Article Details
Scrape Timestamp (UTC): 2023-09-01 12:29:36.458
Source: https://www.theregister.com/2023/08/30/microsoft_un_cybercrime_treaty/
Original Article Text
Microsoft ain't happy with Russia-led UN cybercrime treaty
Could be used to put ethical hackers, and citizens, behind bars
A controversial United Nations proposal has a new foe, Microsoft, which has joined the growing number of organizations warning delegates that the draft version of the UN cybercrime treaty only succeeds in justifying state surveillance — not stopping criminals, as originally intended.
Amy Hogan-Burney, associate general counsel for cybersecurity policy and protection at Microsoft, on Tuesday warned that the proposal in its current form is too vague, and could be used to criminalize ethical hacking and security practices, not to mention a signatory's own citizens.
"The risk is that the treaty will not be a tool for prosecuting criminals but rather a weapon that allows for intrusive data access and surveillance instruments," she wrote in a LinkedIn post. "The result could be an international agreement granting authoritarian states the power to suppress dissent under the guise of fighting cybercrime."
Microsoft's concerns come as UN delegates meet in New York this week to update the cybercrime treaty, which is supposed to both define online crime and address how member states can work together to address the problem.
During a press conference yesterday to announce an international law enforcement operation that took down Qakbot, US Attorney Martin Estrada said cybercrime will cost victims $8 trillion this year alone.
But there's more at play here. The UN proposal has been under debate for over two years. This week's meetings mark the draft's sixth round of negotiations.
Russia originally proposed the international treaty with support from countries including China and North Korea. Some suggestions from these and other authoritarian regimes worry Western member states, along with human rights and digital privacy advocates, which fear the treaty will encourage legalized surveillance across borders and criminalize online speech.
Hogan-Burney points to another potential unintended consequence: "The text also does not contain language protecting lawful cybersecurity work that keeps the digital ecosystem secure."
The international community needs to protect ethical hackers — like those who work to find and responsibly disclose vulnerabilities — she wrote.
"Key criminalization provisions are too vague and do not include a reference to 'criminal intent,' which would ensure activities like penetration testing remain lawful," Hogan-Burney said.
She also called on member states to "balance human rights with efforts to fight cybercriminals" by taking precautions, such as aligning the treaty with existing data protection standards and limiting the scope of provisions around data access.
Additionally, Microsoft would like to see an updated draft that will "increase transparency by allowing technology providers to give notice to users when their data is requested, unless doing so might compromise a criminal investigation," Hogan-Burney added.
Daily Brief Summary
Microsoft has joined other organizations in criticizing the draft version of the UN cybercrime treaty
The company warns that the proposal is vague and could lead to the criminalization of ethical hacking and security practices
Microsoft argues that the treaty could be used by authoritarian states to suppress dissent under the guise of fighting cybercrime
The international community needs to protect ethical hackers and include language that ensures lawful cybersecurity work
Microsoft also calls for increased transparency and aligning the treaty with existing data protection standards