The UN’s cybercrime treaty: where do things stand?

At the time of writing, around thirty countries and the EU have responded to the Chair of the Ad Hoc Committee on Cybercrime’s initial consultation on the scope, objectives and structure of what would be the UN’s first treaty on cybercrime. If negotiations are successful, and the resulting treaty is widely ratified, it will have a far-reaching and unprecedented impact on how cybercrime is understood and tackled globally. But success is far from assured—with the role of human rights among several issues likely to prove contentious in the coming discussions. 

In this blog, we review a selection of current responses to the treaty consultation, unpacking the key areas of agreement and disagreement which are likely to shape discussions when they begin in January 2022. Before going in, it should be noted that most of the current submissions come from Europe and the Americas, with a scattering from the Middle East—so there are still many views that have not yet been shared.

Areas of (some agreement)

• All of the submissions emphasise the need for the convention to promote more effective cooperation to address cybercrime between countries (e.g. by providing agreed investigative tools or minimum standards for cooperation). Instead, it is the concepts, terminology and definitions of cybercrime (or the ‘scope’ of crimes) where there is the clearest disagreement.
• Some submissions emphasise the need for the convention to be ‘technology-neutral’ and futureproofed to withstand technological developments. The countries who note this don’t actually explain what they mean here; but, presumably, it refers to the need for specificity regarding the scope of criminalisation but not the means (i.e. not specifying what a computer or other device is in a way that could become inapt).
• Countries in the Western Grouping (Australia, New Zealand, North America and Europe) and a number of Latin American countries also agree that the discussions should remain focused solely on criminal justice issues and not other issues related to cyberspace, such as cybersecurity or international peace and security in cyberspace (which is discussed within the UN General Assembly’s First Committee). However, there may yet be disagreement once the detail is discussed, particularly around certain topics (e.g. the regulation of ransomware used by criminal groupings in state-sponsored attacks). 
• Submissions indicate broad agreement on the need to build on existing instruments, such as the Budapest Convention and the United Nations Convention against Transnational Organized Crime. Interestingly, however, the EU submission does not mention the Budapest Convention—presumably to avoid politicising the instrument in the discussions. Of course, this doesn’t mean that, in practice, the Budapest Convention won’t act as a key and main reference point for countries who are party to that treaty.
• More than half of the submissions emphasise the importance of ensuring the compatibility of the convention with the international human rights framework. But the devil is in the detail. Many countries refer to the need for “rapid” and “effective” cooperation between authorities in their submissions, and the US would like to see a legal framework that facilitates cooperation to collect and obtain electronic evidence for any type of crime, begging the question: how this would work with the Mutual Legal Assistance Treaty (MLAT) process? MLATs are often criticised for being slow and cumbersome, but they often contain a number of important human rights safeguards that could be at risk if replaced with another framework that doesn’t adequately protect human rights. In fact, considering the very wide range of human rights records that exist among UN member states, it is critically important that the mutual legal assistance principle, underpinned by strong safeguards which allow a party (and service providers) to refuse a request for data or some other form of assistance where they consider that it could pose a risk to an individual’s human rights, is maintained in any treaty. This is one of the reasons why it will be so important to have civil society, including human rights experts, present in discussions.

Areas of disagreement

• A majority of the countries that have provided submissions want to see the scope of the treaty focus on cyber-dependent crimes (e.g. illegally accessing computer systems and data), with cyber-enabled crimes limited to those where there is widespread agreement in existing instruments (e.g. child sexual abuse material, computer enabled fraud and copyright). But others, such as Russia, Jordan and Indonesia suggest a much wider range of offences, including a range of content-based offences. Indonesia’s submission includes “disinformation” and “the dissemination of hoax material”. Jordan suggests a very broad list of crimes, including those related to “insulting religions, countries and symbols”. Mexico seems to be trying to strike a middle ground by suggesting that a wide range of potential offences be “discussed”, without outright suggesting they are included as crimes in the convention. From a human rights perspective, there are real concerns over expanding the scope of criminal offences beyond a core number of cyber-dependent crimes. We have already seen how, at the national level, broad offences relating to speech have been included in cybercrime legislation and used to restrict legitimate expression around political, religious and other sensitive subjects. It would be deeply concerning to see these also restricted through global instruments, which could, in turn, have a knock-on effect on the terms of service and content moderation policies of tech companies, whether US-based or otherwise.
• So far, only countries in the Western Grouping and Japan note the importance of an open, inclusive and transparent process that allows non-governmental stakeholders to contribute. The application process for attendance of the first substantive meeting of the Committee is currently open to all interested stakeholders. While there is as yet no guarantee that some countries will not invoke the UN’s no-objection rule to dismiss the attendance of groups (as happened at the first Open ended Working Group on ICTs at the First Committee) the Committee’s modalities do provide for some more transparency, and allow for it to take any final decisions as a whole including via a vote.

Next steps

The agenda for the first meeting in January isn’t yet publicly available, but it will most likely begin with a discussion and agreement of the main elements of the convention, which have already taken shape from the submissions provided: principles, scope, types of offences/definitions of cybercrimes, procedural provisions and accompanying safeguards, methods of international cooperation, and capacity building. After that, states will need to agree on the substance. As current submissions show, this will be the tricky part. We’ll be following discussions closely—for regular updates, sign up to our monthly Digest.