What is the UN cybercrime treaty and why does it matter?

Explaining the UN cybercrime treaty, its potential benefits and risks, key issues in the negotiations, and likely paths forward.

Explainer Updated 4 August 2023 Published 2 August 2023 6 minute READ

What is the UN cybercrime treaty?

Since May 2021, UN member states have been negotiating an international treaty on countering cybercrime. If adopted by the UN General Assembly, it would be the first binding UN instrument on a cyber issue. The treaty could become an important global legal framework for international cooperation on preventing and investigating cybercrime, and prosecuting cybercriminals.

But without a clearly defined scope and sufficient safeguards, the treaty could endanger human rights – both online and offline – and repressive governments could abuse its provisions to criminalize online free speech. It could also threaten digital rights by legitimizing intrusive investigations and unhindered law enforcement access to personal information.

What is cybercrime?

There is no universally accepted definition of cybercrime. A common approach is to define it in two categories: cyber-dependent crimes and cyber-enabled crimes.

Cyber-dependent crimes are crimes that can only be committed by using Information and Communication Technologies (ICTs). A notorious example is ransomware: hacking into an organization or individual’s device, encrypting data and demanding payment for decryption.

Without a clearly defined scope and sufficient safeguards, the treaty could endanger human rights – both online and offline – and repressive governments could abuse its provisions to criminalize online free speech.

Cyber-enabled crimes are so-called traditional crimes that have been transformed in speed, scale and scope through the use of ICTs, such as online banking scams, identity theft or fraud, and online child sexual exploitation.

Why does a new cybercrime treaty matter?

Over the past 20 years, new technologies and threat actors have evolved at an unprecedented pace. In parallel, there have also been many different national and international efforts to counter the criminal use of ICTs.

Victims of cybercrime range from individuals and communities to entire businesses and governments. Cyber scams, fraud, extortion and harassment are on the rise. In the past five years alone, it is estimated that romance scams cost individual victims at least $1.3 billion. In 2022, Costa Rica’s government was forced to declare a state of emergency following a ransomware cyberattack that impaired the country’s digital infrastructure for months.

Perpetrators of cybercrime are equally diverse. They range from small-scale scammers to transnational cybercrime gangs and even state-sponsored actors. Cybercriminals often target victims in different national jurisdictions, making cybercrime a global threat with local impact. Recently, organized criminal groups offering cybercrime as a service has become increasingly common.

Against this backdrop, the intended purpose of the treaty is intended to tackle cybercrime and improve cooperation and coordination between states.

What is the treaty process?

In December 2019, the UN passed a resolution which established an open-ended ad hoc committee (AHC) tasked with developing a ‘comprehensive international convention on countering the use of ICTs for criminal purposes’.

Negotiations started in early 2022. The treaty roadmap has six negotiating sessions, three in Vienna and three in New York. Each meeting has addressed different parts of the treaty, including chapters on criminalization, procedural measures, the role for law enforcement, international cooperation, technical assistance, preventive measures and implementation.

States are expected to negotiate by consensus but, if this cannot be reached, two-thirds majority voting rules apply. In the two most recent sessions, informal working groups were created for states to discuss divisive issues. In June, the chair published the draft text of the convention, which states will discuss in August 2023.

While states are responsible for negotiating, adopting, ratifying and implementing the treaty, civil society and the private sector have played a crucial role in shaping the convention, through statements, consultations and side events.

What are the main areas of disagreement?

The treaty process is complex. The draft text is the synthesis of months of negotiations and hundreds of proposed amendments, with nine chapters and over 60 articles.

The main areas of disagreement covered by this explainer concern the scope of the treaty, human rights safeguards, how to address gaps in state capacity, how the treaty should harmonize with other instruments, and the relevance of gender to the treaty.

It does not address issues like data protection or the role of the private sector and civil society. Similarly, it highlights just some of many terminological disagreements.

Additionally, the AHC process coincided with the start of Russia’s full-scale invasion of Ukraine. Many state representatives have condemned Russia’s aggression and questioned whether they can negotiate with Russia in good faith.

What cybercrimes should the treaty address?

Some states advocate for a treaty that criminalizes cyber-dependent crimes and a broad range of cyber-enabled crimes, including content-based offences. On the most extreme side of the spectrum is a group of countries including Russia, Belarus, China, Nicaragua and Cuba, whose proposals have included highly controversial suggestions to criminalize ‘incitement to subversive or armed activities’ and ‘coercion to suicide’ by means of ICTs. China has proposed criminalizing the ‘dissemination of false information… that could result in serious social disorder’, while India has advocated for criminalizing offences related to ‘cyber terrorism’.

Other states – including EU member states, the US, the UK, Japan and Australia – want to include core cyber-dependent crimes and a very limited number of cyber-enabled crimes that have been drastically transformed by digital technologies, the main example of the latter being offences related to child sexual abuse and exploitation (CSAM). These states argue that a treaty with a long list of cyber-enabled offences risks being abused or misinterpreted.

Approaches to criminalization also affect the treaty’s overall scope. States in favour of a narrow approach have expressed their willingness to consider more comprehensive agreements on international cooperation and other chapters: for example, using the treaty as a basis to exchange evidence between jurisdictions relating to any crime with a digital evidence component, not just crimes covered by the treaty.

Some states also take issue with the terminology used to describe the treaty itself, arguing that the phrase in the AHC’s title – ‘the use of ICTs for criminal purposes’ – supports an expansive approach to criminalization, because it could refer to any criminal activity in which an ICT device has been used. Nowadays, this could include nearly every crime. Although the term ‘cybercrime’ is still ambiguous, it is generally considered to be narrower.

Although most states agree that commitments to human rights are essential, some argue that the treaty is not a human rights treaty, and so references should be left to a minimum.

A treaty with a long list of crimes – especially content-related ones – increases the likelihood of duplication and contradiction with existing frameworks and endangers freedom of expression and other human rights by criminalizing online content. There is also a risk that legitimate activities, such as those of security researchers, ‘white hat hackers’ and investigators, could become inadvertently criminalized.

Although negotiations are still ongoing, the draft text published in June adopts a relatively narrow approach to criminalization.

How and why should the treaty protect human rights?

Measures aiming to counter cybercrime can jeopardize human rights. Some states have used cybercrime laws to criminalize online content and limit free speech by targeting journalists, activists and political opposition, or to police behaviour through so-called ‘morality clauses’.

Furthermore, cybercrime investigations can be highly invasive. The interception and collection of traffic data may pose privacy risks, as may the mishandling of sensitive personal data by law enforcement agencies.

Although most states agree that commitments to human rights are essential, some argue that the treaty is not a human rights treaty, and so references should be left to a minimum. For some states, this means including a single article on human rights in the treaty’s opening chapter, without referencing specific rights or frameworks. For others, this means including explicit references to specific treaties and reiterating human rights commitments throughout the convention where necessary.

There is a smaller camp of states opposed to any human rights reference. They often cite the UN’s conventions against corruption and transnational organized crime, which have proved effective without human rights commitments.

Civil society stakeholders, including Chatham House, have highlighted the importance of multiple, specific references to human rights and child protection as they create clear expectations and binding commitments for states implementing the treaty.

The draft text of the convention encourages states to ensure consistency between implementing the treaty and abiding by their obligations under international human rights law. However, it does not reference specific instruments, apart from a single mention of the Convention on the Rights of the Child in the sub-article on safeguarding children accused of offences relating to CSAM.

How should the treaty address gaps in capacity?

There are global asymmetries in state capacity (including funding and resources) and skills required to counter cybercrime. Developing states are disproportionately vulnerable to the direct and indirect impacts of cybercrime, making capacity-building a particularly urgent priority.

The treaty’s chapter on technical assistance outlines state parties’ duties and expectations for addressing gaps in capacity. Some developing states have requested commitments to technology transfer, which could include ‘dual-use’ technologies that have both civil/commercial and weapons/military applications. Other states have refused these proposals, citing concerns about the potential scope for abuse.

Developing states are disproportionately vulnerable to the direct and indirect impacts of cybercrime, making capacity-building a particularly urgent priority.

Irrespective of terminology, while capacity-building and technical assistance activities are important, they generate their own risks, such as human rights risks from the intentional misuse of dual-use tools, unintentional harms from inadequate or ineffective training, and the reinforcement of existing global inequalities through conditional agreements. It is essential to root capacity-building in established, shared principles, such as those proposed by the UN Open-Ended Working Group on cybersecurity.

Several developed countries have also stressed technical assistance should be delivered on a voluntary, non-prescriptive basis.

How should the treaty harmonize with existing efforts?

While a new treaty could become a valuable tool in the global effort against cybercrime, it must harmonize with existing international mechanisms and networks that occupy similar spaces.

Ratified by almost all member states, UN conventions against transnational organized crime and corruption are important parts of existing global responses to transnational crime. Many states suggest borrowing – and tailoring – articles from these instruments for the cybercrime treaty.

content

More severe disagreements relate to existing cybercrime instruments. For over 20 years, and with nearly 70 state parties, the Council of Europe’s Budapest Convention has sought to define what counts as cybercrime and how law enforcement agencies should cooperate. Many states have modelled their own legislation on the convention.

But not all countries have ratified it. Some countries – such as Russia – have consistently argued that the Budapest Convention is not globally relevant and threatens principles like state sovereignty and non-interference. This led them to champion the resolution establishing the AHC, which passed despite opposition from many Western states and civil society representatives.

State proposals in the treaty process have also referenced provisions from regional instruments, such as the African Union’s Convention on Cyber Security and Personal Data Protection.

How has gender featured in treaty negotiations?

States such as Chile, Canada and the UK have supported a reference to ‘mainstreaming a gender perspective’ as part of the treaty’s article on human rights, on the basis that this language would build a stronger, more inclusive cybercrime instrument. This is because people of different gender identities face specific risks when encountering cybercrime and cybercrime governance, particularly in jurisdictions where LGBTQI+ identities and expressions are themselves criminalized.

These states therefore also advocate for mainstreaming gender throughout the treaty. For example, strengthening an article on extradition with language on gender identity could enable a requested state party to refuse an extradition request if they believe an offender would be punished on account of their gender.

Other states remain firmly opposed to any mention of gender in the treaty. Some have argued that states define sex and gender differently, making it impossible to reach consensus on references to gender equality, while others have questioned singling out the protection of women and girls over other vulnerable groups.

Different genders experience both cyber-dependent and cyber-enabled crimes and ‘associated practices, institutions, and policies’ in different ways. An effective, future cybercrime instrument needs to be responsive to the harms, risks and experiences of all genders.

What happens next?

With five of the six negotiation sessions completed, negotiations have now reached a pivotal stage. In August 2023, state representatives will meet in New York to discuss the draft text of the convention, which is the basis for the final treaty. Negotiations will continue into early 2024, with the aim of adopting the treaty during the UN General Assembly in September 2024.

Chatham House’s cyber policy team will continue to follow the negotiations closely and provide analysis on key milestones and issues.