The United Nations Convention against Cybercrime (sometimes shortened to the Convention on Cybercrime) is a treaty to facilitate international cooperation on issues of cybercrime. It was proposed by Russia in 2017 and adopted by the General Assembly in December 2024 amid resistance from human rights organizations. NGOs, academics, technology companies, and policy experts have criticized the convention for expanding the surveillance and data collection capacities of repressive governments without human rights safeguards. [1] Complaints focus on the flexible way it defines the crimes it applies to, including any crime committed using technology, as well as the way it defers to individual countries, including those with a record of human rights abuses, to determine how to protect human rights. A signing ceremony is planned for October 2025, after which member states will decide internally whether to ratify it. The convention will be in force after it is ratified by forty member states. [2]
As the proliferation of internet-enabled devices has expanded, the transnational nature of cybercrime has posed challenges to national police and security entities. Frameworks for combating such crimes and capacities for investigation and enforcement vary considerably between countries. [3] In the early 2000s, the Council of Europe established the first international treaty to address internet and computer crime, the Budapest Convention, effectively harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It went into force in July 2004, and has been ratified by 78 states, including several from outside of Europe, as of 2025. [4]
The UN cybercrime convention was first proposed in 2017 by Russia, which had long objected to the Budapest Convention, which it regards as a threat to its internet sovereignty and control. [5] [1] [6] In 2019, the General Assembly voted in favor of moving the resolution forward, 88-58 with 34 abstaining. [7] The vote came amid opposition by the European Union, United States, and allies who were satisfied with the Budapest Convention and viewed Russia's proposal as an effort to shore up its censorship and surveillance capacities with obligatory international cooperation. [8] [6] [7] The vote created what became the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, starting the drafting and negotiation process.
The committee met several times between 2021 and 2024, with support from the United Nations Office on Drugs and Crime, producing and approving a draft General Assembly resolution in August 2024. [9] During the negotiation process, Iran repeatedly requested votes to remove the language "nothing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms", the removal of which was then supported by Russia, India, Sudan, Venezuela, Syria, North Korea, Libya, and 16 other states, but ultimately failed. [1] Class-based human rights protections were weakened during negotiations, and challenged by Iran and Russia until a contingent of member states declared they would not support and additional changes. [10]
The resolution was adopted by the General Assembly in December 2024. The full title is United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes. [11] A signing ceremony is planned for October 2025, after which member states will decide internally whether to ratify it. Individual countries' ratification process varies. The heads of state in non-democratic countries, for example, can simply decide to ratify, while others must work with a congressional or parliamentary body. [12] [13] The convention will be in force after it is ratified by forty member states. [2]
The convention aims to facilitate international cooperation in criminal enforcement of cybercrime laws. It requires participating nations to criminalize certain forms of cybercrime, like illegal access to an information system, data interference, and the use of computer systems for fraud or child exploitation. It also establishes procedures for law enforcement agencies to collect and preserve electronic evidence. It creates frameworks for collaboration, including mutual legal assistance and extradition. There are also provisions for a support system, providing a contact network for fast processing of data requests. Alongside these provisions, the convention discusses the need to respect international human rights law, but it relies on existing instruments like the International Covenant on Civil and Political Rights rather than establish new or expanded standards specific to cybercrime. The implementation of human rights safeguards are left to individual countries to legislate. [11]
According to Joan Barata in Tech Policy Press, after Russia first proposed the law in 2017, it was "particularly promoted by countries willing to build a system alien to the protections granted by most relevant international human rights instruments, including Belarus, China, Iran, Sudan, Venezuela, Nicaragua, North Korea or Cuba". [5]
Though opposed to the convention at its start, the United States remained involved in the development of the treaty to avoid it being shaped by its adversaries. [12] The Biden Administration in the United States ultimately voted in favor of the resolution, in some part to remain part of the conversation over its implementation, [12] amid objections to US-based human rights organizations and lawmakers who argued that it would make it easier for the US's foreign adversaries to surveil their citizens and access data generated inside US borders. [14] [13] It is unclear whether the US Congress would support ratification. [13]
The potential for such a treaty to facilitate human rights abuses was recognized by the UN from the earliest discussions of the convention, when Russia proposed it in 2017, and its text includes several references to safeguarding human rights. Throughout the drafting process, several NGOs, cybersecurity companies, journalists, the International Chamber of Congress, academics, and the UN High Commissioner for Human Rights raised objections focusing on two central aspects of the convention: the vagueness and flexibility of the crimes it aimed to address, and the way it leaves human rights protections up to the individual member states. [15] [1] [16]
Other objections concern the obligations of member states. For example, the convention requires states to have laws that compel internet services to collect certain data, and does not require that requests for such data be transparent. There are limited cases when member states may deny a request for data, although there is a provision to do so if a state believes a request is due to "sex, race, language, religion, nationality, ethnic origin, or political opinions". [10] The latter statement was weakened during negotiations, and challenged by Iran and Russia until the end of negotiations. [10] The International Chamber of Commerce and Microsoft argued the convention was itself a threat to cybersecurity and national security, concerned that it provided grounds to force hackers and other skilled or knowledgeable parties to subvert security systems in ways that would expose infrastructure to attack and allow leaking of sensitive and classified data. [10]
The convention names four types of crimes in particular, which human rights advocates argue are framed too broadly, applicable to any crime committed using an information or communications technology. Many of the crimes it would apply to have only a thin connection to the kind of serious cybercrime, like ransomware and child exploitation, that motivated the convention. [15] [16] [10] As a result, the convention expands the reach of existing surveillance regimes and the enforcement of controversial, ambiguous laws which countries use to criminalize a range of forms of speech, expression, and dissent, like Jordan's law against "character assassination via social media" or the United Arab Emirates' "condoning sins". [17] In a Lawfare article, Eli Scher-Zagier said the treaty "endorses a state criminalizing conduct by anyone, anywhere, so long as the conduct harms one of its nationals". [18] The Atlantic Council offered an example of someone displaying a rainbow flag online, which is illegal in Russia. Under the proposed convention, because the crime took place online, it falls within the definition of cybercrime and other countries may be expected to share data to assist in such investigations. [10] The Cybersecurity Tech Accord, which represents a large number of technology companies (Microsoft, Meta, Oracle, Cisco, Salesforce, et al.), issued a statement that the convention could criminalize cybersecurity and artificial intelligence research by, among other things, failing to distinguish between malicious and ethical methods or intentions. [19]
Several organizations highlight the way the convention's language about human rights protections are largely suggestions left to the discretion of member states, including those with a record of human rights abuses. [15] [17] According to Freedom House, which maintains the Freedom in the World index, Russia and the treaty's cosponsors are all categorized as "Not Free". [20] Whereas the Budapest convention of the early 2000s included a wide range of concrete protections due to its context in the European human rights system, the UN convention is both broader in scope and lacking in safeguards. [5] The Electronic Frontier Foundation (EFF) argues that without protections built into the convention, it simply provides an expansive spying and surveillance system "to enable transnational repression". [15] According to the digital rights organization Access Now, the convention "pays lip service to human rights while lacking any actual safeguards", instead "embolden[ing] authoritarian regimes ... to justify digital repression, at home and abroad, with a veneer of legitimacy". [17] According to Nick Benequista of the National Endowment for Democracy, the consequences of ratifying the convention are harmful primarily for people who live in countries without robust protections for free expression, where independent journalists - even in exile, from other countries - could be more easily suppressed or jailed. [21]
In the lead-up to the draft going before the General Assembly, the Cybersecurity Tech Accord submitted a letter to the UN outlining objections and recommendations. [22] It then joined a dozen human rights organizations in a last-minute open letter "urging governments not to adopt or ratify the UN’s first landmark Cybercrime Convention unless substantial changes are made to address the serious and broad-based concerns in the final draft". [23] [24] Other notable organizations issuing statements critical of the convention include Amnesty International, Chaos Computer Club, Digitalcourage, Electronic Privacy Information Center, European Digital Rights, Human Rights Watch, [25] IFEX, International Press Institute, Privacy International, SHARE Foundation, Statewatch, and the Wikimedia Foundation. [26]