, suppress dissent and whistleblowers, endanger human rights defenders, limit free expression, and justify unnecessary and disproportionate state surveillance measures. We are concerned that the proposed Treaty, as it stands now, will exacerbate these problems. The proposed treaty concluding session will be held at the UN Headquarters in New York from January 29 to February 10th. EFF will be attending in person.

The joint statement specifically calls States to narrow the scope of criminalization provisions to well defined cyber dependent crimes; shield security researchers, whistleblowers, activists, and journalists from being prosecuted for their legitimate activities; explicitly include language on international human rights law, data protection, and gender mainstreaming; limit the scope of the domestic criminal procedural measures and international cooperation to core cybercrimes established in the criminalization chapter; and address concerns that the current draft could weaken cybersecurity and encryption. Additionally, it requires the necessity to establish specific safeguards, such as the principles of prior judicial authorization, necessity, legitimate aim, and proportionality.

Despite an Ecuadorian court’s unanimous acquittal of security expert Ola Bini in January this year due to complete lack of evidence, Ecuador’s attorney general's office has moved to appeal the decision, perpetuating several years of unjust attacks on Bini’s rights. 

In the context of the Internet Governance Forum 2023 (IGF) held in Japan, the Observation Mission on the Bini case, which includes EFF and various digital and human rights groups, analyzed how advocates can utilize key elements of the judgment that found Bini not guilty. The Mission released a new statement pointing out these elements. The statement also urges Ecuadorian authorities to clarify Bini's procedural status as the attorney general's office has been posing difficulties for Bini's compliance with the precautionary measures still pending against him, particularly the requirement of periodic appearances to the AG's office.  

The full statement in Spanish is available here. 

Below we’ve summarized these key elements, which are critical for the protection of digital rights.

Irrelevant Evidence. The court characterized all evidence presented by the attorney general's office as irrelevant or unfit: "None of these elements led to a procedural truth for the purpose of proving any crime." With this decision, the court refused to convict Bini based on stereotyped views of security experts.  It has refused to apply criminal law based on a person's identity, connections, or activity, instead of actual conduct, or to apply criminal law based on a "political and arbitrary interpretation of what constitutes the security of the State and who could threaten it." Politically motivated prosecutions like Bini’s receive extensive media coverage, but what is often presented as "suspicious" is neither technically nor legally consistent. Civil society has worked to raise awareness among journalists about what is at stake in such cases, and to prevent judicial authorities from being pressured by publicized political accusations. 

The Importance of Proper Digital Evidence. The court emphasized the necessity of proper evidence to prove that an alleged computer crime occurred and that the image of a telnet session presented in Bini’s case is not fit for this purpose. The court explained that graphical representations, which can be altered, does not constitute evidence of a cybercrime since an image cannot verify whether the commands illustrated in it were actually executed. Building on technical experts' testimonies, the court said that what does not emerge or can be verified from digital forensics is not proper digital evidence. The Observation Mission's statement notes this is a key precedent that clarifies the type of evidence that is considered technically valid for proving alleged computer crimes. 

Unauthorized Access. The court clarified the meaning of unauthorized access, even though no access was proven in Bini's case. According to the court, access without authorization of a computer system requires the breach of some security system, which the ruling understands as overcoming technical barriers or using access credentials without authorization. In addition, and following Ecuador's penal code, the criminal offense of unauthorized access also requires proving an illegitimate purpose or malicious intent. While prosecutors failed to prove that any access has taken place (much less an unauthorized access), this interpretation aids in setting a precedent for defining unauthorized access in digital rights cases. It's particularly crucial as it ensures that individuals who test systems for vulnerabilities and report them do not face undue criminalization.

In light of these key elements, the Observation Mission's statement stresses that it is essential for Ecuadorian appellate authorities to affirm the lower court’s acquittal of Bini. It's also imperative that authorities clarify his procedural status and the requirement for periodic appearances, as any violation of his fundamental rights raises concerns about the legitimacy of the proceedings.

The Case's Legacy and Global Implications

This verdict has significant implications for digital rights beyond Bini's case. It underscores the importance of incorporating malicious intent into the configuration of computer crimes in legal and public policy discussions, as well as the importance of guarding against politically motivated prosecutions that rely on suspicion and public fear. 

Bini's case serves as a beacon for the defense of digital rights. It establishes critical precedents for the treatment of evidence, the importance of digital forensics, and relevant elements for assessing the offense of unauthorized access. It's a testament to the global fight for digital rights and an opportunity to safeguard the work of those who enhance our privacy, security, and human rights in the digital era.