Holy CRAP the UN Cybercrime Treaty is a nightmare

Support me this summer on the Clarion Write-A-Thon and help raise money for the Clarion Science Fiction and Fantasy Writers' Workshop!

If there's one thing I learned from all my years as an NGO delegate to UN specialized agencies, it's that UN treaties are dangerous, liable to capture by unholy alliances of authoritarian states and rapacious global capitalists.

Most of my UN work was on copyright and "paracopyright," and my track record was 2:0; I helped kill a terrible treaty (the WIPO Broadcast Treaty) and helped pass a great one (the Marrakesh Treaty on the rights of people with disabilities to access copyrighted works):

https://www.wipo.int/treaties/en/ip/marrakesh/

It's been many years since I had to shave and stuff myself into a suit and tie and go to Geneva, and I don't miss it – and thankfully, I have colleagues who do that work, better than I ever did. Yesterday, I heard from one such EFF colleague, Katitza Rodriguez, about the Cybercrime Treaty, which is about to pass, and which is, to put it mildly, terrifying:

https://www.eff.org/deeplinks/2024/07/un-cybercrime-draft-convention-dangerously-expands-state-surveillance-powers

Look, cybercrime is a real thing, from pig butchering to ransomware, and there's real, global harms that can be attributed to it. Cybercrime is transnational, making it hard for cops in any one jurisdiction to handle it. So there's a reason to think about formal international standards for fighting cybercrime.

But that's not what's in the Cybercrime Treaty.

Here's a quick sketch of the significant defects in the Cybercrime Treaty.

The treaty has an extremely loose definition of cybercrime, and that looseness is deliberate. In authoritarian states like China and Russia (whose delegations are the driving force behind this treaty), "cybercrime" has come to mean "anything the government disfavors, if you do it with a computer." "Cybercrime" can mean online criticism of the government, or professions of religious belief, or material supporting LGBTQ rights.

Nations that sign up to the Cybercrime Treaty will be obliged to help other nations fight "cybercrime" – however those nations define it. They'll be required to provide surveillance data – for example, by forcing online services within their borders to cough up their users' private data, or even to pressure employees to install back-doors in their systems for ongoing monitoring.

These obligations to aid in surveillance are mandatory, but much of the Cybercrime Treaty is optional. What's optional? The human rights safeguards. Member states "should" or "may" create standards for legality, necessity, proportionality, non-discrimination, and legitimate purpose. But even if they do, the treaty can oblige them to assist in surveillance orders that originate with other states that decided not to create these standards.

When that happens, the citizens of the affected states may never find out about it. There are eight articles in the treaty that establish obligations for indefinite secrecy regarding surveillance undertaken on behalf of other signatories. That means that your government may be asked to spy on you and the people you love, they may order employees of tech companies to backdoor your account and devices, and that fact will remain secret forever. Forget challenging these sneak-and-peek orders in court – you won't even know about them:

https://www.eff.org/deeplinks/2024/06/un-cybercrime-draft-convention-blank-check-unchecked-surveillance-abuses

Now here's the kicker: while this treaty creates broad powers to fight things governments dislike, simply by branding them "cybercrime," it actually undermines the fight against cybercrime itself. Most cybercrime involves exploiting security defects in devices and services – think of ransomware attacks – and the Cybercrime Treaty endangers the security researchers who point out these defects, creating grave criminal liability for the people we rely on to warn us when the tech vendors we rely upon have put us at risk.

This is the granddaddy of tech free speech fights. Since the paper tape days, researchers who discovered defects in critical systems have been intimidated, threatened, sued and even imprisoned for blowing the whistle. Tech giants insist that they should have a veto over who can publish true facts about the defects in their products, and dress up this demand as concern over security. "If you tell bad guys about the mistakes we made, they will exploit those bugs and harm our users. You should tell us about those bugs, sure, but only we can decide when it's the right time for our users and customers to find out about them."

When it comes to warnings about the defects in their own products, corporations have an irreconcilable conflict of interest. Time and again, we've seen corporations rationalize their way into suppressing or ignoring bug reports. Sometimes, they simply delay the warning until they've concluded a merger or secured a board vote on executive compensation.

Sometimes, they decide that a bug is really a feature – like when Facebook decided not to do anything about the fact that anyone could enumerate the full membership of any Facebook group (including, for example, members of a support group for people with cancer). This group enumeration bug was actually a part of the company's advertising targeting system, so they decided to let it stand, rather than re-engineer their surveillance advertising business.

The idea that users are safer when bugs are kept secret is called "security through obscurity" and no one believes in it – except corporate executives. As Bruce Schneier says, "Anyone can design a system that is so secure that they themselves can't break it. That doesn't mean it's secure – it just means that it's secure against people stupider than the system's designer":

The history of massive, brutal cybersecurity breaches is an unbroken string of heartbreakingly naive confidence in security through obscurity:

https://pluralistic.net/2023/02/05/battery-vampire/#drained

But despite this, the idea that some bugs should be kept secret and allowed to fester has powerful champions: a public-private partnership of corporate execs, government spy agencies and cyber-arms dealers. Agencies like the NSA and CIA have huge teams toiling away to discover defects in widely used products. These defects put the populations of their home countries in grave danger, but rather than reporting them, the spy agencies hoard these defects.

The spy agencies have an official doctrine defending this reckless practice: they call it "NOBUS," which stands for "No One But Us." As in: "No one but us is smart enough to find these bugs, so we can keep them secret and use them attack our adversaries, without worrying about those adversaries using them to attack the people we are sworn to protect."

NOBUS is empirically wrong. In the 2010s, we saw a string of leaked NSA and CIA cyberweapons. One of these, "Eternalblue" was incorporated into off-the-shelf ransomware, leading to the ransomware epidemic that rages even today. You can thank the NSA's decision to hoard – rather than disclose and patch – the Eternalblue exploit for the ransoming of cities like Baltimore, hospitals up and down the country, and an oil pipeline:

https://en.wikipedia.org/wiki/EternalBlue

The leak of these cyberweapons didn't just provide raw material for the world's cybercriminals, it also provided data for researchers. A study of CIA and NSA NOBUS defects found that there was a one-in-five chance of a bug that had been hoarded by a spy agency being independently discovered by a criminal, weaponized, and released into the wild.

Not every government has the wherewithal to staff its own defect-mining operation, but that's where the private sector steps in. Cyber-arms dealers like the NSO Group find or buy security defects in widely used products and services and turn them into products – military-grade cyberweapons that are used to attack human rights groups, opposition figures, and journalists:

https://pluralistic.net/2021/10/24/breaking-the-news/#kingdom

A good Cybercrime Treaty would recognize the perverse incentives that create the coalition to keep us from knowing which products we can trust and which ones we should avoid. It would shut down companies like the NSO Group, ban spy agencies from hoarding defects, and establish an absolute defense for security researchers who reveal true facts about defects.

Instead, the Cybercrime Treaty creates new obligations on signatories to help other countries' cops and courts silence and punish security researchers who make these true disclosures, ensuring that spies and criminals will know which products aren't safe to use, but we won't (until it's too late):

https://www.eff.org/deeplinks/2024/06/if-not-amended-states-must-reject-flawed-draft-un-cybercrime-convention

A Cybercrime Treaty is a good idea, and even this Cybercrime Treaty could be salvaged. The member-states have it in their power to accept proposed revisions that would protect human rights and security researchers, narrow the definition of "cybercrime," and mandate transparency. They could establish member states' powers to refuse illegitimate requests from other countries:

https://www.eff.org/press/releases/media-briefing-eff-partners-warn-un-member-states-are-poised-approve-dangerou

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2024/07/23/expanded-spying-powers/#in-russia-crime-cybers-you

Image: EFF https://www.eff.org/files/banner_library/cybercrime-2024-2b.jpg

CC BY 3.0 https://creativecommons.org/licenses/by/3.0/us/

i think we need more cybercriminal!vox because the average cybercriminal is just some friendless dweeb dude with no moral compass sitting alone in his room and making crazy money off of innocent randos and. what says vox more than that?

this also makes going to hell a thousand times funnier because it means all his interactions with alastor were 100% him bullshitting to look cool.

"oh my head? uh yeah it's a. tv." (it is a pc monitor) "its cuz i uh.. died on live tv. pretty cool right?" (he fucked up the code on one of his viruses so bad that his computer room exploded) "yeah i killed like, 14 people? wild weatherman amirite." (he killed absolutely nobody and mostly just scammed money out of tech-illiterate grandmas and middle schoolers) "so uh. how'd you die? like, drown in red paint, or..?" (he genuinely thinks this is gonna land him a bitch)

[new!] ⌨️ XL Deskpad Designs 4mm thick, 36x18 Inches

[ https://dustrial.net/collections/xl-deskpads ]

I was sent to a very prestigious private school to study computer science, and they were definitely teaching me cybercrimes.

Ninjago DR Sora

⌨️ — 𝐦𝐫. 𝐫𝐨𝐛𝐨𝐭 𝐩𝐨𝐬𝐭𝐞𝐫𝐬 — ⌨️

(via Pin page)

By: Toby Davies

Published: May 14, 2024

Seventy-eight per cent of people in England and Wales think that crime has gone up in the last few years, according to the latest survey. But the data on actual crime shows the exact opposite.

As of 2024, violence, burglary and car crime have been declining for 30 years and by close to 90%, according to the Crime Survey for England and Wales (CSEW) – our best indicator of true crime levels. Unlike police data, the CSEW is not subject to variations in reporting and recording.

The drop in violence includes domestic violence and other violence against women. Anti-social behaviour has similarly declined. While increased fraud and computer misuse now make up half of crime, this mainly reflects how far the rates of other crimes have fallen.

All high-income countries have experienced similar trends, and there is scientific consensus that the decline in crime is a real phenomenon.

[ Data via Office for National Statistics ]

There is strong research evidence that security improvements were responsible for the drop. This is most obvious with vehicle electronic immobilisers and door deadlocks, and better household security – stronger door frames, double glazed windows and security fittings – along with an avalanche of security in shopping centres, sports stadiums, schools, businesses and elsewhere. Quite simply, it became more difficult to commit crimes.

Decreases in crimes often committed by teenagers, such as joyriding or burglary, had a multiplying effect: when teenagers could no longer commit these easy “debut crimes” they did not progress to longer criminal careers.

There are, of course, exceptions. Some places, times and crime types had a less pronounced decline or even an increase. For many years, phone theft was an exception to the general decline in theft. Cybercrime, measured by the CSEW as fraud and computer misuse, has increased and is the most prominent exception.

But this increase was not due to thwarted burglars and car thieves switching targets: the skillset, resources and rewards for cybercrime are very different. Rather, it reflects new crime opportunities facilitated by the internet. Preventive policy and practice is slowly getting better at closing off opportunities for computer misuse, but work is needed to accelerate those prevention efforts.

The perception gap

So why is there such a gulf between public perception and the reality of crime trends? A regular YouGov poll asks respondents for their top three concerns from a broad set of issues. Concern about crime went from a low in 2016 (when people were more concerned with Brexit), quadrupled by 2019 and plummeted during the pandemic when people had other worries. But in the last year, the public’s concern about crime has risen again.

Proportion of people naming crime as a top three issue facing the country:

[ Data via YouGov ]

There are many possible explanations for this, of which the first is poor information. A study published in 1998 found that “people who watch a lot of television or who read a lot of newspapers will be exposed to a steady diet of crime stories” that does not reflect official statistics.

The old news media adage “if it bleeds, it leads” reflects how violent news stories, including crime increases and serious crimes, capture public attention. Knife crime grabs headlines in the UK, but our shock at individual incidents is testament to their rarity and our relative success in controlling violence – many gun crimes do not make the news in the US.

Most recent terrorist attacks in the UK have featured knives (plus a thwarted Liverpool bomber), but there is little discussion of how this indicates that measures to restrict guns and bomb-making resources are effective.

Political rhetoric can also skew perceptions, particularly in the run-up to elections. During the recent local elections, the Conservatives were widely criticised for an advert portraying London as “a crime capital of the world” (using a video of New York), while Labour has also made reference to high levels of crime under the current government.

There are also some “crime drop deniers”, who have vested interests in crime not declining due to, for example, fear of budget cuts. One of us (Graham) worked with a former police chief who routinely denied the existence of declining crime.

Despite the evidence of crime rates dropping, some concerns are justified. Victims, along with their families and friends, have legitimate concerns, particularly as crime is more likely to recur against the same people and at the same places.

And, while the trend is clear, there are nevertheless localised increases in some types of offending. When these relate to harmful and emotive issues like knife crime in London, for example, it is natural that this might have a substantial influence.

We are unlikely to be able to change political agendas or journalists’ approach to reporting. But governments should be taking a more rational approach to crime that is based on evidence, not public perception.

Local governments need to keep on top of their local crime hotspots: problem bars and clubs where crime occurs, shops where shoplifting is concentrated, local road traffic offence hotspots and so on. The common theme here is how crime concentrates.

National government, meanwhile, should lead on reducing crime opportunities via national-level levers. Only national government can influence social media platforms and websites that host online crime and encourage larger businesses to improve manufacturing, retailing and service industry practices.

The positive story around crime rarely makes headlines, but this should not put us off from learning the lessons borne out in the data. We know this can work from past success, but it took decades to get car makers to improve vehicle security and to get secure-by-design ideas in building regulations. Society needs to move more quickly.

Thousands Stranded After Rescue from Myanmar’s Scam Centers

Myanmar: Thousands of individuals remain stranded after being rescued from scam centers in Myanmar, where they were forced into cyber fraud operations, officials reported.

Authorities across Southeast Asia have been cracking down on criminal networks that traffic people into these scam compounds, where they are coerced into defrauding victims online. The rescued individuals, many of whom were lured with fake job offers, are now awaiting repatriation.

Human Trafficking and Cyber Scam Networks

Reports indicate that criminal syndicates operating in Myanmar, Cambodia, and Laos have exploited economic hardships to recruit victims under false pretenses. Many were promised high-paying jobs but were instead forced into fraudulent activities, including investment scams and fake romance schemes.

According to officials, the rescued individuals include nationals from various countries. However, logistical challenges, diplomatic hurdles, and lack of proper documentation have delayed their return home.

Authorities Call for Urgent Action

Governments and international agencies are working together to facilitate repatriation efforts. Meanwhile, cybersecurity experts warn of the growing scale of these cyber scam operations and urge stricter measures to combat online fraud and human trafficking.

Victims have recounted harrowing experiences of being held captive, facing threats, and being forced to scam innocent people worldwide. With thousands still awaiting help, calls for immediate action have intensified.

Global Crackdown on Online Fraud

Law enforcement agencies continue to dismantle these criminal networks, but experts stress the need for increased vigilance. People seeking overseas jobs are advised to verify employment opportunities thoroughly to avoid falling prey to such schemes.

As the situation unfolds, governments and NGOs are under pressure to ensure the safe return of those stranded and to prevent further exploitation.

For your consideration for emotional support hoodie. Built on high quality Cotton Heritage M2580 Perfect staple. [ https://dustrial.net/collections/lux-hoodies ]

On September 16, 2023, Chioma Okoli posted a review of the Nagiko tomato puree she bought at a street market in Sangotedo, Lagos, on her Facebook page. She was telling the few thousand followers on her small-business page that it tasted more sugary than other products, asking those who had tried it what they thought. The post received a diversity of opinions, but it reached a head when a Facebook user commented: “Stop spoiling my brother product, if [you] don’t like it, use another one than bring it to social media…” Okoli responded, saying: “Help me advise your brother to stop ki**ing people with his product…” Two days later, the post had garnered more than 2,500 comments, to her surprise.

Continue Reading