United Nations approves controversial cybercrime treaty

After a cumulative three years of work, the United Nations voted to adopt a draft version of its cybercrime convention last Friday, slated to be implemented by the General Assembly later this year in what the organization calls the first global legally-binding instrument on cybercrime. 

“The finalization of this Convention is a landmark step as the first multilateral anti-crime treaty in over 20 years and the first UN Convention against Cybercrime at a time when threats in cyberspace are growing rapidly,” said UNODC Executive Director Ghada Waly in a Friday press release. 

The treaty outlines multiple objectives centered around halting the use of technology that can facilitate firearm and drug trafficking, terrorism, and other transnational crimes. It stresses a need for member state coordination on legislative fronts to enforce the provisions of the convention.

Despite the General Assembly’s passage of the convention, privacy groups have long taken umbrage with the treaty’s text. On Thursday, the Human Rights Watch issued a statement disavowing the convention, citing inappropriate monitoring of global information flows. 

“The global cybercrime treaty that the UN has now adopted will be a disaster for the human rights of people around the world,” Deborah Brown, deputy technology and rights director at HRW, said in a statement. “Member countries have created an unprecedented surveillance tool without adequate safeguards. The treaty will effectively be a legal instrument of repression against journalists, activists, and others across the world’s borders.”

This isn’t the first time the HRW spoke out against the convention. In a letter signed by the HRW along with dozens of other international organizations, the Electronic Frontiers Foundation spearheaded objections to the wording in multiple articles of the convention.

“From the start, EFF has opposed the need for this treaty. There’s already an existing international framework on cybercrime, and introducing another treaty is not just redundant—it’s dangerous,” Katitza Rodríguez, EFF Policy Director for Global Privacy, told Nextgov/FCW. “By providing a legal basis for repressive regimes to cooperate in collecting and sharing evidence for the investigation of crimes that are dubiously ‘serious,’ this treaty risks being exploited for repression rather than justice. 

Despite the treaty’s emphasis on mitigating international cybercrime, experts fear its lack of adequate data sharing safeguards open the door to dangerous potential for artificial intelligence models. 

“This treaty not only fails to protect human rights—it actively enables abuses by allowing the exchange of massive datasets and AI training data without proper oversight,” Rodríguez continued. “Biometric data, face and voice recognition, have been abused in some countries against protesters, minorities, journalists, and migrants. The convention should not provide an opportunity to escalate these dangerous patterns beyond borders.”

Rodríguez highlighted several articles as potentially problematic. One, Article 47(1)(c), which provides necessary data for investigative purposes, is particularly lacking in adequate safeguards to protect personal data. She said that this clause and the treaty would be improved by qualifying conditions under which sensitive data can be accessed.

“These sensitive pieces of information must be protected by strong data protection and privacy safeguards. But the treaty fails to provide them,” she Rodríguez said. “Even worse, the article on conditions and safeguards explicitly excludes the powers under Article 47 from its scope.” 

Predictive policing is another concern Rodríguez and her colleagues share as well. In Articles 23 and 35 of the convention, Rodríguez underscored the usage of the term “criminal investigations” as functionally vague. She said that the EFF saw interpretive notes –– addendums with dubious legal enforcement –– clarify that in this context, “criminal investigations” refers to “situations where there’s solid evidence that a crime has happened or is happening,” including efforts to stop a crime in progress based on reasonable evidence. 

“The idea is that law enforcement can act when there’s real, factual evidence of criminal activity, but the treaty doesn’t always make it clear when or how these investigations should be connected to specific crimes, which is where things can get murky,” she said. “In theory, this requirement should preclude the use of [investigative and information-sharing powers for] generalized or speculative tactics like predictive policing, which often rely on broad data patterns or algorithms rather than specific evidence of a crime.”

How the convention’s text will impact existing domestic laws is also under scrutiny. 

The European Union is home to some of the most stringent data privacy laws. Rodríguez said that Article 18 in particular is just one example within the convention that is lacking in clarity surrounding the liability of online platforms for offenses committed by their users, which struggles to reconcile itself with the provisions in the EU Digital Services Act and the 2001 Budapest Convention. 

“This poses the risk that online intermediaries could be held liable for information disseminated by their users, even without actual knowledge or awareness of the illegal nature of the content (as set out in the EU Digital Services Act), which will incentivize overly broad content moderation efforts by platforms to the detriment of freedom of expression,” she said. 

The U.S. government, which voted in favor of the convention, said it “welcomed” the treaty but noted its strong posture against digital persecution.

“The United States will continue to strongly condemn and work to combat the persistent human rights abuses that we see around the globe by governments who misuse and abuse cybercrime laws and other cyber-related statutes and tools to target human rights defenders, journalists, dissidents, and others,” State Department spokesperson Matthew Miller said in a press release.

Authoritarian regimes have already begun to try to dismantle portions of the convention that do not suit their domestic governance. Rodríguez said since the convention was approved last week, multiple nations, including Iran and Venezuela, have made claims to alter the applications to articles of the convention explicitly dealing with human rights.

“These countries' pushback on these articles lays bare their true intentions. The treaty already gives them enough leeway to carry out their repressive tactics, but by specifically targeting safeguards like Articles 6.2 and 24, they’re making it clear their intention…to exploit this treaty for their repressive tactics,” she said.  

In response to the criticism, the UN reiterated a stance from its May 2023 policy brief on Global Digital Compact to Nextgov/FCW, stating via email that the UN “is ‘committed to applying human rights online and to putting in place specific measures to protect people and communities […]’ and this remains the case with the approval of the draft cybercrime convention.”