
The Budapest Convention on Cybercrime and the controversies over Brazilian membership

12 November 2021

In 2021, the 2001 Budapest Convention on Cybercrime gained the spotlight in the national debate on digital rights, driven in large part by legislative efforts to speed up the ratification of this treaty in Brazil. The Brazilian accession process, however, has been quite controversial and has drawn criticism from academics and human rights activists in the digital field. Today's IRIS blog post presents the debate about the convention, along with the risks and impacts that a hasty accession can have on the Brazilian legal system.

The Budapest Convention and the pressure for a rapid Brazilian accession

The 2001 Budapest Convention on Cybercrime is an international treaty on criminal procedural law and criminal law originally established within the Council of Europe and which currently has more than 60 signatory countries. Its content deals with both the criminalization of specific conducts and the definition of procedures for investigation and production of evidence. In addition, this norm outlines mechanisms for international legal cooperation in order to encourage coordinated and harmonious action among countries in the area of combating cybercrime.

In recent months, the debate about Brazilian accession to the convention has been driven by the processing of Legislative Decree Proposal (LDP) No. 255/2021, which intends to ratify the entire treaty in the national legal system. Presented in June and approved in October in the plenary of the Chamber of Deputies, the lower house of Congress, the text of the proposal is currently being discussed in the Federal Senate, where changes can still be proposed in the form of amendments presented to the House’s plenary.

The extreme speed of the legislative process regarding the LDP has raised considerable controversy among the different sectors involved in the debate on the subject. On the one hand, criminal justice authorities are pressuring the legislative power for a quick accession, arguing that the approval of the text would make the fight against cybercrime more effective, a social problem that has acquired significant proportions in recent years. On the other hand, academic and human rights organizations working in the digital field warn of the dangers of a total adherence to the text of the convention and ask for a deeper debate. This is the position of Coalizão Direitos na Rede, for example, a national coalition of more than 48 entities – including IRIS – dedicated to the fight for the protection of fundamental rights in the digital area in Brazil.

One of the objections raised by the second group concerns the lack of participation and openness in the debate. Since the LDP can generate enormous repercussions on the national ecosystem of digital rights protection, it would be expected to mobilize a broad, open and democratic discussion. However, the process has been very fast-paced and, in general, not very participatory. It is impossible not to contrast the very few public hearings and the mere four months that characterized its progress in the Chamber with the various rounds of debates and the years during which other norms of similar importance were debated in Congress, such as the Internet Bill of Rights (Marco Civil da Internet) and the General Data Protection Law.

As I will explore in the next section, such acceleration represents not only an issue of form, but also a matter of content, as accelerated and full adherence to the convention can do significant damage to the national digital rights protection environment.

Brazil neither needs to nor must adhere fully and unrestrictedly to the text of the convention

One of the most questioned aspects of the accession proposed by LDP 255/2021 is its total and unrestricted nature. This is because, given the enormous variety that characterizes the legal systems of potential signatories and the sovereignty that States have to legislate in their respective jurisdictions, certain adaptations may be necessary to make national systems and some provisions of the treaty compatible. In this sense, the convention itself expresses concern with ensuring the alignment between its content and the internal norms of the signatories and with international human rights instruments (art. 15), in addition to providing mechanisms to facilitate such domestic compliance – the so-called declarations (art. 40) and reservations (art. 42). They are instruments for the exercise of sovereignty by each country that is party to the Convention.

Generally speaking, declarations and reservations are safeguards that signatories can avail themselves of, by expressing their intention, when adhering to specific provisions of the convention. For example, article 4 of the treaty provides for criminalizing “the damaging, deletion, deterioration, alteration or suppression of computer data without right”. By adhering to this article, therefore, the signatories undertake to introduce such a criminal offense into their respective legal systems. As a reservation, however, the article allows States to choose to add another element to the characterization of the offense: the occurrence of serious harm resulting from the act. In this way, each State can assess whether the introduction of the criminal offense in its legislation will include this element or not.

The use of declarations and reservations is an important tool available for countries to pursue harmony between their national legal frameworks and the innovations brought about by the treaty. For this reason, several signatories have made use of this instrument, as can be seen from a brief visit to the Council of Europe website. Chile, for example, requires the occurrence of serious damage for the classification of article 4. Colombia, for its part, makes the application of certain procedural measures provided for in Articles 20 and 21 of the Convention subject to compliance with its rules on the protection of personal data. Dozens of other examples can be identified on the website.

The extreme speed of processing LDP 255/2021 and the scarcity of spaces for in-depth public debate about its content have favored the approval of the proposal without any amendments to the text presented. In the absence of adequate conditions for the different stakeholders to publicly debate the text of the convention and to discuss the provisions in which the establishment of declarations and reservations would be necessary and reasonable, Congress is moving towards ratification of the entire treaty, without acknowledging the instruments for affirmation of Brazilian sovereignty before the parties of the convention.

This can have disastrous consequences for the national ecosystem of digital rights protection, since there is a risk of conflict between provisions of the convention and other provisions in force in Brazilian law, a risk that could be mitigated through declarations and reservations. These norms include the Interception Law, the Internet Bill of Rights, the Criminal Code, the Copyright Law and Law n.º 11.829/2008. Also, legislative proposals that are still in progress may be impacted, such as Bill No. 2630/2020, the Code of Criminal Procedure reform and the Data Protection on Public Safety and Criminal Prosecution Bill. Therefore, there is a lack of consistency between the content of the convention, the rules of Brazilian law and principles that should guide initiatives related to criminal investigations.

In the next section, I look at some of the more problematic provisions within the document.

Parts of the convention may pose risks to journalists and security researchers

In terms of the merits of the convention, one of the most worrying points concerns the possibility of criminalizing legitimate and routine activities carried out by information security researchers and journalists. Articles 2 and 8 are particularly worrying in this regard: they determine that the signatories take measures aimed at criminalizing the practices of “illegitimate access” and “computer-related fraud”.

The crime of “illegitimate access” would consist in “the access to the whole or any part of a computer system without right” when committed intentionally. In establishing this criminal offense, the article authorizes countries to make its application conditional on the existence of illegitimate intent or another supplementary element. “Computer-related fraud”, in turn, would be characterized by the intentional causing, without right, of a loss of property to another person by: a) any input, alteration, deletion or suppression of computer data; b) any interference with the functioning of a computer system; with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself.

In the field of information security, independent researchers commonly engage in research and analysis of security vulnerabilities of public and private systems without any malicious intent. In addition to contributing to the scientific advancement of the field in question, this practice generates the social benefit of making the institutions that maintain the systems aware of the flaws found, allowing them to take action to correct them before being exploited by a malicious attacker. In the context of public systems, this practice also favors transparency and social control over government infrastructure and actions. Regardless of the social benefits of these activities, however, researchers and journalists are targets of legal and media efforts of intimidation and criminalization from organizations that have had their systems exposed.

Sometimes, it is not even necessary that any damage or exploitation of a flaw has occurred for such criminalization attempts to take place. We can just remember the scandal involving the Ministry of Health’s TrateCOV application, which prescribed ineffective drugs against Covid, even for pregnant women and children. When talking about the application in her testimony to the Parliamentary Committee of Inquiry of the Pandemic, Mayra Pinheiro, a representative of the Ministry, accused the data journalist Rodrigo Menegat of “invasion” of the system and of “unduly extracting data” for purposes of “undue simulations”. In reality, what that journalist did was simply inspect the page’s source code – a function that required less than three clicks from any user who accessed it – and publish an analysis of its content. The fact that Menegat’s conduct was legitimate did not stop the government from trying to criminalize him.

This episode illustrates the material risks that the thoughtless adherence to the penal rules contained in the convention poses for groups that are already the target of political, legal and media attacks. In this environment, there is a possibility of political instrumentalization of the treaty to maintain and deepen the persecution of these subjects. In addition to the obvious damage to their fundamental rights, this would also result in serious social harm due to the inhibition that such an environment would cause in these activities, which would reduce informational security and transparency in society. All of this reinforces the need to deepen the debate on the convention, not just to proceed with full and uncritical adherence.

In conclusion

Brazil is a country internationally recognized for its regulatory environment related to digital rights. Norms such as the Internet Bill of Rights and the General Data Protection Law are a global reference not only because of their content, which exhibits enormous technical maturity, but also because of their democratic construction processes. These construction processes were broad, multi-sectorial and participatory. This legacy must be preserved as the country advances towards other legislative innovations in the area of digital human rights.

Given the way the debate has been conducted, however, the Brazilian accession to the Budapest Convention through LDP 255/2021 seems to signal the opposite: an unnecessarily hasty process with visibly little participation. It is worth remembering that the country still has three years to decide on its accession, a period in which it would be possible to build a broad and truly democratic debate. In the current situation, we run a serious risk of imposing setbacks to the advances achieved over the last decade in the digital field and giving up Brazilian sovereignty.

If you are interested in finding out more about the importance of harmony in internet regulation, check out our post on the subject.

The views and opinions expressed in this blogpost are those of the author. 
Illustration by Freepik Stories.


Written by

Director at the Institute for Research on Internet and Society. Gustavo holds a bachelor’s degree in Anthropology from the Federal University of Minas Gerais (UFMG), and is currently undertaking a Master’s degree in Communication of Science and Culture at the University of Campinas (Unicamp). Member of the Brazilian Internet Governance Research Network steering group. Alumnus of the Brazilian School of Internet Governance. His research and policy interests are anthropology of the State, privacy and data protection, science and technology studies, platform governance and encryption policy.
