On Friday, February 9, 2024, late-stage negotiations on the UN’s proposed Cybercrime Convention were abruptly suspended amid persistent disagreements between states.
While the suspension is only temporary, it provides a welcome pause. Civil society has long voiced concerns over the grave risks the convention poses to human rights globally and the limited public and media attention paid to these risks.
But what are these risks? And how did we arrive at this fractious and uncertain conjuncture?
Background
To answer both these questions, it’s necessary to go back to the beginning of the process. The convention was first proposed by Russia in 2017, with the purported aim of combatting “the problems and threats posed by crimes in the sphere of information and communications technologies.” In 2019, the UN General Assembly narrowly agreed to develop it via Resolution 74/247, with 79 votes for (a cross-regional grouping mainly from Africa, Asia, the Middle East, and Northern Africa), 60 against (the European bloc, as well as others including Australia, New Zealand, Republic of Korea, Japan, the United States, Paraguay, Panama, and Tonga), and 33 abstentions (many Latin American states and some others).
Cybercrime is, of course, a real threat that endangers human rights. But is a binding, global UN convention to prevent it an effective or proportionate approach? UN human rights bodies and civil society organizations alike have widely documented how existing cybercrime laws at the national and regional levels are frequently misused by states to target human rights defenders, journalists, whistleblowers, and technologists, impose unjustified restrictions on expression, and justify disproportionate surveillance powers.
This abuse of power has been acknowledged by the UN General Assembly itself in Resolution 74/146, which states that cybercrime legislation is “in some instances misused to target human rights defenders or [has] hindered their work and endangered their safety in a manner contrary to international law.”
Misuses at the national and regional levels are damaging enough. But what if these misuses were codified at the global level as the UN Cybercrime Convention risks doing? Developing any global instrument through the UN requires that all signatory states amend existing laws or establish new ones to ensure a degree of legislative harmonization. Given the diversity of UN states—including many with poor human rights records and a history of misusing cybercrime laws—this move innately carries the risk of a legislative “race to the bottom.” As a compounding factor, its negotiation via the UN offices in New York and Vienna means there is limited transparency and few opportunities for engagement by public interest actors.
The latest negotiation session
Despite these concerns and various foundational divergences among states—including the very purpose of the convention, the process rolled along, punctuated by increasingly vocal protestations from civil society groups. In late January 2024, UN states commenced what was due to be the last of the negotiating sessions to agree to the convention.
Ahead of the session, Global Partners Digital joined 100+ civil society groups in issuing an urgent joint statement to the Ad Hoc Committee on Cybercrime (AHC), setting out minimum requirements to ensure the draft convention does not endanger human rights and fundamental freedoms nor undermine cybersecurity.
The statement highlights three pressing concerns with the draft convention. The first relates to its scope of offenses, which extends beyond those typically understood as cybercrime—in certain instances of the text, infractions encompass any crime involving a digital element. In practice, this could lead to the convention being interpreted and applied in a manner that could result in discrimination or persecution. Research by APC and Derechos Digitales has mapped how vaguely drafted cybercrime laws have been used to stifle dissenting voices and criminalize human rights defenders—from a trans influencer in Nicaragua forced into exile for social media posts, to an Egyptian human rights activist sentenced to two years in prison for a video on sexual harassment.
The convention also risks enabling the excessive use of domestic and cross-border information-sharing by law enforcement, which could result in prosecution or extradition through an overly broad scope and lack of specific, meaningful safeguards for the use of its powers, such as the principle of prior judicial authorization and transparency measures. Certain states involved in the negotiations have refused to countenance any or adequate safeguards around these powers, with the common refrain that the convention is not intended to be a human rights treaty.
Finally, the convention also fails to provide adequate protections for security researchers, whistleblowers, activists, and journalists, who are likely to face criminalization due to the overbroad scope.
The urgency of these persisting, foundational flaws in the draft provoked another open letter on the penultimate day of negotiations—this time by an unprecedented grouping of civil society groups, industry representatives, and the technical community, calling on states not to support the convention in its current form.
Subsequently, on the final day of the session, it was confirmed that negotiations would be suspended to reconvene again in New York later in 2024, with the continued aim of agreeing on a final text during the General Assembly’s 78th session (which concludes in September 2024). While the extent of divergences among negotiating states was the critical factor in this decision, it is likely that growing public critique of the treaty from an increasingly broad array of stakeholders also played its part.
What’s next
The pause in negotiations gives us a crucial window to further build public awareness around the risks of the current draft, as well as to push for the convention to be narrowly focused, with robust language that prevents its potential misuse for surveillance, repression, and persecution.
If a narrower and rights-respecting vision cannot be achieved, our message is clear: the convention should not be endorsed by negotiating states. There is a wealth of work already out there to show what alternative, rights-respecting approaches to combating cybercrime might look like. Given the risks of pressing ahead with this flawed and rights-threatening instrument, the time to discuss these ideas may have come.