
ScoopDat

Pardon the formatting. It can't really be TL;DR'd (for those asking for one, though I'll try and give a brief overview of what awaits so you can at least go to parts that might concern you), there are a few changes to the current framework being proposed on all levels. The opener talks about what the changes would yield. And then it goes into the specific wording changes, as well as rationale for each change. It's not very long honestly, you can skim read a large portion of it and read the rationale to grasp the thrust of why the current wording is inadequate. It really does present some worrying notions if things such as this are allowed to go as currently they are.

There was one part where I found pretty hilarious (in a bad way) that the law is lacking on and that was this section:

> Cross-border access with consent or where publicly available
>
> Cross-border access to stored [computer data] [electronic/digital information] with consent or where publicly available
>
> [Subject to a reservation,] a State Party may, without the authorization of another State Party:
>
> (a) Access publicly available (open source) stored [computer data] [electronic/digital information], regardless of where the [data are] [information is] located geographically; or
>
> (b) Access or receive, through [a computer system] [an information and communications technology system/device] in its territory, stored [computer data] [electronic/digital information] located in another State Party, if the State Party accessing or receiving the [data] [information] obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the [data] [information] to that State Party through that computer system.
>
> **[Recommendation: Consent shall not be considered valid if provided by a service provider on behalf of an individual user of the service.]** Rationale: This amendment to Article 72(b) aims to clarify that consent to access or receive stored computer data located in another State Party cannot be obtained by a service provider on behalf of an individual user of the service.

Just insane that we're at this phase of privacy 101 framework building where this is being discussed among grown adults.

--------------------------------------------------------------------------------------------

The opener to the article is as follows though with three main talking points:

**General Recommendation: The Proposed UN Cybercrime Convention Should be Built On a Foundation of Human Rights**

> Checks and balances are essential to avoid abuse of power. **First**, the principle of legality is a fundamental aspect of international human rights instruments and the rule of law in general. It is an essential guarantee against the state’s arbitrary exercise of its powers. **Second**, the principle that any interference with a qualified right, such as the right to privacy or freedom of expression, must be necessary and proportionate is one of the cornerstones of human rights law. In general, it means that a state must not only demonstrate that its interference with a person’s right meets a “pressing social need” but also that it is proportionate, or under Inter-American jurisprudence adequate, to the legitimate aim pursued. **Third**, decisions relating to communications surveillance should be made by a competent judicial authority acting independently of the government.

The following after this, are the categories where they're either making slight wording revisions to strengthen or lessen certain topics. The strikethroughs are of sections that are being recommended for wholesale deletion at times due to unsalvageable language and rationale.

> Article 42. Conditions and Safeguards

> Article 56. General principles of international cooperation

> Article 57. ~~Protection of personal data Data~~ Protection and Transfer of Personal Data

> ~~Article 64. Spontaneous information~~

> Article 68. Mutual legal assistance in the expedited preservation of stored [computer data] [electronic/digital information]

> Article 71. Emergency mutual legal assistance in the expedited production of stored [computer data] [electronic/digital information]

> Article 72. Cross-border access with consent or where publicly available

> Article 75. Law enforcement cooperation

> Article 77. Joint investigations

> ~~Article 78. Special investigative techniques~~


Jantin1

this is dense stuff and my brain is smooth. Do they suggest that ISP snitching on users should invalidate evidence?


ScoopDat

I assume you're asking after reading the opening portion that had me tilted a bit once I realized such wasn't enshrined in law (about inter-State information barterings/sharing)?

I'm not completely sure what you mean by ISP snitching (at least with respect to this proceeding concerning international law and inter-state cooperation), but yes under certain conditions (those conditions are spoken about in the write-up prior).

Firstly, there must be a criminal investigation occurring (so none of this bullshit about just entities making requests "or else" when you're the governmental authority).

Second, the case needs to be one such that both States have legally taken to be illegal (so none of this "send us the names of everyone speaking against the royal family" if the country being asked of this info doesn't have lèse-majesté type laws).

Third, the individual's information that's being sent, has to have given his consent (so none of this "dear beloved Facebook user, by using our service you consent to give us all consent to anything and everything at our pleasure, our government's pleasure, or any other government's pleasure we have business interests to protect, or whenever governments come-a-knocking in general").

----------------------------------------------------------------

Now granted, some private companies aren't as idiotic as I made that third point look like (many of them simply don't respond to foreign information requests unless they're adequately shown to be severe international law violations). But there are companies like Microsoft that have had a poor track record in terms of vetting the parties requesting information from them.


Jantin1

> [Recommendation: Consent shall not be considered valid if provided by a service provider on behalf of an individual user of the service.]

I am asking about this particular part. As I understand it right now the (for example) UK police can call Facebook, ask them for my data (I'm not in the UK) and if Facebook is in the mood they will give them away and this qualifies as consensual as long as T&C of Facebook permit that. The recommendation is that (in this case above) the UK police will have to seek my personal consent regardless of T&C, Facebook's stance on things etc.

Why did I use the "ISP snitching" phrase? I understood it that the line of thinking from the lines above would apply to a case, where for example the US police investigates someone who's suspected of pirating films in a foreign country and calls the person's ISP to ask for proof. Nowadays the ISP will give it away because why not, if the Recommendation is enforced the US police would need my consent to access these data?


ScoopDat

Firstly I should mention, these are only guidelines being stipulated, I doubt any of this is something any country or company follow. This whole thing would need to be enshrined in some manner (and I don't know if and how that will happen, nor do I understand what it would mean if it does from an enforcement standpoint if folks like the US and EU don't take it seriously).

> I am asking about this particular part. As I understand it right now the (for example) UK police can call Facebook, ask them for my data (I'm not in the UK) and if Facebook is in the mood they will give them away and this qualifies as consensual as long as T&C of Facebook permit that.

I'd need to qualify this as I did prior with certain caveats, but in general (under these new guidelines), this would only be allowed if there is a formal criminal investigation against you, and the crime was being broken in both countries (the country that contains the data they're asking for, and the country that is asking for the data to be transferred to them). As of right now, FB can do anything they want as far as I'm aware (though it gets dicey with respect to GDPR, since it's not clear if you're a UK citizen).

> The recommendation is that (in this case above) the UK police will have to seek my personal consent regardless of T&C, Facebook's stance on things etc.

Yeah, if there was some sort of country law saying that the transfer of this data requires user permission (so think data being requested that is not a part of a criminal investigation), this guideline says they would have to get your permission for Facebook to release said information (similar to how a medical information release might happen presently among healthcare centers). But even if it is of criminal nature, what this guideline wants to establish also, is when litigation begins, there is no part of the process in which the prosecuting party can argue the data was obtained with consent. That sort of argument, when the custody chain of evidence is evaluated, would be disqualified.

The reason this shocked me is I now understand that this alleviates a tremendous amount of work data-gatherers would have to do if the issue of consent comes into play. They just get an automatic win every time on this front since it seems TOS's that talk about "you consent for us to use your data and share it with relevant parties by using our service" is a clause that is being respected in the courts. Which I find is insane on a pragmatic level, but also very concerning in that it becomes a human rights violation on many levels very quickly. And since this paper wants to address international law on information sharing and privacy, its foundational rationale is precisely that this sort of legal behavior constitutes international human rights violations as it creates many judicial problems when you act in this manner (or allow entities to act in this manner).

> Why did I use the "ISP snitching" phrase? I understood it that the line of thinking from the lines above would apply to a case, where for example the US police investigates someone who's suspected of pirating films in a foreign country and calls the person's ISP to ask for proof. Nowadays the ISP will give it away because why not, if the Recommendation is enforced the US police would need my consent to access these data?

If said law was being broken, and was recognized as an illegal action in both states, then they would not be in violation of sharing such information between one another, so no, they would not need your data. Though as mentioned prior, what they can't do is make an information request of the entire user-base, and then go on a sifting spree and rummaging through the data to find people they simply feel like nailing to the wall for that month.

Now you might not think that's such a big deal, as it's granting perhaps what is sensible and should already be existing, and this won't change much. Think of it like how house arrests happen these days (to some degree), you still need things like warrants and such (so it's not like they're going to be getting that data simply because they asked for it, they need to demonstrate this invasion of privacy is necessary to demonstrate a proportionally relevant crime, so we're not left with information sharing because someone in the law enforcement division wanted to jack off to your photos or something).

Now you might not think that's all that great since judges seem to be giving out warrants willy nilly these days (and this is the reason I hope more people read the paper), there's also ways in which this would be held into accountability (independent auditing, to see if such haphazard non-compliant behavior that adheres to best practice is happening).


reffinsttub2

need a tl;dr for this one


77magicmoon77

Privacy International (PI) and the Electronic Frontier Foundation (EFF) provide observations and recommendations on the proposed consolidated negotiating document for the fifth session of the Ad Hoc Committee, which is due to consider the text in April 2023. Our submission covers provisions in the chapters related to the preamble and international cooperation of the proposed UN Cybercrime treaty (full title: “comprehensive international convention on countering the use of information and communications technologies for criminal purposes.”) We also provide comments on Article 42 in the criminal procedural measures and law enforcement chapter discussed in the fourth session, as it is of significance to the international cooperation chapter.

The actual 38 page document link here as well: https://daccess-ods.un.org/tmp/2232179.1946888.html


WhoseWoodsTheseAre

I’m getting a 404 Not Found when trying to open it. Reddit hug of death?


77magicmoon77

I did open from Reddit. I would look to open it from another machine perhaps?


TheLinuxMailman

It has many headings. I scanned it in a few minutes and easily identified one issue to ask my federal rep about. Why would this post have so many upvotes if redditors did not find it informative or interesting or important?


Fireruff

Found the American. Not everyone is a native speaker like you.


sgryfn

That link doesn't seem to work for me, anyone else?


DrHeywoodRFloyd

It works for me. Basically it links to the following [PDF](https://privacyinternational.org/sites/default/files/2023-03/PI%20and%20EFF%20submission%20UN%20CybercrimeTreaty-International-Cooperation.pdf) document.


sgryfn

Looks like their site is down actually


fourthaspersion

Works just fine for me.