United Nations Convention against Cybercrime

The United Nations Convention against Cybercrime (sometimes shortened to the Convention on Cybercrime) is a treaty to facilitate international cooperation on issues of cybercrime. It was proposed by Russia in 2017 and adopted by the General Assembly in December 2024 amid resistance from human rights organizations. NGOs, academics, technology companies, and policy experts have criticized the convention for expanding the surveillance and data collection capacities of repressive governments without human rights safeguards. ^[1] Complaints focus on the flexible way it defines the crimes it applies to, including any crime committed using technology, as well as the way it defers to individual countries, including those with a record of human rights abuses, to determine how to protect human rights. A signing ceremony is planned for October 2025, after which member states will decide internally whether to ratify it. The convention will be in force after it is ratified by forty member states. ^[2]

Background and process

United Nations General Assembly Hall

As the proliferation of internet-enabled devices has expanded, the transnational nature of cybercrime has posed challenges to national police and security entities. Frameworks for combating such crimes and capacities for investigation and enforcement vary considerably between countries. ^[3] In the early 2000s, the Council of Europe established the first international treaty to address internet and computer crime, the Budapest Convention, effectively harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It went into force in July 2004, and has been ratified by 78 states, including several from outside of Europe, as of 2025. ^[4]

The UN cybercrime convention was first proposed in 2017 by Russia, which had long objected to the Budapest Convention, which it regards as a threat to its internet sovereignty and control. ^{[5] [1] [6]} In 2019, the General Assembly voted in favor of moving the resolution forward, 88-58 with 34 abstaining. ^[7] The vote came amid opposition by the European Union, United States, and allies who were satisfied with the Budapest Convention and viewed Russia's proposal as an effort to shore up its censorship and surveillance capacities with obligatory international cooperation. ^{[8] [6] [7]} The vote created what became the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, starting the drafting and negotiation process.

The committee met several times between 2021 and 2024, with support from the United Nations Office on Drugs and Crime, producing and approving a draft General Assembly resolution in August 2024. ^[9] During the negotiation process, Iran repeatedly requested votes to remove the language "nothing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms", the removal of which was then supported by Russia, India, Sudan, Venezuela, Syria, North Korea, Libya, and 16 other states, but ultimately failed. ^[1] Class-based human rights protections were weakened during negotiations, and challenged by Iran and Russia until a contingent of member states declared they would not support and additional changes. ^[10]

The resolution was adopted by the General Assembly in December 2024. The full title is United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes. ^[11] A signing ceremony is planned for October 2025, after which member states will decide internally whether to ratify it. Individual countries' ratification process varies. The heads of state in non-democratic countries, for example, can simply decide to ratify, while others must work with a congressional or parliamentary body. ^{[12] [13]} The convention will be in force after it is ratified by forty member states. ^[2]

Content

The convention aims to facilitate international cooperation in criminal enforcement of cybercrime laws. It requires participating nations to criminalize certain forms of cybercrime, like illegal access to an information system, data interference, and the use of computer systems for fraud or child exploitation. It also establishes procedures for law enforcement agencies to collect and preserve electronic evidence. It creates frameworks for collaboration, including mutual legal assistance and extradition. There are also provisions for a support system, providing a contact network for fast processing of data requests. Alongside these provisions, the convention discusses the need to respect international human rights law, but it relies on existing instruments like the International Covenant on Civil and Political Rights rather than establish new or expanded standards specific to cybercrime. The implementation of human rights safeguards are left to individual countries to legislate. ^[11]

National positions

According to Joan Barata in Tech Policy Press, after Russia first proposed the law in 2017, it was "particularly promoted by countries willing to build a system alien to the protections granted by most relevant international human rights instruments, including Belarus, China, Iran, Sudan, Venezuela, Nicaragua, North Korea or Cuba". ^[5]

Though opposed to the convention at its start, the United States remained involved in the development of the treaty to avoid it being shaped by its adversaries. ^[12] The Biden Administration in the United States ultimately voted in favor of the resolution, in some part to remain part of the conversation over its implementation, ^[12] amid objections to US-based human rights organizations and lawmakers who argued that it would make it easier for the US's foreign adversaries to surveil their citizens and access data generated inside US borders. ^{[14] [13]} It is unclear whether the US Congress would support ratification. ^[13]

Human rights objections

The potential for such a treaty to facilitate human rights abuses was recognized by the UN from the earliest discussions of the convention, when Russia proposed it in 2017, and its text includes several references to safeguarding human rights. Throughout the drafting process, several NGOs, cybersecurity companies, journalists, the International Chamber of Congress, academics, and the UN High Commissioner for Human Rights raised objections focusing on two central aspects of the convention: the vagueness and flexibility of the crimes it aimed to address, and the way it leaves human rights protections up to the individual member states. ^{[15] [1] [16]}

Other objections concern the obligations of member states. For example, the convention requires states to have laws that compel internet services to collect certain data, and does not require that requests for such data be transparent. There are limited cases when member states may deny a request for data, although there is a provision to do so if a state believes a request is due to "sex, race, language, religion, nationality, ethnic origin, or political opinions". ^[10] The latter statement was weakened during negotiations, and challenged by Iran and Russia until the end of negotiations. ^[10] The International Chamber of Commerce and Microsoft argued the convention was itself a threat to cybersecurity and national security, concerned that it provided grounds to force hackers and other skilled or knowledgeable parties to subvert security systems in ways that would expose infrastructure to attack and allow leaking of sensitive and classified data. ^[10]

Defined crimes

The convention names four types of crimes in particular, which human rights advocates argue are framed too broadly, applicable to any crime committed using an information or communications technology. Many of the crimes it would apply to have only a thin connection to the kind of serious cybercrime, like ransomware and child exploitation, that motivated the convention. ^{[15] [16] [10]} As a result, the convention expands the reach of existing surveillance regimes and the enforcement of controversial, ambiguous laws which countries use to criminalize a range of forms of speech, expression, and dissent, like Jordan's law against "character assassination via social media" or the United Arab Emirates' "condoning sins". ^[17] In a Lawfare article, Eli Scher-Zagier said the treaty "endorses a state criminalizing conduct by anyone, anywhere, so long as the conduct harms one of its nationals". ^[18] The Atlantic Council offered an example of someone displaying a rainbow flag online, which is illegal in Russia. Under the proposed convention, because the crime took place online, it falls within the definition of cybercrime and other countries may be expected to share data to assist in such investigations. ^[10] The Cybersecurity Tech Accord, which represents a large number of technology companies (Microsoft, Meta, Oracle, Cisco, Salesforce, et al.), issued a statement that the convention could criminalize cybersecurity and artificial intelligence research by, among other things, failing to distinguish between malicious and ethical methods or intentions. ^[19]

Protections left to member states

Several organizations highlight the way the convention's language about human rights protections are largely suggestions left to the discretion of member states, including those with a record of human rights abuses. ^{[15] [17]} According to Freedom House, which maintains the Freedom in the World index, Russia and the treaty's cosponsors are all categorized as "Not Free". ^[20] Whereas the Budapest convention of the early 2000s included a wide range of concrete protections due to its context in the European human rights system, the UN convention is both broader in scope and lacking in safeguards. ^[5] The Electronic Frontier Foundation (EFF) argues that without protections built into the convention, it simply provides an expansive spying and surveillance system "to enable transnational repression". ^[15] According to the digital rights organization Access Now, the convention "pays lip service to human rights while lacking any actual safeguards", instead "embolden[ing] authoritarian regimes ... to justify digital repression, at home and abroad, with a veneer of legitimacy". ^[17] According to Nick Benequista of the National Endowment for Democracy, the consequences of ratifying the convention are harmful primarily for people who live in countries without robust protections for free expression, where independent journalists - even in exile, from other countries - could be more easily suppressed or jailed. ^[21]

In the lead-up to the draft going before the General Assembly, the Cybersecurity Tech Accord submitted a letter to the UN outlining objections and recommendations. ^[22] It then joined a dozen human rights organizations in a last-minute open letter "urging governments not to adopt or ratify the UN’s first landmark Cybercrime Convention unless substantial changes are made to address the serious and broad-based concerns in the final draft". ^{[23] [24]} Other notable organizations issuing statements critical of the convention include Amnesty International, Chaos Computer Club, Digitalcourage, Electronic Privacy Information Center, European Digital Rights, Human Rights Watch, ^[25] IFEX, International Press Institute, Privacy International, SHARE Foundation, Statewatch, and the Wikimedia Foundation. ^[26]

Further reading

• Special issue of the Journal of Cyber Policy on the United Nations Convention on Cybercrime (Volume 9, 2024)

References

1. Poireault, Kevin (12 August 2024). "UN Adopts Controversial Cybercrime Treaty". Infosecurity Magazine. Archived from the original on 21 May 2025. Retrieved 25 May 2025.
2. "United Nations Convention against Cybercrime". United Nations : Office on Drugs and Crime. Archived from the original on 27 May 2025. Retrieved 25 May 2025.
3. Barber, Ian Andrew; Kumar, Sheetal (3 May 2024). "Learning from the ground up: lessons from civil society engagement in addressing the human rights implications of cybercrime legislation". Journal of Cyber Policy. 9 (2): 131–148. doi:10.1080/23738871.2023.2240331. ISSN   2373-8871.
4. "Full list - Treaty Office - www.coe.int". Treaty Office. Archived from the original on 3 May 2025. Retrieved 25 May 2025.
5. Barata, Joan (4 September 2024). "New United Nations Cybercrime Convention Sets Unprecedented International Anti-Human Rights Standard | TechPolicy.Press". Tech Policy Press. Archived from the original on 16 February 2025. Retrieved 25 May 2025.
6. Nakashima, Ellen (16 November 2019). "The U.S. is urging a no vote on a Russian-led U.N. resolution calling for a global cybercrime treaty". The Washington Post. ISSN   0190-8286 . Retrieved 12 August 2025.
7. Nakashima, Ellen (19 November 2019). "U.N. votes to advance Russian-led resolution on a cybercrime treaty". The Washington Post. ISSN   0190-8286 . Retrieved 12 August 2025.
8. Hakmeh, Joyce (3 May 2024). "The UN convention on cybercrime: a milestone in cybercrime cooperation?". Journal of Cyber Policy. 9 (2): 125–130. doi:10.1080/23738871.2024.2441549. ISSN   2373-8871.
9. "Ad Hoc Committee - Home". United Nations : Office on Drugs and Crime. Archived from the original on 30 May 2025. Retrieved 25 May 2025.
10. Novo, Lisandra (14 August 2024). "The UN finally advances a convention on cybercrime . . . and no one is happy about it". Atlantic Council. Retrieved 12 August 2025.
11. "UN Cybercrime Convention - Full Text". United Nations : Office on Drugs and Crime. Retrieved 25 May 2025.
12. Miller, Maggie (27 September 2024). "White House agonizes over UN cybercrime treaty". POLITICO. Retrieved 12 August 2025.
13. Smalley, Suzanne (7 October 2024). "UN cybercrime treaty lead negotiator: US will suffer if it doesn't vote yes". The Record. Retrieved 12 August 2025.
14. Miller, Maggie (11 November 2024). "Biden admin to support controversial UN cybercrime convention". Politico . Archived from the original on 30 March 2025. Retrieved 25 May 2025.
15. Gullo, Karen (16 December 2024). "Still Flawed and Lacking Safeguards, UN Cybercrime Treaty Goes Before the UN General Assembly, then States for Adoption". Electronic Frontier Foundation . Archived from the original on 19 May 2025. Retrieved 25 May 2025.
16. Graham-Shaw, Kate. "New U.N. Cybercrime Treaty Could Threaten Human Rights". Scientific American . Retrieved 27 May 2025.
17. Zaghdoudi, Aymen (27 November 2024). "Lessons from the Arab region for UN cybercrime convention". Access Now. Retrieved 25 May 2025.
18. Scher-Zagier, Eli (2 October 2024). "The New UN Cybercrime Treaty Is a Bigger Deal Than Even Its Critics Realize". Lawfare. Archived from the original on 22 May 2025. Retrieved 25 May 2025.
19. McCann, Kristian (18 November 2024). "UN Cybercrime Treaty: Why Is the Tech Industry up in Arms?". cybermagazine.com. Retrieved 12 August 2025.
20. Funk, Allie; Gorokhovaskaia, Yana (12 December 2024). "Authoritarians Are Hijacking Global Tech Cooperation to Undermine Human Rights". Freedom House . Retrieved 12 August 2025.
21. Benequista, Nick (16 October 2024). "UN anti-cybercrime treaty could make journalism a crime". The Hill. Archived from the original on 13 December 2024. Retrieved 12 August 2025.
22. Ravaioli, Edoardo (29 July 2024). "Tech Accord urges changes in flawed final draft of UN Cybercrime Convention, to safeguard security, tech workers, and uphold data and human rights". Cybersecurity Tech Accord. Retrieved 25 May 2025.
23. "Open Letter from Civil Society and Industry Stakeholders on the Final Draft of the Convention on Cybercrime" (PDF). Cyber Tech Accord. 8 August 2024.
24. "UN committee approves first cybercrime treaty despite opposition". euronews. 9 August 2024. Archived from the original on 11 August 2024. Retrieved 25 May 2025.
25. "EU: Member States Should Vote 'No' on UN Cybercrime Treaty | Human Rights Watch". 21 October 2024. Retrieved 12 August 2025.
26. "Joint Letter to the European Union and its Member States concerning the United Nations Cybercrime Convention" (PDF). Epicenter.works.

External links

• United Nations Convention against Cybercrime (full text)