

Disruptive Competition Project


Draft UN Convention Against Cybercrime: Implications for Digital Global Governance


On August 9, the United Nations (UN) reached consensus on a landmark agreement that, while aimed at combating cybercrime, could seriously undermine the internet ecosystem. 

The agreement in question, a draft text of the United Nations Convention Against Cybercrime, would represent the creation of the first legally-binding, global treaty on cybercrime, expanding beyond the more limited Budapest Convention on Cybercrime, which counts only 50 signatories. This comes at a time when digital threats are growing in scope and impact, with cybercrime by some estimates on track to cost the world economy $10.5 trillion in 2025. Following the August 9 agreement between UN delegates, the UN General Assembly will vote on the Convention in the fall. If the treaty passes, member states will individually sign and ratify the treaty, which will come into effect 90 days after at least 40 countries ratify it. 

Indeed, effective cross-border collaboration is necessary to respond to the rise in cybercrime, and the work behind this Convention highlights the need for a shared framework that defines cybercrime and appropriate response mechanisms, while balancing the interests of governments, industry, and civil society. However, the draft Convention largely falls short of these goals, and risks undermining cybersecurity, human rights, and the digital economy. 

The Cybercrime Convention process was born out of UN General Assembly Resolution 74/247, adopted in January 2020, which established a temporary Committee to draft the text. However, the committee-led negotiations stalled, as delegates strongly disagreed on certain provisions. This process evolved in a manner that undermined inclusive, multistakeholder participation. First, extended negotiations incurred significant financial costs, with committee meetings estimated at $1 million each, hampering effective participation by smaller, less well-resourced delegations, and raising pressure to reach an agreement as soon as possible. Second, to break the deadlock, the committee chair implemented a two-tiered process to funnel contentious portions of the text into informal, closed-door discussions, where outside stakeholders had less access and influence. As a result, the final text adopted by country delegates was a rushed compromise, and has been widely panned by civil society and industry for containing several flawed provisions. 

First, the draft Convention adopts an overly broad scope of criminal activity. It seeks to tackle the misuse of information and communication technology systems for criminal purposes, with broad latitude afforded to individual countries in defining criminality in the context of their domestic laws. This approach extends beyond the more commonly accepted definition of cybercrime as offenses with criminal intent against the confidentiality, integrity and availability of computer data and systems. Without a clearer, narrower definition of cybercrime that includes criminal intent, the Convention risks empowering governments to criminalize legitimate public interest activities, such as journalistic investigation and ethical hacking. It also fails to establish a uniform definition of cybercrime, exacerbating the challenge of regulatory patchworks. 

Second, it gives governments the authority to compel service providers to turn over data upon request with little oversight or guardrails, potentially harming consumers, privacy, and the digital economy. This provision scopes such requests as they relate to “serious crimes, as determined by domestic law” or “other criminal offences committed by means of an information and communications technology system,” a broad standard that could force companies to turn over data to enforce authoritarian policies. Moreover, the articles allow governments to compel service providers to keep such requests confidential, even when no longer necessary for the purposes of an investigation. Such expansive authority removes outside oversight and denies consumers opportunities for redress or legal challenge. For international businesses, this would accelerate the trend of “hostage provisions,” where employees in specific jurisdictions are compelled to enforce authoritarian laws or face arrest, further undermining participation in the digital economy.  

Third, it lacks sufficient protections for human rights, as has been argued by leading civil society organizations and the Office of the United Nations High Commissioner for Human Rights. The draft Convention largely defines human rights in the context of domestic law, resulting in uneven protections across countries that defer human rights protections to governments’ individual interpretation. The included human rights safeguards lack clear references to either legality, necessity, and proportionality, or to transparency, oversight, and access to remedies. On the processing of personal data, the text overly defers to domestic laws of the government requesting the data, and does not include due diligence requirements that set best practices on requesting and handling the transfer and storage of personal data. Consumers could have their data collected and stored by a government, under suspicion of violating vague national laws, without ever being notified, even if the investigation failed to produce any results. Despite modest improvements inserted in the text in the last rounds of negotiations, and failed, last-minute efforts by member states to remove what limited human rights safeguards remain, the draft Convention still enables authoritarian governments to engage in digital repression. 

While a legally-binding treaty on cybercrime has significant potential to respond to the evolving digital threat landscape, this draft Convention includes serious flaws. By imposing onerous obligations on service providers and promoting a regulatory patchwork of human rights safeguards, the Convention would undermine the international business environment, harming economic growth. By empowering broad data collection and storage by governments, it could increase the risk of security breaches and unauthorized access to critical information. Moreover, it would chill legally ambiguous actions taken in the public interest, such as ethical hacking, resulting in a less secure cyber environment. Companies might limit bug bounties and universities might stop training students in penetration testing, critical activities that contribute to cybersecurity safety. If adopted in the fall, the draft UN Convention Against Cybercrime would represent a step back in effective digital global governance, and the U.S. and like-minded countries should explore all potential avenues to mitigate its ill effects.
