岸田政権は「非常事 態」を名目に国の指示権 を拡大する地方自治法改 正案を国会に提出。連休 明けの7日、衆院本会議 で審議入りした。同法案 には「対等」なはずの国 と地方の関係を主従関係 に逆戻りさせ、国の意志 を地方に強要する武器に しようと狙う危険な思惑 が透けて見えている。　「新しい戦前」を推し 進めるためのこの法案は、 戦前の反省から憲法92 条が明記する地方自治の 本旨「地方自治は国から 独立した団体によって運 営される」を内側から掘 り崩し、憲法を空洞化し て壊..

「グローバルサウス諸国を、日本とともに成長し未来を作っていくパートナーと位置付けている、、グローバルサウス諸国との産業協力を強化する、、この内容を6月末の＜骨太の方針＞に盛り込む」と言い残し、岸田総理は専用機に乗り込みました。　そのグローバルサウスの根幹であるBRICS外相会議が、6月11日と12日にロシアのニジニ・ノブゴロドで開かれました。　が、岸田総理の専用機はグローバルノース諸国の形骸特権サロン＜G７＞イタリアに向かったのです。　＜G7＞イタリアは、テブン・アルジェリア大統領も招待しました。

　　憲法集会に開催された５月３日、東京の有明防災公園の「武力で平和はつくれない取りもどそう憲法を生かす政治を２０２４年憲法大集会」にはＪＣＪ有志を含め３万２０００人が参加、。　集会のメインステージでは伊藤塾の伊藤真塾長、新外交イニシアチブ(ＮＤ)の猿田佐世代表の二人の弁護士がスピーチ。伊藤氏は「今まで私たちは憲法に守られてきたが、これからはわたしたちが憲法を守るべき」「人口比例選挙の実現を」。猿田氏は、アメリカが広範囲な分野で日米韓の参加国連携に力を入れていることを例に、「本..

This is the second post in a series highlighting the problems and flaws in the proposed UN Cybercrime Convention. Check out our detailed analysis on the criminalization of security research activities under the proposed convention.

The United Nations Ad Hoc Committee is just weeks away from finalizing a too-broad Cybercrime Draft Convention. This draft would normalize unchecked domestic surveillance and rampant government overreach, allowing serious human rights abuses around the world.

The latest draft of the convention—originally spearheaded by Russia but since then the subject of two and a half years of negotiations—still authorizes broad surveillance powers without robust safeguards and fails to spell out data protection principles essential to prevent government abuse of power.

As the August 9 finalization date approaches, Member States have a last chance to address the convention’s lack of safeguards: prior judicial authorization, transparency, user notification, independent oversight, and data protection principles such as transparency, minimization, notification to users, and purpose limitation. If left as is, it can and will be wielded as a tool for systemic rights violations.

Countries committed to human rights and the rule of law must unite to demand stronger data protection and human rights safeguards or reject the treaty altogether. These domestic surveillance powers are critical as they underpin international surveillance cooperation.

EFF’s Advocacy for Human Rights Safeguards

EFF has consistently advocated for human rights safeguards to be a baseline for both the criminal procedural measures and international cooperation chapters. The collection and use of digital evidence can implicate human rights, including privacy, free expression, fair trial, and data protection. Strong safeguards are essential to prevent government abuse.

Regrettably, many states already fall short in these regards. In some cases, surveillance laws have been used to justify overly broad practices that disproportionately target individuals or groups based on their political views—particularly ethnic and religious groups. This leads to the suppression of free expression and association, the silencing of dissenting voices, and discriminatory practices. Examples of these abuses include covert surveillance of internet activity without a warrant, using technology to track individuals in public, and monitoring private communications without legal authorization, oversight, or safeguards.

The Special Rapporteur on the rights to freedom of peaceful assembly and of association has already sounded the alarm about the dangers of current surveillance laws, urging states to revise and amend these laws to comply with international human rights norms and standards governing the rights to privacy, free expression, peaceful assembly, and freedom of association. The UN Cybercrime Convention must be radically amended to avoid entrenching and expanding these existing abuses globally. If not amended, it must be rejected outright.

How the Convention Fails to Protect Human Rights in Domestic Surveillance

The idea that checks and balances are essential to avoid abuse of power is a basic “Government 101” concept. Yet throughout the negotiation process, Russia and its allies have sought to chip away at the already-weakened human rights safeguards and conditions outlined in Article 24 of the proposed Convention. 

Article 24 as currently drafted requires that every country that agrees to this convention must ensure that when it creates, uses, or applies the surveillance powers and procedures described in the domestic procedural measures, it does so under its own laws. These laws must protect human rights and comply with international human rights law. The principle of proportionality must be respected, meaning any surveillance measures should be appropriate and not excessive in relation to the legitimate aim pursued.

Why Article 24 Falls Short? 1. The Critical Missing Principles

While incorporation of the principle of proportionality in Article 24(1) is commendable, the article still fails to explicitly mention the principles of legality, necessity, and non-discrimination, which hold equivalent status to proportionality in human rights law relative to surveillance activities. A primer:

• The principle of legality requires that restrictions on human rights including the right to privacy be authorized by laws that are clear, publicized, precise, and predictable, ensuring individuals understand what conduct might lead to restrictions on their human rights.
• The principles of necessity and proportionality ensure that any interference with human rights is demonstrably necessary to achieving a legitimate aim and only include measures that are proportionate to that aim.
• The principle of non-discrimination requires that laws, policies and human rights obligations be applied equally and fairly to all individuals, without any form of discrimination based on race, color, sex, language, religion, political or other opinion, national or social origin, property, birth, or other status, including the application of surveillance measures.

Without including all these principles, the safeguards are incomplete and inadequate, increasing the risk of misuse and abuse of surveillance powers.

2. Inadequate Specific Safeguards 

Article 24(2) requires countries to include, where “appropriate,” specific safeguards like:

• judicial or independent review, meaning surveillance actions must be reviewed or authorized by a judge or an independent regulator.
• the right to an effective remedy, meaning people must have ways to challenge or seek remedy if their rights are violated.
• justification and limits, meaning there must be clear reasons for using surveillance and limits on how much surveillance can be done and for how long.

Article 24 (2) introduces three problems:

2.1 The Pitfalls of Making Safeguards Dependent on Domestic Law

Although these safeguards are mentioned, making them contingent on domestic law can vastly weaken their effectiveness, as national laws vary significantly and many of them won’t provide adequate protections. 

2.2 The Risk of Ambiguous Terms Allowing Cherry-Picked Safeguards

The use of vague terms like “as appropriate” in describing how safeguards will apply to individual procedural powers allows for varying interpretations, potentially leading to weaker protections for certain types of data in practice. For example, many states provide minimal or no safeguards for accessing subscriber data or traffic data despite the intrusiveness of resulting surveillance practices. These powers have been used to identify anonymous online activity, to locate and track people, and to map people’s contacts. By granting states broad discretion to decide which safeguards to apply to different surveillance powers, the convention fails to ensure the text will be implemented in accordance with human rights law. Without clear mandatory requirements, there is a real risk that essential protections will be inadequately applied or omitted altogether for certain specific powers, leaving vulnerable populations exposed to severe rights violations. Essentially, a country could just decide that some human rights safeguards are superfluous for a particular kind or method of surveillance, and dispense with them, opening the door for serious human rights abuses.

2.3 Critical Safeguards Missing from Article 24(2)

The need for prior judicial authorization, for transparency, and for user notification is critical to any effective and proportionate surveillance power, but not included in Article 24(2).

Prior judicial authorization means that before any surveillance action is taken, it must be approved by a judge. This ensures an independent assessment of the necessity and proportionality of the surveillance measure before it is implemented. Although Article 24 mentions judicial or other independent review, it lacks a requirement for prior judicial authorization. This is a significant omission that increases the risk of abuse and infringement on individuals' rights. Judicial authorization acts as a critical check on the powers of law enforcement and intelligence agencies.

Transparency involves making the existence and extent of surveillance measures known to the public; people must be fully informed of the laws and practices governing surveillance so that they can hold authorities accountable. Article 24 lacks explicit provisions for transparency, so surveillance measures could be conducted in secrecy, undermining public trust and preventing meaningful oversight. Transparency is essential for ensuring that surveillance powers are not misused and that individuals are aware of how their data might be collected and used.

User notification means that individuals who are subjected to surveillance are informed about it, either at the time of the surveillance or afterward when it no longer jeopardizes the investigation. The absence of a user notification requirement in Article 24(2) deprives people of the opportunity to challenge the legality of the surveillance or seek remedies for any violations of their rights. User notification is a key component of protecting individuals’ rights to privacy and due process. It may be delayed, with appropriate justification, but it must still eventually occur and the convention must recognize this.

Independent oversight involves monitoring by an independent body to ensure that surveillance measures comply with the law and respect human rights. This body can investigate abuses, provide accountability, and recommend corrective actions. While Article 24 mentions judicial or independent review, it does not establish a clear mechanism for ongoing independent oversight. Effective oversight requires a dedicated, impartial body with the authority to review surveillance activities continuously, investigate complaints, and enforce compliance. The lack of a robust oversight mechanism weakens the framework for protecting human rights and allows potential abuses to go unchecked.

Conclusion

While it’s somewhat reassuring that Article 24 acknowledges the binding nature of human rights law and its application to surveillance powers, it is utterly unacceptable how vague the article remains about what that actually means in practice. The “as appropriate” clause is a dangerous loophole, letting states implement intrusive powers with minimal limitations and no prior judicial authorization, only to then disingenuously claim this was “appropriate.” This is a blatant invitation for abuse. There’s nothing “appropriate” about this, and the convention must be unequivocally clear about that.

This draft in its current form is an egregious betrayal of human rights and an open door to unchecked surveillance and systemic abuses. Unless these issues are rectified, Member States must recognize the severe flaws and reject this dangerous convention outright. The risks are too great, the protections too weak, and the potential for abuse too high. It’s long past time to stand firm and demand nothing less than a convention that genuinely safeguards human rights.

Check out our detailed analysis on the criminalization of security research activities under the UN Cybercrime Convention. Stay tuned for our next post, where we'll explore other critical areas affected by the convention, including its scope and human rights safeguards.

This is the first post in a series highlighting the problems and flaws in the proposed UN Cybercrime Convention. Check out The UN Cybercrime Draft Convention is a Blank Check for Surveillance Abuses. 

The latest and nearly final version of the proposed UN Cybercrime Convention—dated May 23, 2024 but released today June 14—leaves security researchers’ and investigative journalists’ rights perilously unprotected, despite EFF’s repeated warnings.

The world benefits from people who help us understand how technology works and how it can go wrong. Security researchers, whether independently or within academia or the private sector, perform this important role of safeguarding information technology systems. Relying on the freedom to analyze, test, and discuss IT systems, researchers identify vulnerabilities that can cause major harms if left unchecked. Similarly, investigative journalists and whistleblowers play a crucial role in uncovering and reporting on matters of significant public interest including corruption, misconduct, and systemic vulnerabilities, often at great personal risk.

For decades, EFF has fought for security researchers and journalists, provided legal advice to help them navigate murky criminal laws, and advocated for their right to conduct security research without fear of legal repercussions. We’ve helped researchers when they’ve faced threats for performing or publishing their research, including identifying and disclosing critical vulnerabilities in systems. We’ve seen how vague and overbroad laws on unauthorized access have chilled good-faith security research, threatening those who are trying to keep us safe or report on public interest topics. 

Now, just as some governments have individually finally recognized the importance of protecting security researchers’ work, many of the UN convention’s criminalization provisions threaten to spread antiquated and ambiguous language around the world with no meaningful protections for researchers or journalists. If these and other issues are not addressed, the convention poses a global threat to cybersecurity and press freedom, and UN Member States must reject it.

This post will focus on one critical aspect of coders’ rights under the newest released text: the provisions that jeopardize the work of security researchers and investigative journalists. In subsequent posts, Wwe will delve into other aspects of the convention in later posts.

How the Convention Fails to Protect Security Research and Reporting on Public Interest Matters What Provisions Are We Discussing?

Articles 7 to 11 of the Criminalization Chapter—covering illegal access, illegal interception, interference with electronic data, interference with ICT systems, and misuse of devices—are core cybercrimes of which security researchers often have been accused of such offenses as a result of their work. (In previous drafts of the convention, these were articles 6-10).

• Illegal Access (Article 7): This article risks criminalizing essential activities in security research, particularly where researchers access systems without prior authorization to identify vulnerabilities.
• Illegal Interception (Article 8): Analysis of network traffic is also a common practice in cybersecurity; this article currently risks criminalizing such analysis and should similarly be narrowed to require malicious criminal intent (mens rea).
• Interference with Data (Article 9) and Interference with Computer Systems (Article 10): These articles may inadvertently criminalize acts of security research, which often involve testing the robustness of systems by simulating attacks that could be described as “interference” even though they don’t cause harm and are performed without criminal malicious intent.

All of these articles fail to include a mandatory element of criminal intent to cause harm, steal, or defraud. A requirement that the activity cause serious harm is also absent from Article 10 and optional in Article 9. These safeguards must be mandatory.

What We Told the UN Drafters of the Convention in Our Letter?

Earlier this year, EFF submitted a detailed letter to the drafters of the UN Cybercrime Convention on behalf of 124 signatories, outlining essential protections for coders. 

Our recommendations included defining unauthorized access to include only those accesses that bypass security measures, and only where such security measures count as effective. The convention’s existing language harks back to cases where people were criminally prosecuted just for editing part of a URL.

We also recommended ensuring that criminalization of actions requires clear malicious or dishonest intent to harm, steal, or infect with malware. And we recommended explicitly exempting good-faith security research and investigative journalism on issues of public interest from criminal liability.

What Has Already Been Approved?

Several provisions of the UN Cybercrime Convention have been approved ad referendum. These include both complete articles and specific paragraphs, indicating varying levels of consensus among the drafters.

Which Articles Has Been Agreed in Full

The following articles have been agreed in full ad referendum, meaning the entire content of these articles has been approved:

• Article 9: Interference with Electronic Data
• Article 10: Interference with ICT Systems
• Article 11: Misuse of Devices 
• Article 28(4): Search and Seizure Assistance Mandate

We are frustrated to see, for example, that Article 11 (misuse of devices) has been accepted without any modification, and so continues to threaten the development and use of cybersecurity tools. Although it criminalizes creating or obtaining these tools only for purposes of violations of other crimes defined in Articles 7-10 (covering illegal access, illegal interception, interference with electronic data, and interference with ICT systems), those other articles lack mandatory criminal intent requirements and a requirement to define “without right” as bypassing an effective security measure. Because those articles do not specifically exempt activities such as security testing, Article 11 may inadvertently criminalize security research and investigative journalism. It may punish even making or using tools for research purposes if the research, such as security testing, is considered to fall under one of the other crimes.

We are also disappointed that Article 28(4) has also been approved ad referendum. This article could disproportionately empower authorities to compel “any individual” with knowledge of computer systems to provide any “necessary information” for conducting searches and seizures of computer systems. As we have written before, this provision can be abused to force security experts, software engineers, tech employees to expose sensitive or proprietary information. It could also encourage authorities to bypass normal channels within companies and coerce individual employees—under threat of criminal prosecution—to provide assistance in subverting technical access controls such as credentials, encryption, and just-in-time approvals without their employers’ knowledge. This dangerous paragraph must be removed in favor of the general duty for custodians of information to comply with data requests to the extent of their abilities.

Which Provisions Has Been Partially Approved?

The broad prohibitions against unauthorized access and interception have already been approved ad referendum, which means:

• Article 7: Illegal Access (first paragraph agreed ad referendum)
• Article 8: Illegal Interception (first paragraph agreed ad referendum)

The first paragraph of each of these articles includes language requiring countries to criminalize accessing systems or data or intercepting “without right.” This means that if someone intentionally gets into a computer or network without authorization, or performs one of the other actions called out in subsequent articles, it should be considered a criminal offense in that country. The additional optional requirements, however, are crucial for protecting the work of security researchers and journalists, and are still on the negotiating table and worth fighting for.  

What Has Not Been Agreed Upon Yet?

There is no agreement yet on Paragraph 2 of Article 7 on Illegal Access and Article 8 on illegal interception, which give countries the option to add specific requirements that can vary from article to article. Such safeguards could provide necessary clarifications to prevent criminalization of legal activities and ensure that laws are not misapplied to stifle research, innovation, and reporting on public interest matters. We made clear throughout this negotiation process that these conditions are a crucially important part of all domestic legislation pursuant to the convention. We’re disappointed to see that states have failed to act on any of our recommendations, including the letter we sent in February.

The final text dated May 23, 2024 of the convention is conspicuously silent on several crucial protections for security researchers:

• There are no explicit exemptions for security researchers or investigative journalists who act in good faith.
• The requirement for malicious intent remains optional rather than mandatory, leaving room for broad and potentially abusive interpretations.
• The text does not specify that bypassing security measures should only be considered unauthorized if those measures are effective, nor make that safeguard mandatory.

How Has Similar Phrasing Caused Problems in the Past?

There is a history of overbroad interpretation under laws such as the United States’ Computer Fraud and Abuse Act, and this remains a significant concern with similarly vague language in other jurisdictions. This can also raise concerns well beyond researchers’ and journalists’ work, as when such legislation is invoked by one company to hinder a competitor’s ability to access online systems or create interoperable technologies. EFF’s paper, “Protecting Security Researchers' Rights in the Americas,” has documented numerous instances in which security researchers faced legal threats for their work:

• MBTA v. Anderson (2008): The Massachusetts Bay Transit Authority (MBTA) used a  cybercrime law to sue three college students who were planning to give a presentation about vulnerabilities in Boston’s subway fare system.
• Canadian security researcher (2018): A 19-year-old Canadian was accused of unauthorized use of a computer service for downloading public records from a government website.
• LinkedIn’s cease and desist letter to hiQ Labs, Inc. (2017): LinkedIn invoked cybercrime law against hiQ Labs for “scraping” — accessing publicly available information on LinkedIn’s website using automated tools. Questions and cases related to this topic have continued to arise, although an appeals court ultimately held that scraping public websites does not violate the CFAA. 
• Canadian security researcher (2014): A security researcher demonstrated a widely known vulnerability that could be used against Canadians filing their taxes. This was acknowledged by the tax authorities and resulted in a delayed tax filing deadline. Although the researcher claimed to have had only positive intentions, he was charged with a cybercrime.
• Argentina’s prosecution of Joaquín Sorianello (2015): Software developer Joaquín Sorianello uncovered a vulnerability in election systems and faced criminal prosecution for demonstrating this vulnerability, even though the government concluded that he did not intend to harm the systems and did not cause any serious damage to them.

These examples highlight the chilling effect that vague legal provisions can have on the cybersecurity community, deterring valuable research and leaving critical vulnerabilities unaddressed.

Conclusion

The latest draft of the UN Cybercrime Convention represents a tremendous failure to protect coders’ rights. By ignoring essential recommendations and keeping problematic language, the convention risks stifling innovation and undermining cybersecurity. Delegates must push for urgent revisions to safeguard coders’ rightsandrights and ensure that the convention fosters, rather than hinders, the development of a secure digital environment. We are running out of time; action is needed now.

Stay tuned for our next post, in which we will explore other critical areas affected by the proposed convention including its scope and human rights safeguards. 

言論の自由を保障する憲法の下で、警察による驚くべき報道弾圧が起きた。鹿児島県警が、捜査情報などを「第三者」に「漏洩」したとして現職の巡査長と前生活安全部長を相次いで逮捕した背景に、強制性交事件の「もみ消し疑惑」と、それを […]

富士電機が提供するTellus Lite V-Simulatorには、複数の脆弱性が存在します。

Rockwell Automationが提供するFactoryTalk View SEには、複数の脆弱性が存在します。

Motorola Solutionsが提供するVigilant License Plate Readersには、複数の脆弱性が存在します。

Siemensから各製品向けのアップデートが公開されました。