United Nations Convention against Cybercrime

Last updated

United Nations Convention against Cybercrime
Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes
Hanoi Convention logo.svg
Drafted2017
Signed25 October 2025
Location Hanoi, S.R. Viet Nam
ConditionThis Convention shall enter into force on the ninetieth day after the date of deposit of the fortieth instrument of ratification, acceptance, approval or accession.
Signatories74

The United Nations Convention against Cybercrime, also known as the Hanoi Convention, is a treaty to facilitate international cooperation in the enforcement of cybercrime laws. It was proposed by Russia in 2017 and adopted by the General Assembly in December 2024 amid resistance from human rights organizations. NGOs, academics, technology companies, and policy experts have criticized the convention for expanding the surveillance and data collection capacities of repressive governments without human rights safeguards. [1] Complaints focus on its vague definition of cybercrime, which can include any crime committed using technology, as well as the way it defers to individual countries, including those with a record of human rights abuses, to determine how to protect human rights.

Contents

The signing ceremony was held in Hanoi, Vietnam in October 2025. [2] As of January 2026 there are 74 signatories, and it has not yet been ratified by any member state.

Background and process

United Nations General Assembly Hall UN General Assembly hall.jpg
United Nations General Assembly Hall

As internet-enabled devices have proliferated, the transnational nature of cybercrime has posed challenges to national police and security agencies. Countries differ widely in how they investigate, enforce, and legislate against cybercrime. [3] In the early 2000s, the Council of Europe established the first international treaty to address internet and computer crime, the Budapest Convention, effectively harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It went into force in July 2004, and has been ratified by 81 states, including several from outside of Europe, as of 2025. [4]

The UN cybercrime convention was first proposed in 2017 by Russia, which had long objected to the Budapest Convention, viewing it as a threat to its internet sovereignty and control. [5] [1] [6] In 2019, Russia introduced it to the General Assembly, which passed it as Resolution 74/247, with 88 votes in favor, 58 against, and 34 abstaining. [7] [8] [9] The vote took place amid opposition by the European Union, United States, and allies who were satisfied with the Budapest Convention and viewed Russia's proposal as an effort to shore up its censorship and surveillance capacities with obligatory international cooperation. [10] [6] [7]

The resolution created what became the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, starting the drafting and negotiation process. [11] The committee met several times between 2021 and 2024, with support from the United Nations Office on Drugs and Crime, producing and approving a draft General Assembly resolution in August 2024. [12] During the negotiation process, Iran repeatedly requested votes to remove the language "nothing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms", the removal of which was then supported by Russia, India, Sudan, Venezuela, Syria, North Korea, Libya, and 16 other states, but ultimately failed. [1] Class-based human rights protections were weakened during negotiations until a group of member states declared they would not support any additional changes. [13]

The resolution was adopted by the General Assembly in December 2024. The full title is United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes. [14]

The signing ceremony and high-level conference was held in October 2025 in Hanoi, Vietnam. It is the first treaty to be signed in Vietnam and the first to be named after a Vietnamese location. [15] According to Reuters, the choice to host it in Vietnam was controversial given human rights concerns expressed over the convention and Vietnam's record on human rights issues. [16] The convention will be in force after 40 member states consent to be bound by it through ratification, accession, approval, or adoption. [17] As of January 2026, there are 74 signatories, which indicates an intent to ratify, but not yet any ratifications. [18]

Content

A conference during the signing ceremony in Hanoi. CLD at Hanoi Convention side event.jpg
A conference during the signing ceremony in Hanoi.

The convention sets forth an international framework for cooperation in the prevention of cybercrime and enforcement of cybercrime laws. It aims to ensure that cybercrime can be prosecuted wherever it occurs, recognizing that it is frequently transnational. If ratified and implemented, it would require participating nations to criminalize certain forms of cybercrime, like illegal access to an information system, data interference, and the use of computer systems for fraud or child exploitation. The convention effectively establishes a broad set of investigative powers and cooperation procedures that cater to electronic evidence, like expedited preservation or disclosure of data, orders to produce data, search and seizure of data, real-time collection of internet traffic, and confiscation of ill-gotten proceeds. It would require around-the-clock points of contact for rapid cooperation. It creates frameworks for other forms of law enforcement associated with cybercrime, including extradition. The convention text addresses a range of details associated with such cooperation, like personal legal liability, statues of limitations, and jurisdictional rules. Alongside these provisions, the convention discusses the need to respect state sovereignty and international human rights law, but it relies on existing instruments rather than establish new or expanded standards specific to cybercrime. The implementation of human rights safeguards are left to individual countries to legislate. [14] [19] [20] [21]

National positions

Russia introduced the resolution in 2017 and has been involved throughout the process. In an article for Just Security, Alexander Seger addresses the question of why "the single biggest source of cybercrime" would pursue a cybercrime treaty, concluding that it was due not to a desire to cooperate to stop cybercrime but to institute a system of "international information security" whereby governments can exert control of information without foreign interference. [9] Though Russia did sign the treaty, according to Seger it did not get the tool it wanted, which is more like the Budapest Convention and has more human rights safeguards than it sought. [9] Arun Sukumar and Arindrajit Basu likewise described the process as a way for China and Russia to replace the "liberal cyber order" with a model of "cyber sovereignty", solidifying state control over citizens, reorienting data access to be about crime and not human rights, and limiting the ability of companies or NGOs to set standards for access, encryption, and privacy. [22]

According to Joan Barata in Tech Policy Press, following its introduction it was "particularly promoted by countries willing to build a system alien to the protections granted by most relevant international human rights instruments, including Belarus, China, Iran, Sudan, Venezuela, Nicaragua, North Korea or Cuba". [5]

The Biden Administration in the United States ultimately voted in favor of the resolution, in some part to remain part of the conversation over its implementation, [23] amid objections to US-based human rights organizations and lawmakers who argued that it would make it easier for the US's foreign adversaries to surveil their citizens and access data generated inside US borders. [24] [25] The US declined to sign, and it is unclear whether it will support ratification. [25] [26]

As of January 2026, the following 74 participants have signed the treaty: Algeria, Angola, Australia, Austria, Azerbaijan, Belarus, Belgium, Brazil, Brunei Darussalam, Burkina Faso, Cambodia, Chile, China, Costa Rica, Côte d'Ivoire, Cuba, Czech Republic, Democratic People's Republic of Korea, Democratic Republic of the Congo, Djibouti, Dominican Republic, Ecuador, Egypt, European Union, Fiji, France, Ghana, Greece, Guinea-Bissau, Iran (Islamic Republic of), Ireland, Jamaica, Kazakhstan, Lao People's Democratic Republic, Libya, Luxembourg, Malaysia, Maldives, Mali, Mauritius, Morocco, Mozambique, Namibia, Nauru, Nicaragua, Nigeria, Palau, Papua New Guinea, Peru, Philippines, Poland, Portugal, Qatar, Russian Federation, Rwanda, Saudi Arabia, Slovakia, Slovenia, South Africa, Spain, Sri Lanka, State of Palestine, Sweden, Thailand, Togo, Türkiye, Uganda, United Kingdom of Great Britain and Northern Ireland, United Republic of Tanzania, Uruguay, Uzbekistan, Venezuela (Bolivarian Republic of), Vietnam, and Zimbabwe. [18]

Human rights objections

The potential for such a treaty to facilitate human rights abuses was recognized by the UN from the earliest discussions of the convention, when Russia proposed it in 2017. [10] Throughout the drafting process, several NGOs, cybersecurity companies, journalists, the International Chamber of Congress, academics, and the UN High Commissioner for Human Rights raised objections focusing on two central aspects of the convention: the vagueness and flexibility of the crimes it aimed to address, and the way it leaves human rights protections up to the individual member states. [19] [1] [27]

Other objections concern the obligations of member states. For example, the convention requires states to have laws that compel internet services to collect certain data, and does not require that requests for such data be transparent. There are limited cases when member states may deny a request for data, although there is a provision to do so if a state believes a request is due to "sex, race, language, religion, nationality, ethnic origin, or political opinions". [13] The latter statement was weakened during negotiations, and challenged by Iran and Russia until the end of negotiations. [13] The International Chamber of Commerce and Microsoft argued the convention was itself a threat to cybersecurity and national security, concerned that it provided grounds to force hackers and other skilled or knowledgeable parties to subvert security systems in ways that would expose infrastructure to attack and allow leaking of sensitive and classified data. [13]

Vaguely defined crimes

The convention names four types of crimes in particular, which human rights advocates argue are framed too broadly, applicable to any crime committed using an information or communications technology. Many of the crimes it would apply to have only a thin connection to the kind of serious cybercrime, like ransomware and child exploitation, that motivated the convention. [19] [27] [13] As a result, the convention expands the reach of existing surveillance regimes and the enforcement of controversial, ambiguous laws which countries use to criminalize a range of forms of speech, expression, and dissent, like Jordan's law against "character assassination via social media" or the United Arab Emirates' "condoning sins". [28] In a Lawfare article, Eli Scher-Zagier said the treaty "endorses a state criminalizing conduct by anyone, anywhere, so long as the conduct harms one of its nationals". [29] The Atlantic Council offered an example of someone displaying a rainbow flag online, which is illegal in Russia. Under the proposed convention, because the crime took place online, it falls within the definition of cybercrime and other countries may be expected to share data to assist in such investigations. [13] The Cybersecurity Tech Accord, which represents a large number of technology companies (Microsoft, Meta, Oracle, Cisco, Salesforce, et al.), calls the convention a "surveillance treaty" and argued, along with the Electronic Frontier Foundation (EFF), that it could jeopardize cybersecurity research by failing to distinguish ethical from malicious methods. [30] [31]

Human rights protections are only suggestions

Several organizations highlight the way the convention's language about human rights protections are largely suggestions left to the discretion of member states, including those with a record of human rights abuses. [19] [28] According to Freedom House, which maintains the Freedom in the World index, Russia and the treaty's cosponsors are all categorized as "Not Free". [32] Whereas the Budapest convention of the early 2000s included a wide range of concrete protections due to its context in the European human rights system, the UN convention is both broader in scope and lacking in safeguards. [5]

The digital rights organization Access Now issued a statement that the convention "pays lip service to human rights while lacking any actual safeguards", instead "embolden[ing] authoritarian regimes ... to justify digital repression, at home and abroad, with a veneer of legitimacy". [28] According to Nick Benequista of the National Endowment for Democracy, the consequences of ratifying the convention are harmful primarily for people who live in countries without robust protections for free expression, where independent journalists – even in exile, from other countries – could be more easily suppressed or jailed. [33] Similarly, the EFF argued that without protections built into the convention, it simply provides an expansive spying and surveillance system "to enable transnational repression". [19]

In the lead-up to the draft going before the General Assembly, the Cybersecurity Tech Accord submitted a letter to the UN outlining objections and recommendations. [34] It then joined a dozen human rights organizations in a last-minute open letter "urging governments not to adopt or ratify the UN’s first landmark Cybercrime Convention unless substantial changes are made to address the serious and broad-based concerns in the final draft". [35] [36] Other notable organizations issuing statements critical of the convention include Amnesty International, Chaos Computer Club, Digitalcourage, Electronic Privacy Information Center, European Digital Rights, Human Rights Watch, [37] IFEX, International Press Institute, Privacy International, SHARE Foundation, Statewatch, and the Wikimedia Foundation. [38]

Further reading

References

  1. 1 2 3 4 Poireault, Kevin (12 August 2024). "UN Adopts Controversial Cybercrime Treaty". Infosecurity Magazine. Archived from the original on 21 May 2025. Retrieved 25 May 2025.
  2. Mishra, Vibhu (25 October 2025). "Sixty-five nations sign first UN treaty to fight cybercrime, in milestone for digital cooperation | UN News". UN News. United Nations. Archived from the original on 27 October 2025. Retrieved 25 October 2025.
  3. Barber, Ian Andrew; Kumar, Sheetal (3 May 2024). "Learning from the ground up: lessons from civil society engagement in addressing the human rights implications of cybercrime legislation". Journal of Cyber Policy. 9 (2): 131–148. doi: 10.1080/23738871.2023.2240331 . ISSN   2373-8871.
  4. "Full list - Treaty Office - www.coe.int". Treaty Office. Archived from the original on 3 May 2025. Retrieved 25 May 2025.
  5. 1 2 3 Barata, Joan (4 September 2024). "New United Nations Cybercrime Convention Sets Unprecedented International Anti-Human Rights Standard | TechPolicy.Press". Tech Policy Press. Archived from the original on 16 February 2025. Retrieved 25 May 2025.
  6. 1 2 Nakashima, Ellen (16 November 2019). "The U.S. is urging a no vote on a Russian-led U.N. resolution calling for a global cybercrime treaty". The Washington Post. ISSN   0190-8286 . Retrieved 12 August 2025.
  7. 1 2 Nakashima, Ellen (19 November 2019). "U.N. votes to advance Russian-led resolution on a cybercrime treaty". The Washington Post. ISSN   0190-8286. Archived from the original on 28 October 2022. Retrieved 12 August 2025.
  8. "Resolution adopted by the General Assembly on 27 December 2019". United Nations General Assembly. 20 January 2020. Archived from the original on 21 September 2025. Retrieved 27 September 2025.
  9. 1 2 3 Seger, Alexander (7 October 2025). "Russian Motivations Behind the "Hanoi Convention" Against Cybercrime". Just Security. Archived from the original on 13 November 2025. Retrieved 18 January 2026.
  10. 1 2 Hakmeh, Joyce (3 May 2024). "The UN convention on cybercrime: a milestone in cybercrime cooperation?" . Journal of Cyber Policy. 9 (2): 125–130. doi:10.1080/23738871.2024.2441549. ISSN   2373-8871.
  11. "Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes". United Nations : Office on Drugs and Crime. Archived from the original on 16 November 2023. Retrieved 27 September 2025.
  12. "Ad Hoc Committee - Home". United Nations : Office on Drugs and Crime. Archived from the original on 30 May 2025. Retrieved 25 May 2025.
  13. 1 2 3 4 5 6 Novo, Lisandra (14 August 2024). "The UN finally advances a convention on cybercrime . . . and no one is happy about it". Atlantic Council. Archived from the original on 24 July 2025. Retrieved 12 August 2025.
  14. 1 2 "UN Cybercrime Convention - Full Text". United Nations : Office on Drugs and Crime. Archived from the original on 2 July 2025. Retrieved 25 May 2025.
  15. Pham, Xuan Dung (30 October 2025). "Hanoi Convention: Vietnam's Middle Power Moment". The Diplomat . Archived from the original on 15 November 2025. Retrieved 30 October 2025.
  16. Guarascio, Francesco (22 October 2025). "UN cybercrime pact to be signed in Hanoi raises hopes, concerns". Reuters . Retrieved 17 January 2026.
  17. "United Nations Convention against Cybercrime". United Nations : Office on Drugs and Crime. Archived from the original on 27 May 2025. Retrieved 25 May 2025.
  18. 1 2 "United Nations Treaty Collection". treaties.un.org. Archived from the original on 29 December 2025. Retrieved 17 January 2026.
  19. 1 2 3 4 5 Gullo, Karen (16 December 2024). "Still Flawed and Lacking Safeguards, UN Cybercrime Treaty Goes Before the UN General Assembly, then States for Adoption". Electronic Frontier Foundation . Archived from the original on 19 May 2025. Retrieved 25 May 2025.
  20. Rodriguez, Katitza (27 August 2024). "The UN Cybercrime Convention: Analyzing the Risks to Human Rights and Global Privacy". Just Security. Archived from the original on 6 December 2025. Retrieved 18 January 2026.
  21. Scher-Zagier, Eli (2 October 2024). "The New UN Cybercrime Treaty Is a Bigger Deal Than Even Its Critics Realize". Lawfare. Archived from the original on 22 May 2025. Retrieved 25 May 2025.
  22. Sukumar, Arun; Basu, Arindrajit (3 May 2024). "Back to the territorial state: China and Russia's use of UN cybercrime negotiations to challenge the liberal cyber order". Journal of Cyber Policy. 9 (2): 256–287. doi:10.1080/23738871.2024.2436591. hdl: 1887/4212105 . ISSN   2373-8871.
  23. Miller, Maggie (27 September 2024). "White House agonizes over UN cybercrime treaty". POLITICO. Archived from the original on 15 July 2025. Retrieved 12 August 2025.
  24. Miller, Maggie (11 November 2024). "Biden admin to support controversial UN cybercrime convention". Politico . Archived from the original on 30 March 2025. Retrieved 25 May 2025.
  25. 1 2 Smalley, Suzanne (7 October 2024). "UN cybercrime treaty lead negotiator: US will suffer if it doesn't vote yes". The Record. Archived from the original on 5 September 2025. Retrieved 12 August 2025.
  26. Arntz, Pieter (28 October 2025). "Around 70 countries sign new UN Cybercrime Convention—but not everyone's on board". Malwarebytes. Archived from the original on 9 November 2025. Retrieved 17 January 2026.
  27. 1 2 Graham-Shaw, Kate. "New U.N. Cybercrime Treaty Could Threaten Human Rights". Scientific American . Archived from the original on 27 May 2025. Retrieved 27 May 2025.
  28. 1 2 3 Zaghdoudi, Aymen (27 November 2024). "Lessons from the Arab region for UN cybercrime convention". Access Now. Archived from the original on 29 April 2025. Retrieved 25 May 2025.
  29. Scher-Zagier, Eli (2 October 2024). "The New UN Cybercrime Treaty Is a Bigger Deal Than Even Its Critics Realize". Lawfare. Archived from the original on 22 May 2025. Retrieved 25 May 2025.
  30. Bogaciov, Ilinca (12 December 2023). "Press Release: Cybersecurity Tech Accord expresses continued concern over latest draft of UN Cybercrime Treaty, calls for extensive changes". Cybersecurity Tech Accord. Retrieved 17 January 2026.
  31. Staff (25 October 2025). "UN cybercrime treaty to be signed in Hanoi to tackle global offences". Reuters .
  32. Funk, Allie; Gorokhovaskaia, Yana (12 December 2024). "Authoritarians Are Hijacking Global Tech Cooperation to Undermine Human Rights". Freedom House . Retrieved 12 August 2025.
  33. Benequista, Nick (16 October 2024). "UN anti-cybercrime treaty could make journalism a crime". The Hill. Archived from the original on 13 December 2024. Retrieved 12 August 2025.
  34. Ravaioli, Edoardo (29 July 2024). "Tech Accord urges changes in flawed final draft of UN Cybercrime Convention, to safeguard security, tech workers, and uphold data and human rights". Cybersecurity Tech Accord. Archived from the original on 2 June 2025. Retrieved 25 May 2025.
  35. "Open Letter from Civil Society and Industry Stakeholders on the Final Draft of the Convention on Cybercrime" (PDF). Cyber Tech Accord. 8 August 2024. Archived (PDF) from the original on 2 July 2025. Retrieved 25 May 2025.
  36. "UN committee approves first cybercrime treaty despite opposition". euronews. 9 August 2024. Archived from the original on 11 August 2024. Retrieved 25 May 2025.
  37. "EU: Member States Should Vote 'No' on UN Cybercrime Treaty | Human Rights Watch". 21 October 2024. Retrieved 12 August 2025.
  38. "Joint Letter to the European Union and its Member States concerning the United Nations Cybercrime Convention" (PDF). Epicenter.works. Archived (PDF) from the original on 22 September 2025. Retrieved 12 August 2025.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.