After three years of negotiations, the UN member states at the Ad Hoc Committee (AHC) adopted the draft of the first globally binding legal instrument on cybercrime. This convention will now be presented to the UN General Assembly for formal adoption later this year.
The chair emphasised that the convention is a criminal justice legal instrument and the aim is, therefore, to combat cybercrime by prohibiting certain behaviours by physical persons, rather than to regulate the behaviour of member states. The treaty is now set to take effect once ratified by 40 member countries, and it establishes a global criminal justice policy to protect society against cybercrime by ‘fostering international cooperation’.
Consult the drafting process at the Ad Hoc Committee on Cybercrime | the annotated text of the UN Convention Against Cybercrime
The adoption of the convention has proceeded despite significant opposition from human rights groups, civil society, and technology companies, who have raised concerns about the potential risks of increased surveillance. In July, Diplo hosted experts from various stakeholder groups to discuss their expectations before the final round of UN negotiations and to review the draft treaty.
Experts noted an unprecedented alignment between industry and civil society on concerns with the draft, emphasising the urgent need for a treaty focused on core cybercrime offences, strengthened by robust safeguards and clear intent requirements. Moreover, it was hard to imagine that states would have been able to reach a consensus given how many issues they disagreed with earlier.
How did it happen? Did states change their views suddenly? What was the last round of negotiations about?
Cyber vs ICTs: Debates about the convention’s title, scope, and terminology
The debates surrounding the title of the convention highlighted ongoing challenges among states in agreeing on the scope and terminology for this legal instrument. During the final session, the majority of delegations advocated for a succinct title, suggesting ‘United Nations Convention Against Cybercrime’ for clarity’s sake.
However, the term ‘cybercrime’ has not been agreed upon by all states in the use of terms. Russia, in particular, criticised the use of ‘cyber’ terminology, arguing that it does not align with the mandate and instead supported the use of ‘information and communications technology’ (ICTs), which had been agreed upon by states and included in the use of terms (Article 2).
United States argued that the title should not define ‘cybercrime’ as it is the globally accepted term for such issues and it is immediately clear from the title ‘Convention Against Cybercrime’ what conduct the treaty covers, and why.
Switzerland requested further discussion on the title at the beginning of the session, and the Czech Republic argued that the terms ‘cybercrime’ and ‘ICT crimes’ should not be treated as synonymous, as they represent different concepts. South Africa supported the title reflecting the committee’s mandate and expressed its flexibility in working with other delegations to find a suitable title.
Negotiations resulted in the adoption of the title
Draft United Nations convention against cybercrime
with a subtitle:
Strengthening international cooperation for combatting certain crimes committed by means of information and communications technology and for the sharing of evidence in electronic form of serious crimes’.
These debates reflected the long-standing disagreements between states about the scope. At the beginning of the session, the Russian Federation said that the draft convention did not meet the objectives and mandate, which are to come up with a comprehensive convention.
Russia advocated for the inclusion of certain serious crimes that involve the use of ICTs, including extremist crimes, illegal trafficking in arms and drugs, and offences involving youth. Russia argued that such crimes should be explicitly covered in a dedicated article within the criminalisation chapter.
New Zealand, on the other hand, expressed the concern that the current scope (in Article 4), particularly the procedural measures and international cooperation chapter, extends beyond the primary purpose of the convention, namely combating cybercrime.
Negotiations resulted in the adoption of Article 4 on ‘Offences established in accordance with other United Nations conventions and protocols’ which says:
1. In giving effect to other applicable United Nations conventions and protocols to which they are Parties, States Parties shall ensure that criminal offences established in accordance with such conventions and protocols are also considered criminal offences under domestic law when committed through the use of information and communications technology systems.
2. Nothing in this article shall be interpreted as establishing criminal offences in accordance with this Convention.
Consult the topic page on cybercrime
Same old, same old: What did states agree on concerning human rights protections and safeguards?
Human rights protections and safeguards were among the most contested areas in the draft treaty throughout the negotiation process. We provided a detailed analysis of these disagreements earlier, for example, here.
During the final session, states held differing views to the Chair’s proposal for Article 6.2 which suggested adding the phrase ‘and in a manner consistent with applicable international human rights law’ to address concerns about human rights safeguards.
India proposed replacing ‘suppression’ with ‘restriction’ in Article 6.2, while Iraq called for the deletion of Article 6.2 entirely. Egypt called for the deletion of the listed rights in Article 6.2 and proposed additional language to reflect duties and responsibilities associated with certain rights as per international human rights law. Other countries, including Malaysia and Pakistan, also suggested revisions to Article 6.2, advocating for a more general statement on human rights without a detailed list. Sudan argued that singling out specific human rights could imply a hierarchy, which undermines the holistic and inclusive approach in the convention.
Overall, states were divided: one group (e.g. Cuba, Iran, Russia, etc.) repeatedly emphasised that this is not a human rights treaty and criticised the draft for having too many references to human rights but lacking specific references to crimes and criminal uses of ICTs.
This group of states (e.g. China and Iraq, in particular) argued that human rights should not become an obstacle to effective cross-border cooperation in combating cybercrime, while others (e.g. New Zealand, Canada, Australia, Liechtenstein, the USA, Switzerland, etc.) believed that the lack of explicit references to human rights is itself a barrier to such cooperation.
A significant portion of the session was dedicated to debating Articles 14 and 16 of the draft resolution, which pertain to child sexual exploitation material and the dissemination of intimate images, respectively. Concerns were raised about the phrase ‘without right’ in these articles, which some member states felt could potentially legitimise access to such material.
A joint statement by the Syrian Arab Republic, on behalf of a group of countries, called for the removal of exceptions in these articles to ensure robust protection for children and adherence to international human rights standards. Many states, including Saudi Arabia, Iran, Rwanda, and Egypt, expressed strong opposition to this wording, fearing it could create legal loopholes for child exploitation material.
These countries called for its removal or revision to eliminate any ambiguity, with Rwanda suggesting alternative phrasing such as ‘committed intentionally and without permission by law’. On the other hand, Japan defended the current wording, emphasising the need to balance combating harm with protecting freedom of expression.
Iran, along with the Democratic Republic of Congo, also voiced strong objections to Paragraph 3 of Article 14. They argued that the provision created exceptions in combating child sexual exploitation, which they found unacceptable. Both countries requested the deletion of this paragraph, citing its inconsistency with international laws, such as the Convention on the Rights of the Child.
Switzerland and other countries supported the text as presented in rev. 3, particularly paragraph 4 of Article 14, arguing that the phrase was necessary for national authorities to act against criminal online material.
Article 16 also sparked significant debate. Countries like Yemen and Uganda questioned the inclusion of the term ‘non-consensual’, arguing that it did not align with their domestic legal interpretations. They called for more restrictive language to prevent potential exploitation of legal loopholes, such as those involving self-generated content or material used for legitimate purposes.
Negotiations resulted in the adoption of Article 6 on ‘Respect for human rights’, which says:
1. States Parties shall ensure that the implementation of their obligations under this Convention is consistent with their obligations under international human rights law.
2. Nothing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms, including the rights related to freedom of expression, conscience, opinion, religion or belief, peaceful assembly and association, in accordance with applicable international human rights law.
With regard to Articles 14 and 16, UN member states adopted articles containing
‘without right’ and ‘non-consensual’.
Political offences exceptions: Why did states disagree?
At the beginning of the session, Costa Rica proposed for Article 40.21 to include an additional reason for the refusal of mutual legal assistance (MLA) requests related to political offences. Several countries, including Liechtenstein, France, Canada, the USA, and others supported this proposal, while others (e.g. Russia, Nigeria, Pakistan) rejected new grounds for refusal, including political offences, due to their subjective nature and potential misuse.
Negotiations resulted in the adoption of Article 40.21, which doesn’t explicitly exclude grounds for political offences and says that mutual legal assistance may be refused:
(a) If the request is not made in conformity with the provisions of this article;
(b) If the requested State Party considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests;
(c) If the authorities of the requested State Party would be prohibited by its domestic law from carrying out the action requested with regard to any similar offence, had it been subject to investigation, prosecution or judicial proceedings under their own jurisdiction;
(d) If it would be contrary to the legal system of the requested State Party relating to mutual legal assistance for the request to be granted.
Ratification: What divided states?
In discussing the ratification of the convention and following steps, states were split on two issues: a number of required ratifications for the convention to come into effect, and the need for additional protocols.
On the first aspect, some delegations supported a higher threshold for ratification to ensure inclusivity and give states time for domestic legislative harmonisation. Others were satisfied with the Chair’s proposal of a lower threshold.
Mexico made an argument for setting the threshold at 60 ratifications, arguing that this would ensure the convention’s broad and representative international support, thus enhancing its effectiveness and universality. This proposal was supported by several delegations, including New Zealand and Liechtenstein, who underscored the need for inclusivity, especially for smaller states that may need additional time to ratify the convention.
Conversely, Russia called for a lower threshold of 30 ratifications, underlining the pressing necessity for a universal instrument to address the inherently transnational nature of ICT crimes. This position found support among several delegations, including Iran and Azerbaijan, who contended that a lower threshold would facilitate more immediate global action against cybercrime.
Negotiations resulted in the adoption of the threshold of 40 ratifications and adopted Article 65 on ‘Entry into force’, which says:
1. This Convention shall enter into force on the ninetieth day after the date of deposit of the fortieth instrument of ratification, acceptance, approval or accession. For the purpose of this paragraph, any instrument deposited by a regional economic integration organization shall not be counted as additional to those deposited by member States of that organization.
On the second aspect, the Chair’s proposal for additional protocol and the process for its consideration sparked mixed views. Concerns were raised about the immediate timing, the predetermined outcome, and the inclusivity of the process.
Some delegates supported the Chair’s proposal as a balanced approach. For example, Pakistan argued that immediate negotiations on an additional protocol would be needed to review the list of crimes, while Nigeria also highlighted that the additional protocol would help address the specific serious crimes in line with the draft.
At the same time, other delegations (e.g. Mexico, Malaysia, the Netherlands, France, Germany, Chile) suggested that it is too early to discuss the possibility of additional protocols, given that there are differences between states concerning the scope.
Negotiations resulted in the adoption of Article 61 on ‘Relation with protocols’, which says in paragraph 1:
‘This Convention may be supplemented by one or more protocols.’
as well as Article 62 on ‘Adoption of supplementary protocols’, which states in paragraph 1 that
‘at least 60 States Parties shall be required before any supplementary protocol is considered for adoption by the Conference of the States Parties. The Conference shall make every effort to achieve consensus on any supplementary protocol. If all efforts at consensus have been exhausted and no agreement has been reached, the supplementary protocol shall, as a last resort, require for its adoption at least a two-thirds majority vote of the States Parties present and voting at the meeting of the Conference’.
So did states agree on everything?
While we outlined some of the examples of issues which sparked debates at the session, it’s worth noting that UN member states adopted the draft with reservations.
In particular, while Iran expressed gratitude for the Chair’s leadership before the voting and the adoption of the draft, the delegation raised concerns about the reinsertion of certain provisions in the draft text despite strong objections. Iran emphasised the lack of consensus on key aspects, particularly within the preamble and various articles, and called for further deliberation to address outstanding issues.
The Chair clarified that in the absence of consensus, decisions on substantive matters would be made by a two-thirds majority. Iran requested votes on specific contentious paragraphs, including Articles 6, 14, 16, and 24. These proposals to delete certain paragraphs were ultimately rejected through voting, despite Iran’s reservations.
Russia, while choosing not to oppose the consensus on the convention’s text, expressed dissatisfaction with the title, arguing that it did not accurately reflect the document’s scope as per the mandate of the ad hoc committee. Russia highlighted that it dissociates itself from the consensus on the title of the convention and intends to make the interpretive statement when signing or ratifying this instrument.
Nigeria also dissociated itself from specific provisions, particularly those in Article 14, arguing that they were inconsistent with its domestic laws and cultural norms. Nigeria emphasised that the best interests of the child should be paramount in any provisions aimed at protecting children and requested that its objections be recorded in the official report.
Cuba raised broader concerns about the convention’s comprehensiveness and effectiveness. Cuba criticised the limited number of crimes covered in the text, arguing that the convention should address a wider range of serious crimes associated with the use of ICTs, such as terrorism, hate speech, and crimes against the environment.
Additionally, Cuba pointed out ambiguities in key terms like ‘dishonest intention’ in several Articles as well as argued that Articles 33 and 37, which deal with witness protection and extradition, should be excluded as they are typically governed by national legislation and bilateral agreements. Cuba indicated, in the end, that it did not feel bound by certain provisions.
The session concluded with adopting the draft convention and the associated General Assembly resolution, despite the objections and reservations from several member states.
Consult the drafting process at the Ad Hoc Committee on Cybercrime | the annotated text of the UN Convention Against Cybercrime |
We will continue reporting on the convention and associated developments. Stay tuned for Diplo’s updates.
