UN Cybercrime Convention: Will states give in disagreements for the sake of a global common threat?

As the concluding session of the UN process to negotiate a cybercrime convention approaches, Diplo invited several experts representing different stakeholder groups to discuss past failures, disagreements, and expectations for the final round of UN negotiations.


Will more than two years of interstate negotiations at the UN result in a global comprehensive convention on cybercrime? Why did states previously fail to reach a final agreement? Where do the main disagreements lie? What are the expectations of stakeholders, including civil society and industry, for the final round of UN negotiations?

We at Diplo invited experts representing different stakeholder groups and organisations to help us understand the caveats of these inter-state negotiations. Before the concluding session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, we also asked the experts for their predictions for the outcome of a nearly four-year UN process.

Below we’re sharing the main takeaways, and if you would like to watch the entire discussion, follow this link.

What went well and what didn’t? Where do major disagreements lie between states and why? 

Alexander Seger, Head of Cybercrime Division, the Council of Europe, started with an overview of the process and its current status. He mentioned that two weeks before, updated working documents were circulated, marking a significant step in the ongoing efforts to draft a comprehensive United Nations treaty on cybercrime. Dated 23 May, these documents included an updated draft text for a future treaty, a draft resolution for the General Assembly to adopt this draft text, and some interpretative notes whose status remains somewhat ambiguous.

Unlike the UN Conventions on Organized Crime and Corruption, which were initiated by consensus, the resolution leading to the current cybercrime treaty process was a contested decision, passed by a relative majority in December 2019. Despite these and other challenges, members of the Budapest Convention and the Council of Europe have supported the process in the spirit of multilateralism. The potential value lies in providing a framework for cooperation among states that cannot join the Budapest Convention for political reasons or due to non-compliance with its requirements. 

What went well? Alexander Seger highlighted that the parties and friends of the Budapest Convention have coordinated extremely well throughout this process. At a fairly early stage, provisions based on the Budapest Convention on Cybercrime, such as the list of offences, procedural powers, and specific provisions for international cooperation, were essentially agreed upon. Interestingly, the underlying concepts and definitions in the UN treaty draft are based on those in the Budapest Convention, though they are termed differently for political reasons. For example, a ‘computer system’ is now referred to as an ‘information and communication technology system’, but the definition remains almost the same as in the Budapest Convention. Similarly, ‘computer data’ is now called ‘electronic data’, but with the same definition. This gives hope of avoiding major inconsistencies in this respect, reflecting a positive outcome of the negotiations.

Tatiana Tropina, Assistant Professor in Cybersecurity Governance, ISGA, Leiden University, underlined other positive aspects of the process, such as the inclusion of stakeholders in the cybercrime treaty negotiations. Although the process is not complete, it represents a significant step forward: non-governmental stakeholders were given specific slots to speak which, despite being limited, marked progress considering the importance of this work. One commendable aspect of the process has been the efforts of the chair, who consistently pushed for consensus and sought to unify differing positions. Additionally, many countries participated in the negotiations in good faith, although this was not universal. A notable success in the process was the suspension of the negotiations to address concerns. States that respect human rights and were wary of the potential negative impacts of the convention pushed back during the last session, disagreeing with the draft.

Why did states fail to reach consensus at earlier sessions? Alexander Seger highlighted several significant disagreements that have emerged during the cybercrime treaty negotiations. A primary contention is the list of offences to be included. Russia, in particular, insists on a comprehensive list of additional offences such as terrorism, extremism, and drug trafficking online, among others. They argue that if these offences are not included, an additional protocol to the convention should be developed.

Another major point of contention is the balance between the scope of the convention and the obligation to cooperate. This involves whether cooperation should extend to any crime, just the offences listed in the treaty, or only electronic evidence related to serious crimes, while also ensuring human rights safeguards.

There are also concerns and differing opinions regarding the article on child sexual abuse materials, particularly the criminalisation of children for distributing self-generated materials among themselves. Tatiana Tropina agreed, highlighting that at the heart of all disagreements in the cybercrime treaty negotiations lies a common denominator: human rights. This fundamental issue influences the entire scope of criminalisation and the potential agreements between countries. While discussions may focus on specific offences like child abuse material and the rights of children to share self-generated images, the broader human rights implications are of significance.

Moreover, paragraph five of the draft resolution reveals a push for countries to agree on developing an additional protocol for further criminalisations, implicitly acknowledging that the current convention is incomplete. This likely implies incorporating offences such as terrorism and extremism, which historically have been used to crack down on free speech, thus raising human rights concerns.

The procedural powers proposed in the draft also lack sufficient safeguards, with some critical protections being diluted. Moreover, the scope of international cooperation is troubling, as it allows any country to designate an offence as a serious crime (punishable by more than five years of imprisonment) and then seek cooperation. This provision risks legitimising human rights abuses on an unprecedented scale.

In general, what is the value of the UN treaty on cybercrime considering that multiple regional and international frameworks already exist?

From a theoretical perspective, having a global comprehensive instrument with robust human rights safeguards, developed inclusively with various stakeholders and building upon existing instruments like the Budapest Convention, would likely add significant value, Tatiana Tropina noted. In an ideal world, she continued, such a treaty would bring countries together, build trust, streamline existing mechanisms, and enhance capacity in countries lacking it, potentially reducing impunity.

However, the series of drafts currently on the table, made over the past six months, suggest that this ideal is far from reality. These drafts leave much to be desired and do not align with the theoretical benefits.

‘It is crucial to understand that what we currently have for the concluding AHC session is not a cybercrime treaty but a global criminal justice treaty. It focuses heavily on the collection and cross-border transfer of electronic evidence for virtually any crime. It is well known that states often use criminal law as a tool for oppression – to silence political opponents, oppress various groups including marginalised communities, and restrict freedoms and rights.’

Tatiana Tropina, Assistant Professor in Cybersecurity Governance, ISGA, Leiden University

Alexander Seger, at the same time, highlighted that public authorities and criminal justice authorities do not all use the same tools, treaties, or bases for cooperating with others. They rely on a multitude of treaties. For example, some countries do not use the Budapest Convention’s 24/7 network because they have long operated under the G7 24/7 network, which is now becoming increasingly similar to the Budapest Convention network. Conversely, some countries have never used the UN Convention on Transnational Organized Crime, while others, including neighbouring countries, use it daily.

And this is how international cooperation works in practice. 

‘When, and if, a UN treaty is adopted, signed, and ratified by a country, the provisions are not immediately put into universal use. Instead, the treaty becomes an additional tool among the various existing mechanisms that countries may choose to employ based on their specific needs and circumstances.’

Alexander Seger, Head of Cybercrime Division, the Council of Europe

How can the effectiveness of the existing cybercrime treaties be measured? 

We raised this question specifically to better understand what existing frameworks fail to address and what could point to a need for a global, more comprehensive legal instrument instead. Is there available data highlighting how existing treaties help reduce cybercrime? Tatiana Tropina answered that, unfortunately, we don’t have a reliable methodology for measuring the cost and effect of cybercrime. While the Budapest Convention is considered a gold standard in the development of cybercrime legislation, it is challenging to quantify its impact on reducing cybercrime. Many countries have changed their legislation after ratifying the convention, and even some non-member countries have adopted laws similar to those outlined in the Budapest Convention.

However, we still lack relevant and reliable methodologies to definitively say that cybercrime has decreased as a result of the Budapest Convention or other conventions like the Malabo Convention. Despite this, there have been clear successes. Countries have developed and strengthened their cybercrime legislation and procedural frameworks based primarily on the Budapest Convention. Trust has been built through negotiations, accession, ratification, and cooperation, which are all significant achievements in their own right.

Defining a positive outcome – civil society perspective: What would be the desired elements of a ‘good’ result, from a civil society perspective, after the concluding session?

After a quick overview of the process, it was important to hear the perspective of different stakeholders, who, as Tatiana Tropina mentioned, were actively involved in the negotiation process. We started with a civil society perspective and put this question to Katitza Rodriguez, Policy Director for Global Privacy, Electronic Frontier Foundation (EFF), and Paloma Lara-Castro, Public Policy Coordinator, Derechos Digitales.

Katitza Rodriguez pointed out that the convention’s title is misleading and poses both conceptual and practical harms. Efforts to broaden the definition of cybercrime have led to the criminalisation of expression in many countries and risk expansive interpretations globally. Moreover, the treaty fails to adequately protect security researchers and journalists engaged in legitimate cybersecurity activities. Mandatory safeguards are lacking, jeopardising years of progress in court litigation and negotiations on domestic levels. Definitions of electronic data, especially regarding sensitive data like biometrics and neural data, are overly broad and lack mandatory data protection principles and robust mandatory safeguards to limits.

‘The text of the proposed treaty is too flawed to be adopted. Key provisions remain highlighted in red, indicating a lack of consensus on critical issues such as scope, human rights safeguards, and intrusive powers like real-time data collection or communication interception without strong mandatory human rights protections.’

Katitza Rodriguez, Policy Director for Global Privacy, Electronic Frontier Foundation (EFF)

Katitza Rodriguez also echoed Tatiana’s remarks on the need for effective human rights protections, including prior judicial authorization, and transparency in data access, and added that they are now left to national law rather than international standards like those in the Budapest Convention.

Concluding, she urged countries committed to the rule of law to approach this treaty with scepticism. Issues with its scope of cross-border surveillance cooperation and human rights protections remain unresolved, raising concerns of a potential decline in global standards for human rights and privacy protection.

Paloma Lara-Castro agreed, saying that she and her team view this treaty as potentially legitimising surveillance and criminalisation practices that are already concerning worldwide, particularly within their region (Latin America), where Derechos Digitales operates. She stressed that the fight against cybercrime should never compromise human rights.

As Tatiana Tropina highlighted, consensus on human rights remains a significant point of contention; Paloma Lara-Castro added that this applies specifically to gender issues.

‘It’s crucial to recognise that both criminal systems and technology are not neutral; they operate within societies marked by structural inequalities. Effective gender mainstreaming should be a central element of the convention, ensuring that every article is analysed from a gender perspective.’

Paloma Lara-Castro, Public Policy Coordinator, Derechos Digitales

While there have been some advances, Paloma Lara-Castro noted, such as the inclusion of gender mainstreaming in the preamble, which Derechos Digitales applaud, they continue to advocate for its integration throughout other articles.

Concluding, she also urged everyone to recognise how this treaty could impact our lives and engage with local governments, raise awareness, and closely monitor upcoming negotiations. It is crucial to ensure that any international treaty on cybercrime upholds human rights and does not undermine fundamental freedoms.

Defining a desired governance – industry perspective: Does industry anticipate positive changes with the adoption of an international cybercrime treaty? What should an effective international governance to address cybercrime look like?

We posed these questions to our expert guests representing Microsoft and Kaspersky, probably the most vocal industry participants in this process. Yuliya Shlychkova, Vice President, Public Affairs, Kaspersky, started by highlighting that an international harmonised framework is crucial for effective cybercrime investigations, especially when cases span multiple countries, each with its own legal requirements and procedures. While the current framework in Europe benefits from the Budapest Convention, extending these standards globally remains a challenge due to the lack of mutual legal agreements.

Kaspersky, she noted, particularly appreciates the inclusion of dedicated provisions for expedited preservation of digital evidence in the current draft of the convention. However,

‘Varying local requirements for forensic toolkits across jurisdictions pose a significant challenge. Achieving global acceptance of forensic toolkits would enhance the admissibility of evidence in courts worldwide.’

Yuliya Shlychkova, Vice President, Public Affairs, Kaspersky

Real-time access to network and traffic data is another critical issue, Yuliya Shlychkova highlighted, with current provisions being overly broad. It is essential to implement strict safeguards to prevent misuse of law enforcement powers and ensure transparency and accountability, both from governments and the private sector. Court orders should be mandatory before disclosing sensitive data like biometrics to protect human rights.

Ethical hackers and researchers also need better protection. While there are provisions against persecuting authorised penetration testing, freelancers, Yuliya Shlychkova mentioned, often operate without explicit authorisation. Criteria should focus on criminal intent rather than authorisation status to shield ethical researchers from legal repercussions. 

Concluding, she highlighted, again, that the private sector can play a significant role in technical assistance and capacity building initiatives, especially in under-resourced countries. Their involvement should be recognised and encouraged in the convention’s framework to enhance global cybersecurity efforts effectively.

Nemanja Malisevic, Director, Digital Diplomacy, Microsoft, echoed concerns shared by other panellists and added that Microsoft urges states to clearly define the treaty’s scope and significantly enhance safeguards throughout. In its current form, the treaty risks eroding data privacy, threatening digital sovereignty, and undermining online rights and freedoms globally.

Furthermore, the draft convention lacks effective international governance to address cybercrime adequately, as highlighted by experts. It also poses national security risks by allowing unauthorised disclosure of sensitive data to third states, potentially compelling individuals with knowledge to reveal proprietary information.

‘To be clear, in its current form, this treaty, as we have repeatedly called out, remains a data access/global surveillance treaty in the guise of a cybercrime treaty.’

Nemanja Malisevic, Director, Digital Diplomacy, Microsoft

Nemanja Malisevic emphasised the need for a treaty focused on core cybercrime offences with robust safeguards and clear intent requirements. As it stands, he highlighted, the current draft falls short of these principles and, if adopted, could diminish cybersecurity, jeopardise data privacy, and threaten online freedoms worldwide.

Additionally, there is a provision calling for protocols on additional cybercrimes before finalising the convention’s scope, which Microsoft views as insufficient and potentially detrimental. This approach risks further widening the convention’s already overly broad scope, hindering its effectiveness.

In conclusion, Nemanja Malisevic noted unprecedented alignment among industry and civil society regarding concerns with the current draft. This consensus underscores the urgent need for a treaty focused on core cybercrime offences, bolstered by robust safeguards and clear intent requirements. 

Looking ahead: What are predictions for the outcome of the AHC negotiations and for the future of international efforts to address cybercrime? 

Tatiana Tropina gave a straightforward response saying that she doesn’t assume that there would be a convention, and that she doesn’t even believe that, when she looks at the current draft, we need this treaty at all.

Still, even if the miracle happens and states succeed in reaching a consensus at the concluding session in late July, one crucial question remains: Will democratic states sign and ratify this treaty once it is finalised? Alexander Seger noted the answer depends on the final shape of the treaty and whether it can mitigate the highlighted risks. He further highlighted a critical concern about the current title of the treaty, noting its potential to create confusion by encompassing crimes beyond traditional cybercrime, possibly extending into broader cybersecurity issues, thus echoing remarks by civil society and industry experts.

We, at Diplo, invite you all to re-watch the online expert discussion, engage in a broader conversation about the impacts of this negotiation process, and in the meantime – stay tuned. We’ll be monitoring the latest session and will share the reporting soon.