UN Cybercrime Treaty: A Trojan Horse For Transnational Repression
This week, the United Nations General Assembly is set to adopt the UN Cybercrime Convention, almost exactly five years after it approved a resolution to launch its negotiation. The Convention text has been widely panned by digital security experts, human rights organizations, industry, even the UN’s own human rights office, among many others. Yet still it moves forward, propelled by prosecutors and justice ministries the world over and the treaty’s own internal processes, creating a vehicle for the further negotiation of tools for transnational repression.
History: an authoritarian power-play
The negotiations originated as an authoritarian power-play. In a letter to the UN Secretary General back in 2017, the Russian delegation to the UN proposed a treaty draft, one superficially hitting all the high notes of UN principles but substantively aiming to give states broad power to seek user data across borders in the context of ill-defined and often deeply repressive criminal offenses.
Its agenda was made all the clearer in the list of co-sponsors of the 2019 resolution, a who’s-who of authoritarians: Algeria, Angola, Azerbaijan, Belarus, Bolivia, Burundi, Cambodia, China, Cuba, North Korea, Egypt, Eritrea, Iran, Kazakhstan, Laos, Libya, Madagascar, Myanmar, Nicaragua, Russian Federation, Sudan, Suriname, Syria, Tajikistan, Uzbekistan, Venezuela, and Zimbabwe. These are states that are unlikely to share data of criminal activity by their own nationals, or those within their countries, but they sure are eager to obtain data that may be held by companies headquartered in democracies, particularly if that data belongs to dissidents and others they deem to be criminals.
An international cybercrime treaty would give their data demands the veneer of international authorization.
At that original stage back in 2019, the United States and the member states of the European Union, among others, saw through the dictators’ agenda and opposed the launch of a negotiation. For these states, a new cybercrime treaty driven by authoritarians was not only a threat to individual rights and data protection; it just made no sense politically or institutionally.
Seventy-six states are parties to the Budapest Convention on Cybercrime, a treaty that already provides a framework for transnational cooperation to address cybercrime. Any government anywhere, so long as it ensures that its domestic law provides the necessary protections for transnational data-sharing, can join Budapest. While, like every treaty, it has certain weaknesses and loopholes, Budapest has become the global standard, with strong support from the United States and others.
So why bother with a new treaty backed by authoritarians who simply would never commit to Budapest’s rules and oversight?
The big mistake: believing working within the system could limit the authoritarian power play
That, at least, was the leading argument for resisting negotiation of a new treaty. It made perfect sense then and it continues to make perfect sense now. But democratic states, after opposing the launch of the negotiation process in 2019, later made a strategic error.
They concluded that they should be a part of the negotiation in order to ensure that it would not establish new norms of data-sharing that could harm their interests. Inside the negotiation, they thought, they could prevent the worst of what the authoritarians would propose while perhaps getting better law enforcement cooperation on things that matter to them, such as prosecuting child endangerment and ransomware.
One can understand that original attitude, particularly if we see the negotiators as the giant squid working in the sushi bar in a New Yorker cartoon (“He feels he can do more good working within the system”). Democratic states engaged in a years-long negotiation and succeeded, from a defensive perspective, in removing problematic “crimes” from the treaty and providing at least a basis for guardrails against abuse. But it remains a deeply flawed treaty, in its drafting language and its substance, and it remains shocking to many observers that democratic states would support it.
Over three years of negotiations brought states from all over the world to hash out the treaty text within something called the Ad Hoc Committee. The negotiation stretched from 2021 to the summer of 2024, with states meeting over a dozen times in Vienna and New York. Democratic states fought for the best treaty they thought they could get, and a core cohort of human rights experts from civil society and UN institutions fought for serious protections against a treaty that would enable bad actors to use the treaty as a way to intimidate human rights defenders and journalists, among others.
The original sponsors, especially the Russian negotiators, resisted what they claimed to see as the watering down of significant new authorities and international crimes. Because this left the various key players often at loggerheads, the negotiation seemed on life-support as recently as early this year, only to revive, such that the Ad Hoc Committee adopted a final text unanimously in early August.
The treaty contains a preamble and nine chapters totaling sixty-eight articles, a dense international agreement that provides considerable room for abuse, not to mention debate over interpretation of key terms.
The first article lays out its purposes to “prevent and combat cybercrime more efficiently and effectively,” to “strengthen international cooperation” to address cybercrime (perhaps the key purpose from the sponsors’ perspective), and to build prevention capacity especially among developing countries.
Article 3 provides that the treaty will apply to “prevention, investigation and prosecution of the criminal offenses established in accordance with this Convention, including the freezing, seizure, confiscation and return of the proceeds from such offences” and to the “collecting, obtaining, preserving and sharing of evidence” for criminal investigations and proceedings.
This is a lot of words when the key obligation, evidence-sharing, is buried at the end.
The U.S. decides to embrace the treaty
U.S. negotiators cheered the treaty’s conclusion. In the U.S. Government’s explanation of its support for adoption of the treaty, its diplomats argued that it “reflects an historic achievement in the effort to combat the nonconsensual distribution of intimate images,” particularly on the ability to protect women and girls and to counter child sexual abuse material (CSAM). They added that the treaty will improve how the world prevents and punishes “ransomware, widespread cyber-enabled fraud, and illegal intrusions into computers and networks.”
They do not offer much more of substance than these areas of protection, apart from generic references to combating “pervasive and evolving cybercrime threats.” They recognize concerns about abuse of the treaty and, in a break from the traditional U.S. government approach of resisting vague treaty language in the principal instrument, seek to acknowledge the vagueness and danger inherent in the treaty.
Indeed, the U.S. explanation emphasizes, “we are joining consensus with the goal of moving the process forward and with the intent of advancing further clarifications and interpretive guidance to address stakeholder concerns.” This reason to join a treaty process – to fix it? – is naive on its face, particularly given the possibility that the second Trump administration could lean more toward the Russian than the American positions.
For argument’s purposes, let’s assume that the United States and other democratic supporters are correct that the treaty offers particular benefits. There is no doubt that some parts of civil society that focus particularly on crimes against children support it. It’s possible to acknowledge gains on that score and yet still ask, is that enough to embrace it?
Given the treaty’s purpose to facilitate the prevention and prosecution of crime, does it provide adequate safeguards – as all criminal systems must – to protect individual rights to privacy, to freedom of expression, to protest and dissent, to fair trial processes? Does it provide protection against an interpretation that enables a broad claim for what kinds of crimes fall under the treaty? I posed these questions to the European Commission’s Directorate-General for Migration and Home Affairs, which responded as follows.
… the Commission certainly disagrees with your assessment that this Convention would be a ‘gift’ to its original sponsors. On the contrary, the text could not be farther from the draft text initially proposed by Russia. The recently agreed draft text of the Convention draws inspiration from the Council of Europe Budapest Convention on cybercrime, and from previous UN criminal conventions such as the UN Convention against Transnational Organized Crime (UNTOC) and the UN Convention Against Corruption (UNCAC). This ensures that the new UN Convention is fully consistent with the existing and well-established framework on the fight against cybercrime.
Furthermore, The UN cybercrime convention will set a new and unprecedented benchmark of conditions and safeguards for any future UN criminal law instruments in terms of ensuring respect for fundamental rights. There are several safeguards and grounds for refusal in the text that for example, exclude the possibility of using the future convention in any manner that would lead to the suppression of human rights and fundamental freedoms, including the freedom of expression, contrary to international human rights law or allow to refuse requests for international cooperation altogether.
The amendments tabled by Iran and supported by a number of authoritarian countries in the world as well as the harsh statement made by the Russian delegation at the end of the session also demonstrate that Russia and its allies are very dissatisfied with the final draft of the Convention
The full response can be found here and is also embedded below.
The Cybercrime Treaty is still a disaster for human rights
Notwithstanding the Commission’s fervent defense, very serious and experienced analysts and advocates disagree. Katitza Rodriguez, EFF’s policy director for global privacy and one of civil society’s indefatigable soldiers in the battle against the treaty, has written in article-by-article fashion about the treaty’s pervasive risks to human rights. Nick Ashton-Hart, another key player in the fight against the treaty, summarized it as “a data access treaty allowing governments worldwide to exchange citizens’ personal information in perpetual secrecy on any offense any two governments agree is a ‘serious’ crime.”
A former Justice Department official, now in private practice, has written with a colleague that the treaty “would weaken the United States’s ability to resist requests from authoritarian governments . . . [and] the United States’s ability to dissuade foreign states from assisting in improper, suppressive investigations launched from states such as Russia or Iran.”
Many ways the Cybercrime Treaty is open to abuse
Anyone with an interest should read these reviews of the treaty for their detailed assessment, and there are many others as well. Among the most fatal problems, at least from this author’s perspective, are the following:
First, the treaty obligates states to cooperate with one another for the purpose of, among other things, “collecting, obtaining, preserving and sharing of evidence in electronic form of any serious crime” (Article 35(1)(c)). They are to “afford one another the widest measure of mutual legal assistance” in the context of “serious crimes” and other Convention offenses (Article 40(1)).
Not only does this apply in normal criminal law processes, but the Convention also requires states to make available a point of contact “24 hours a day, 7 days a week” to provide “immediate assistance” to foreign law enforcement authorities in relation to Convention offenses and “serious crime.”
So what is “serious crime”? The Convention defines the term as “conduct constituting an offence punishable by a maximum deprivation of liberty of at least four years or a more serious penalty.”
That’s it.
It is a phrase that refers only to the extent of the penalty. It is not an uncommon phrase, but for the purposes of this treaty, it opens the door to assertions that any number of offenses should be the subject of data-sharing and enforcement cooperation to which states are obligated to adhere.
In Thailand, for instance, lese majeste penalties may be three to fifteen years imprisonment. Russia’s 2022 law prohibiting the defamation of the military comes with penalties of up to fifteen years imprisonment.
States around the world have similar sorts of repressive, anti-democratic laws, and the Convention provides them with a clear basis to demand cooperation in its enforcement.
Why? Because it’s evidently serious crime.
Second, and following up on that, it may be argued, as European and American negotiators do, that the Convention provides adequate safeguards so that they would never be required to share information in the context of serious crimes that have illegitimate purposes under human rights law.
Typically, they refer to Article 6, which provides, in full, the following:
Article 6. Respect for human rights
1. States Parties shall ensure that the implementation of their obligations under this Convention is consistent with their obligations under international human rights law.
2. Nothing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms, including the rights related to the freedoms of expression, conscience, opinion, religion or belief, peaceful assembly and association, in accordance and in a manner consistent with applicable international human rights law.
Treaty advocates argue that Article 6 provides adequate protection against the use of the treaty for purposes such as enforcement of the Thai and Russian laws, both of which are plainly inconsistent with international human rights law’s guarantees of freedom of expression.
But the language of Article 6 is weak.
For one thing, the first paragraph is based on an assumption that all states agree as to the nature of their obligations. Thai authorities may agree that its lèse-majestélaw implicates the freedom of expression, but they may argue that it is justified as a protection of the rights or reputations of others, or of public security.
When I raised concerns with the Thai government about application of the law to a student in 2017, for instance, the government responded exactly on these grounds.
This is just one example, and one can imagine an array of situations where states will demand the sharing of data, arguing their demand is consistent with international human rights law. To be sure, governments are free to disagree and refuse to share data, but the weaker the state, or the more it wants to find grounds for cooperation with the demanding government, the less likely Article 6 will provide any serious protection.
Meanwhile, the second paragraph of Article 6 is bizarre. On the one hand, its very presence suggests that democratic states believed the treaty could be interpreted to enable suppression of fundamental rights. Why else would they require this paragraph? But it also does not make much sense, because no “suppression” of human rights is permissible under human rights law; that is simply not how the law operates.
The article adds nothing to existing obligations states have under human rights law. Is it good that the democratic states insisted on this provision? It doesn’t hurt. And in fact, Iran tabled a resolution to have it removed, underlining its perspective. But it nevertheless does not provide the kind of protection these states may think it provides, certainly not in the context of states less able than the United States to resist demands from economically powerful states like China or Saudi Arabia.
Where are the safeguards against abuse?
Related to the above, the treaty does not provide anywhere close to the kind of specific safeguards it promises and that supportive states claim for it. In addition to the weak and generic Article 6, Article 24 aims toward an assurance that states may only carry out their treaty authorities “subject to conditions and safeguards provided for under its domestic law, which shall provide for the protection of human rights, in accordance with its obligations under international human rights law, and which shall incorporate the principle of proportionality.”
This is ineffective, but most importantly, it seems to suggest that human rights law’s main focus restricting state power is proportionality. While proportionality is indeed a core human rights concept, restrictions on fundamental rights also require demonstrations of legality (the principle that law be precise enough to avoid vagueness and not confer undue discretion on the state), necessity (that is measure is designed to achieve its goal and is the least intrusive means to do so) and legitimacy (that the purpose is proper under human rights law). Proportionality is just one element of the test.
This loose statement might be fine in a law review essay, but it is dangerous in a treaty implicating individual rights and international law enforcement cooperation.
The authoritarians are still happy with the treaty
Third, the treaty is also a framework for further work. And this is where the original authoritarian sponsors are most excited. Article 62 of the Convention provides for the negotiation of “supplementary protocols” once there are sixty states parties (i.e., sixty ratifications, not mere signatures).
This is where the future action will be, and Russia has already indicated that it is planning for this possibility. In a statement at the UN on December 4th, its representative said:
In August 2024, all UN Member States agreed on a draft Convention against Cybercrime, which, once approved by the General Assembly, will become the first international treaty in the field of international information security. We are convinced that this is the first step towards a universal international legal regulation of the use of ICTs.”
This goes far beyond any notion of criminal evidence-sharing, as problematic as that is. The Cybercrime Convention sets up an opportunity for Russia, China and others to press for continued negotiation to expand the scope of its coverage and seek international cover for the ‘regulation of the use of ICTs.’
Consider just three of the categories in Russia’s initial proposals for crimes to be covered under the Convention: creation and use of digital data to mislead the user; incitement to subversive or armed activities; extremism-related offenses. There are other proposals in its earlier interventions as well, but these three underscore the real nature of the authoritarian effort: to expand domestic repression into legitimate areas for global cooperation and pressure.
This was the main objective from the beginning: to provide a basis for states to enforce repressive laws in a digital context, wherever the underlying data may be held, or at the very least to provide a normative basis for them to seek to apply their laws across borders.
What now?
What’s next? The Cybercrime Convention, once adopted by the General Assembly, will be open for signature by states at a signing ceremony in early 2025, likely to be held in the well-known free speech nirvana, Vietnam. It requires forty states to ratify it before it will enter into force.
Having joined consensus and allowed this problematic treaty to move forward, democratic states need to rethink their positions. Key organizations in civil society will almost certainly urge the United States, Canada, EU states and other democracies not to ratify, and these states should pay them heed.
But the damage may already be done, a new instrument that lays the groundwork for an expansion of transnational repression, a normative foundation to undermine human rights law’s protection of freedom of expression, as Article 19 of the International Covenant on Civil and Political Rights provides, “regardless of frontiers.”
With a new American administration whose leadership has long seemed sympathetic to the tropes of authoritarianism, a future of resistance and protection of digital rights cannot be guaranteed.
David Kaye is a law professor at UC Irvine School of Law, former independent chair of the
Global Network Initiative, and UN Special Rapporteur on freedom of opinion and expression
from 2014 – 2020