Ad Hoc Committee on Cybercrime

The open-ended Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (Ad Hoc Committee on Cybercrime) is an intergovernmental committee composed of experts and representatives of all regions mandated with drafting a new cybercrime convention. The committee was proposed by the Russian Federation and 17 co-sponsors in 2019 and established by the UN General Assembly (UN GA) Resolution 74/247 under the auspices of the Third Committee of the UN GA. The negotiations are text-based, meaning that the member states are drafting, formulating, and compromising on the treaty’s wording at the sessions.

The subject matter of the treaty

Negotiations on adopting a new convention on cybercrime have gained momentum. After the five sessions of the Ad Hoc Committee (AHC), the chair prepared a draft text of the convention (version as of 1 September 2023), based on the outcomes of two readings of the draft chapters during the fourth and fifth sessions, while also taking into account the outcomes of the second and third sessions. The convention has a preamble and nine chapters:

  • I. General provisions
  • II. Criminalization
  • III. Jurisdiction
  • IV. Procedural measures and law enforcement
  • V. International cooperation
  • VI. Preventive measures
  • VII. Technical assistance and information exchange
  • VIII. Mechanism of implementation
  • IX. Final provisions

The draft convention captures alternatives in the use of some terms (e.g. cybercrime vs the use of ICTs for criminal purposes) proposed by delegations and does not yet address terminology entirely, as states earlier agreed to negotiate this at later stages once progress is made in discussing the substantive provisions (see ‘Open issues’ below). Thus, the scope of the convention, which will be defined by the terminology and approach agreed by states, is still to be negotiated.

During the sixth session, member states negotiated pending points of the draft, but did not achieve a consensus on the scope and terminology (learn more about ‘Key takeaways from the sixth UN session on cybercrime treaty negotiations’).

Modus operandi

Mandate

In plain language: the Ad Hoc Committee on Cybercrime is tasked with drafting a new cybercrime convention by February 2024. The work of the committee will be concluded once it presents a draft convention to the UN General Assembly at its 78th session in September 2024.

Schedule

The organisational session was originally scheduled to take place in August 2020 but was postponed to 10–12 May 2021 in New York due to the impact of the COVID-19 pandemic. It was decided that the Ad Hoc Committee on Cybercrime shall convene at least six sessions, each lasting ten days, alternating between New York and Vienna.

After the six sessions, the AHC will convene its 7th concluding session from 29 January - 9 February 2024 in New York.

Procedures

On substantive matters, the committee will first exhaust every effort to reach agreement by consensus. However, should a consensus prove not to be possible, the Bureau of the UN Office on Drugs and Crime (UNODC) will confirm that the decisions shall be taken by a two-thirds majority of the present voting representatives. The chair will then inform the Ad Hoc Committee on Cybercrime that every effort to reach a consensus has been exhausted.

Composition

The Ad Hoc Committee on Cybercrime elected its officers at its organisational session. The committee is chaired by Algeria, with 13 vice chairs: Egypt, Nigeria, China, Japan, Estonia, Poland, the Russian Federation, Dominican Republic, Nicaragua, Suriname, Australia, Portugal, and the USA. Indonesia was appointed as the committee’s rapporteur.

Involvement of other stakeholders

The chair may invite, as observers, global and regional intergovernmental organisations, representatives of UN bodies, and representatives of functional commissions of the Economic and Social Council (ECOSOC). Representatives of NGOs with ECOSOC consultative status may attend the sessions. 

The chair and the UN Office on Drugs and Crime (UNODC) drew up a list, approved by member states, of relevant NGOs, civil society organisations, academic institutions, and private sector representatives with expertise in cybercrime who will be allowed to provide input as stakeholders.

 

 

Existing cybercrime instruments

One of the main questions about the negotiations under the UN auspices is how the new draft convention will interplay with existing major instruments – the Budapest Convention in particular. 

The Budapest Convention, formally known as the Convention on Cybercrime, is the most comprehensive and widely accepted legally binding instrument on cybercrime, adopted by the Council of Europe (CoE) in November 2001 and entered into force on 1 July 2004. The convention includes a list of crimes that each signatory state must include in its law. In plain language, it requires the criminalisation of activities such as illegal hacking (including the production, sale, or distribution of hacking tools), acts relating to child pornography, and infringements of copyright and related rights.

The CoE has already adopted its first and second additional protocols. The First Additional Protocol to the Budapest Convention concerns the criminalisation of acts of a racist and xenophobic nature committed through computer systems. The protocol extends the scope of the Budapest Convention and covers offences of racist or xenophobic propaganda in its substantive, procedural, and international cooperation provisions. So far, 35 states have signed and ratified the protocol, while 10 have signed it but have not ratified it. The Second Additional Protocol to the Budapest Convention on enhanced cooperation and disclosure of electronic evidence responds to the challenges and complexity of obtaining evidence that may be stored in foreign or unknown jurisdictions. Specifically, the protocol provides tools for direct cooperation with service providers and timely cooperation in emergencies or joint investigations while ensuring effective human rights protection. So far, 40 states have signed the second protocol, but only 2 have ratified it.

With 68 ratifications – 20 of which are by states that are not members of the CoE (including the USA, Japan, Australia, and, most recently, Argentina, Brazil, Cabo Verde, Peru, Colombia, and Ghana) – the Budapest Convention is de facto the accepted international agreement on combating cybercrime, which has inspired numerous regional and national cybercrime regulations.

Consulting instruments 

States' drafting suggestions include provisions from other international conventions as consulting instruments. 

The first is the UN Convention against Corruption (UNCAC), which obliges states to adopt preventative and punitive measures to combat corruption in both the public and private sectors. Essentially, the convention addresses international cooperation and obliges state parties to assist each other in legal assistance requests, including investigations, prosecutions, and judicial proceedings. It entered into force on 14 December 2005 with 189 state parties and 140 signatories. Most states that referred to UNCAC in their drafting suggestions stated that it should be used as a tool for coordinating international cooperation. 

The second is the UN Convention on Transnational Organized Crime (UNTOC), which provides measures to combat transnational organised crime. It has three additional protocols: two address the prevention of human trafficking and the smuggling of migrants by land, sea, and air, while the third obliges states to implement measures against the illegal manufacture of and trafficking in firearms. It entered into force on 29 September 2003 with 190 state parties and 147 signatories.

Provisions from regional instruments were used as well. These include provisions from the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), the Commonwealth of Independent States Agreement on Cooperation in the Fight Against Crimes in the Field of Information Technologies (Dushanbe Agreement), the Budapest Convention, mentioned earlier, and the Arab Convention on Combating Information Technology Offences, as well as recommendations of the Open-ended intergovernmental expert group to conduct a comprehensive study on cybercrime.

Open issues

Why is this convention important?

Once the UNGA adopts the convention, a new global treaty addressing cybercrime with universal adoption across the entire UN Membership will have a significant impact on users of information and communications technologies (ICT). It would therefore bring greater security at national, regional and international levels. In particular, the convention aims to harmonise national approaches in fighting cybercrime and enhance international cooperation between states through developing clearer frameworks for investigation and cross-border data exchange.

At the same time, the convention will have far-reaching consequences for related fields such as cybersecurity research, data protection and privacy, and enforcement. Both civil society and industry have already voiced their concerns over potential risks to human rights and enforcement mechanisms.

 

What would be the scope of the future convention?

The UN General Assembly (UN GA) Resolution 74/247 mandates the Ad Hoc Committee (AHC) to elaborate a ‘comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes’. At the same time, the future convention has already been tagged as a ‘cybercrime convention’ in public research and the media. The first sessions have also shown that states have diverging views on the use of terminology (‘the use of ICTs for criminal purposes’ vs ‘cybercrime’) and its particular scope. For instance, a focus on the first term (‘the use of ICTs for criminal purposes’) could presumably broaden the scope (e.g. to include online content) of issues to be regulated by the future convention.

At the same time, states and the international community (including accredited stakeholders) seem to generally agree that the convention should focus on cyber-dependent offences. The question remains whether and how cyber-enabled offences shall be covered by the convention. In this regard, a number of delegations have stressed that the future convention should create added value and should not overlap with existing legal instruments, such as UNCAC and UNTOC.

As a possible option, a number of delegations have submitted a proposal for clear criteria to distinguish which cyber-enabled offences should be included and how the scale and impact of damages should be addressed. The UN Office of the High Commissioner for Human Rights stated that only a narrow set of offences inherent to cyberspace should be criminalised.

The published consolidated negotiating document (21 January 2023) does not include provisions on terminology as delegations have agreed to move on to other areas with greater potential for reaching consensus. So it is yet to be seen during the 5th and 6th sessions of the AHC if and how states reach an agreement on the scope and terminology.

Criminalisation of certain conduct: How should the future convention define the conduct to be criminalised? Which criteria should be applied to offences in this regard?

The definition of criminal intent in the criminalisation of certain conduct and, in particular, what constitutes illegal access is another area where states have expressed diverging views, and one whose importance non-state stakeholders have emphasised. In particular, the published consolidated negotiating document (21 January 2023) shows a variety of terms preferred by different delegations: ‘unlawful’ vs. ‘without authority’ and/or ‘unauthorised’ as well as ‘acts committed intentionally’ or ‘unlawfully’ or ‘without right’ or ‘unauthorised’.

These nuances are important. The careful use of terms in the future convention is critical to avoid the criminalisation of activities conducted in good faith and for legitimate purposes, such as ethical cybersecurity and vulnerability research, penetration testing, and similar activities. Criminalising such activities would discourage so-called ethical and white-hat hackers from searching for vulnerabilities in ICT and responsibly reporting them to facilitate a reduction in security risks and provide greater safety for users.

Another area that concerns the information security industry is the amendment proposed by some states to criminalise cases based on information released by a company for transparency and risk mitigation. This might make manufacturers of software and hardware subject to criminal charges if their products have a vulnerability exploited for criminal activity (Article 10). In practice, it is not realistic to expect vendors to predict all possible vulnerabilities in their products, nor feasible to determine and prove whether manufacturers had criminal intentions in making such products and/or information available. 

An analysis of the latest state interventions (after the 4th session) shows that a group of states prefer avoiding the use of the term unlawful since this usually means that certain conduct cannot be illegal (unlawful) until it is criminalised. At the same time, each country may have, under domestic law, its own interpretation of what is unlawful, which might create a different interpretation of the future convention. In this regard, some delegations stress that terms such as without authority and unauthorised would be clearer and more appropriate for the criminalisation chapter. At the same time, delegations have said that without authority would not be appropriate for all offences – e.g. certain conduct cannot be lawful even with authority (such as child sexual abuse-related offences). Careful use of terms in each particular context (i.e. provision) is essential to ensure a balanced approach and appropriate regulation.

Another point not yet clarified is which crimes should be criminalised. Some delegations advocate imposing more serious penalties for crimes targeted at critical infrastructures, such as ICT infrastructures, and non-state stakeholders call for states to develop a clear threshold for serious crimes. In contrast, some delegations have supported using the definition found in the UNTOC, where serious crime is defined in article 2 (b) as ‘conduct constituting an offence punishable by a maximum deprivation of liberty of at least four years or a more serious penalty’, defining it by its penalty rather than by the type of crime.

Specifics in national laws and practices of domestic regulation might determine a lower threshold, and states would need to reach an agreement here. This issue receives special attention from privacy-concerned stakeholders since the threshold for serious criminal offences would determine in which cases states have the power to collect electronic evidence, to send requests for real-time collection of information (if this provision remains at all in the future convention), to intercept data, to expedite the preservation of data, and to retain traffic data and/or content data.

What impacts would the convention have on harmonising national laws and the dual criminality principle?

There seems to be broad agreement across national delegations and non-state stakeholders that dual criminality is the foundational principle for international cooperation for the future convention. The dual criminality requirement mandates that acts be considered a crime in both involved jurisdictions when mutual legal assistance is provided to ensure the principle of legality is upheld. A closer analysis of states’ views also shows a broader agreement that the future convention should follow examples of UNTOC and UNCAC in specifying grounds for refusing a mutual legal assistance request, for example.

At the same time, the future convention should increase effective cross-border international cooperation in the investigation of cybercrime, although the consolidated negotiating document (21 January 2023) reflects a lack of precision on how conflicts among national jurisdictions would be avoided in, for instance, joint investigations. Furthermore, certain provisions (such as in Article 45 para 1(b)) grant powers for extraterritorial jurisdiction where specific measures might be taken by competent authorities of state A about a service provider ‘offering its services’ in the territory of such a state ‘to submit subscriber information relating to suspected criminal offences/in that service provider’s possession or control’. Several non-state stakeholders from the business and civil society sectors have voiced their concerns in this regard.

On the other hand, the current negotiation process has not seen the same level of inter-state disagreement regarding transborder access to stored computer data as the negotiation of the Budapest Convention did (particularly for Article 32 (b)) – which is believed to be one of the most advanced legal frameworks in this regard. However, it remains unclear how the future convention and the Budapest Convention, as well as international vs national laws, would interplay to issue warrants and get transborder access to electronic evidence.

Human rights perspectives and safeguards: To what extent are they protected?

Already from the first session, some states and stakeholders emphasised the need to ensure the protection of human rights and fundamental freedoms within the future UN cybercrime convention, specifically, that the legal provisions under the convention be in line with the international human rights law treaties and that the implementation of such provisions on the national level ensures protection of human rights.

The consolidated negotiating document (21 January 2023) stresses under Art. 5 (Respect for human rights) that ‘states should carry out their obligations under the convention in accordance with their obligations under international human rights law treaties and other international human rights instruments to which they are members.’ However, this is not enough to guarantee effective protection on a national level because, depending on the criminal offence, legislative measures and the definition are left to the discretion of the states. Considering the ongoing negotiations on the wording of Art. 5, it is still uncertain how this will be applied.

For example, the inclusion of Art. 25 bis. on the Dissemination of false information establishes a high risk of violating the freedom of expression as no guarantees of protection are provided. Art. 25 (2) bis. states that false information and serious social disorder shall be defined in accordance with the domestic laws of each State Party. Considering that many states oppose the inclusion of Art. 25 (2), it is uncertain whether it will stay in the future convention.

Another example is the conditions and safeguards regarding establishing and implementing the application of powers for law enforcement under Art. 42. There are divergent views on the level of protection of human rights and freedoms needed. One group of states aims to leave the implementation of powers to the discretion of states. In contrast, a second group wishes to emphasise the inclusion of international human rights law treaties and ensure that any derogation of privacy and protection of personal data be in accordance with the principles of legality, necessity, and proportionality. Establishing such guarantees could be critical to the inclusion of provisions regarding the collection of data as well as requests for real-time collection and interception of data, which are currently under informal consultations. At the same time, Art. 55 bis. aims to ensure cooperation between authorities and service providers, which could create risks for individuals’ fundamental rights, such as privacy and personal data protection during investigative procedures.

Which governing body can ensure the effective implementation of the future UN convention?

The development of a new UN convention on cybercrime has demonstrated the challenges that might come with its implementation. Human rights protections, the definitions of crimes, and the implementation of regulatory processes at national levels are among the main open points that the updated consolidated document has highlighted. Ensuring its effective implementation through a governing body on an international level is yet another possibility to be addressed.

An option noted in the consolidated negotiating document (21 January 2023) states that ECOSOC’s Commission on Crime Prevention and Criminal Justice should be the implementing body of the convention. On the other hand, some states and some stakeholders believe that the oversight body should be a conference of parties to avoid ‘conflation of other treaty commitments’, while also allowing non-members to take part in the consultation process.

Since the specification of a governing body will be further discussed in the fifth session of the AHC, we are waiting for new provisions to be proposed.

The next steps

The next step in the process is the concluding session of the AHC on Cybercrime, where states will vote on a final version of the convention. After the 6th session, the chair will also present compromise proposals on the pending provisions for the concluding 7th session to be held in New York from 29 January to 9 February 2024.