Blog Post

Understanding the UN’s New International Treaty To Fight Cybercrime

Can the UN's new international Convention Against Cybercrime balance law enforcement, privacy, and human rights?

Date Published
30 Jul 2024
Author
Charlie Plumb

In 2022, the Government of Costa Rica declared a national emergency after a ransomware attack brought 27 government bodies offline, disrupting everyday functions for months. In 2023, an employee of a multinational corporation in Hong Kong transferred $25.6 million after being instructed to do so during a Zoom call with colleagues he recognized. The other attendees, however, were deepfakes, and the money was sent to sham accounts.    

The frequency, sophistication, and costliness of cybercrimes have continued to increase in recent years, and they are becoming notoriously difficult to counter. International consensus and cooperation are becoming more critical to address the rapidly evolving risks these crimes pose to States, businesses, and individuals.  

In 2021, the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes held its first organizational session, with the ultimate goal of drafting a convention to address cybercrime ("the Convention"). However, defining the precise purpose and scope of such a convention is fraught with complexities; balancing the need for effective law enforcement with the protection of privacy and human rights remains a significant challenge.    

After three years of negotiation, this group will hold its reconvened concluding session from 29 July to 9 August 2024. During this session, it is expected to reach an agreement on the final text of the Convention; the most recent draft was released on 23 May 2024. The text of the Convention may change significantly during the upcoming negotiations. This primer addresses some key aspects and debates related to the current text. They can be summarized as follows:  

  • The Convention criminalizes a range of core cyber-dependent crimes, and a limited number of cyber-enabled crimes. It also obligates States to develop digital investigation and enforcement capabilities, and to apply these new powers to other crimes conducted using computer networks;
  • Cyber investigations can be invasive, and digital rights groups argue that the expanded scope and lack of sufficient safeguards endanger human rights;
  • The Convention uses technologically neutral language; it addresses activities, not methods, so that it will remain relevant as technology changes; and
  • The Convention focuses on combating negative uses of technology, not promoting positive uses.  

What is a "Cybercrime"?

There is no international consensus on what constitutes a cybercrime, and the current draft of the Convention does not provide an explicit definition. Cybercrime is used as an umbrella term for a range of online activity with two broad categories: cyber-enabled and cyber-dependent crimes.

Much traditional criminal activity is conducted online but doesn’t require the use of a computer. These are called cyber-enabled crimes. Examples include drug and weapons trafficking, identity theft, fraud, and incitement of violence. Cyber-dependent crimes, on the other hand, are crimes that can be committed only through the use of Information and Communication Technology (ICT) devices. You can’t spread malware if there’s no computer or network to infect.  


Negotiations on Scope

Throughout the negotiations, parties have disagreed on whether this Convention should address only crimes that can be committed solely through the use of computers or networks, or also cover other crimes if committed through the use of an ICT. In the case of the former, the treaty would define and criminalize a range of cyber-dependent crimes and provide procedural measures through which States would cooperatively investigate and enforce those activities. Some States that align with this vision—including New Zealand, Canada, and the United States—have suggested that specified cyber-enabled crimes may also be within the scope of the treaty if they have exploded in scale through the use of ICTs, such as digital fraud and the dissemination of child sexual abuse material.

On the other side of the debate, States including Russia and China expect the Convention to address a wide range of criminal activities conducted using ICTs (cyber-enabled) in addition to cyber-dependent crimes. India, China, and Indonesia were among States that proposed the Convention criminalize the dissemination of disinformation or “harmful information.” Russia’s 2021 submission enumerated 24 unlawful acts to be established under the Convention, including narcotics trafficking, coercion to suicide, and “extremism-related offences.”  

Human and digital rights organizations have opposed the latter vision, warning of the serious threats to human rights that a broad scope poses, especially without adequate safeguards and protections in place. A wide scope, either through defined cyber-enabled crimes or through vague language, risks criminalizing content and activities, including political dissent, independent journalism, and LGBTQ+ resources.

Investigating crimes committed via ICTs can be a highly invasive process and can be used to justify vast surveillance. Digital rights organizations and UN bodies, including the Office of the High Commissioner for Human Rights, have raised concern over how domestic cybercrime laws are often used to justify restricting freedoms of speech, assembly, and association.

There are legitimate reasons for capacity development and international cooperation in investigating crimes committed through ICTs. However, human rights advocates emphasize that a narrow scope, clear limitations, and explicit safeguards for human rights are necessary to prevent infringement of privacy, excessive information collection, criminalization of legitimate online speech, and the undermining of transparency and trust in digital communications.   

Scope of the Current Draft: Criminalization, Enforcement, and Cooperation  

Article 3 of the most recent draft defines the Convention’s scope in two parts. First, the text addresses “the prevention, investigation and prosecution” of activities criminalized in the Convention (Articles 7–17), which are:  

  • Illegal access to an ICT system;
  • Illegal interception of electronic data;
  • Interference with electronic data or an ICT system;
  • Misuse of devices for the above purposes;
  • Forgery, theft, or fraud related to an ICT system;
  • Solicitation, production, distribution, or possession of child sexual abuse material through ICTs;
  • Dissemination of intimate images without consent of the subject through ICTs; and
  • Laundering of proceeds of any of the above crimes.

Article 3(b) broadens the scope to include the collection and preservation of a range of electronic data related to “other criminal offenses”—including domestic crimes—committed through an ICT (Article 23), and wide international cooperation in collecting and sharing evidence (Article 35).  

This means that the robust investigative powers States are obligated to develop under the Convention may be exercised for almost any reason, so long as the targeted activity is illegal under a State’s domestic law. Procedural measures and enforcement to which this scope applies include empowering State authorities to order, collect, or obtain:  

  • The preservation of traffic data, content data, and subscriber information;
  • Specified electronic data stored within its territory;
  • The assistance of service providers or other entities in control of the data in search and seizure;
  • Collection of real-time traffic data; and
  • Interception of content data.  

Provisions in the procedural scope obligate States to compel service providers to keep their mandatory involvement with the preservation or collection of data confidential. In theory, this means that the Convention empowers and legitimizes States to conduct vast levels of potentially invasive surveillance for any activity deemed illegal under their domestic law, including through forced assistance of service providers in procedures that evade transparency or oversight.  

The definition of “electronic data”—which is subject to preservation, production, and search and seizure—includes all data, whether or not it has been communicated. Documents and notes saved on personal devices are therefore subject to production and seizure by authorities.

That this collection applies to domestic laws means that digital surveillance could be conducted to investigate activity protected throughout much of the world. For example, LGBTQ+ people could be targeted in the 64 UN Member States in which homosexuality is illegal (this number is based on 2023 data).  

It’s important to remember that States could conduct similar digital investigations in their territory without this Convention; the treaty requires States to pass legislation in their respective countries that could come into effect without international obligation. The Convention would, however, require the global development of these systems. Furthermore, the Convention would obligate international cooperation on a range of digital investigations and prosecutions.  

There are practical benefits to this. States have legitimate authority to collect evidence related to criminal investigations and prosecutions, but many lack the infrastructure and procedural systems to do so with digital data. This Convention would motivate them to develop infrastructure and procedures, and provisions in the text provide for technological assistance to be made available for developing States.  

Article 35 defines the scope of international cooperation on the “collection, obtaining, preserving and sharing of evidence in electronic form.” Related provisions in the current draft require “the widest measure of mutual legal assistance” for investigations and prosecutions of crimes established in the Convention, as well as for “serious crimes” committed using an ICT.

Requiring that these investigations be motivated by serious crimes (or an activity criminalized in the Convention) is also a limitation applied to the collection of content data. A serious crime is defined in the text as a crime for which the applicable domestic penalty carries a maximum sentence of four years imprisonment or more. Therefore, a State could reasonably increase the sentence for any crime it wants covered by the Convention, thereby making the offense “serious.”     

Safeguards and Limitations

Parallel with debates over scope, States have had wide disagreements over the extent to which the Convention should articulate safeguards for human rights. While the draft text contains human rights provisions, many organizations argue they are insufficient to meaningfully prevent human rights violations.  

Article 6 provides safeguards that apply to the entirety of the Convention, and Article 24 describes those that apply to domestic surveillance powers. Neither provision specifically references existing human rights treaties; they require States’ implementation of the treaty to be “consistent with their obligations” under international human rights law. Article 6 also includes an additional safeguard, adopted from a proposal from Canada, which asserts that States cannot interpret anything in the Convention as “permitting suppression of human rights or fundamental freedoms.”    

Article 24 upholds that the implementation of surveillance powers is subject to safeguards provided for under each State’s domestic law. Unfortunately, the limitations that are necessary to ensure human rights are absent in many domestic legal systems. The Article also maintains that these powers incorporate the principle of proportionality. It does not, however, require accordance with other key principles, including legality, non-discrimination, legitimate purpose, and necessity.


Artificial Intelligence in the Convention and Beyond

Throughout negotiations, parties have been in general agreement that the Convention should use technologically neutral language so that the activity remains illegal if and when methods or targets change. Methods and mechanisms used in cyberattacks evolve rapidly, and the release of ChatGPT and other generative artificial intelligence (AI) models has given new meaning and scope to cybercrimes.  

This technological neutrality means that criminalization is not evaded through the malicious use of AI. The use of deepfakes to deceive employees in Hong Kong, for example, is criminalized under Article 13, which addresses ICT-related theft and fraud. Article 11 obligates States to criminalize “a device, including a program, designed or adapted primarily for the purpose of committing” a cyber-dependent crime defined in Articles 7–10. This language appears to criminalize AI models fine-tuned to generate malware and other malicious code.

Similarly, Article 14 defines the child sexual abuse material it criminalizes as sexualized content that “depicts, describes or represents” a minor. This includes the criminalization of AI-generated material, although the text permits States to require the subject to be a real child. Article 16, which criminalizes “non-consensual dissemination of intimate images,” on the other hand, addresses “visual recording[s] of a person,” not generated content.

In thinking through these aspects, parties should investigate what problem the treaty is trying to address: Is it criminalizing malicious activities that didn’t exist before the advent of the internet, or promoting capacity-building and cooperation in digital enforcement of "traditional" crimes conducted online? If the latter, are those crimes defined by domestic or international law? In either case, it’s critical to consider how enforcement can be optimized to both efficiently prioritize resource distribution and safeguard a wide range of human rights.  

When considering dynamic technological landscapes, policymakers often respond by segmenting digital space as a separate policy area. But is it? ICTs are an integral means by which individuals and institutions conduct a range of malicious, beneficial, and benign activities. If these activities are the subject of governance, then is a blanket policy over the means by which the activity is conducted effective? Instead, perhaps States should consider whether existing issue-specific international instruments—such as those dedicated to drugs and crimes—can be made more effective by incorporating digital dynamics.

Suggested citation: Charlie Plumb, "Understanding the UN’s New International Treaty To Fight Cybercrime," UNU-CPR (blog), 2024-07-30, https://unu.edu/cpr/blog-post/understanding-uns-new-international-treaty-fight-cybercrime.