After years of negotiating, the United Nations Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (AHC) held what was supposed to be its final negotiating session in February. 

The Convention was poised to be the first binding UN instrument on cybersecurity, serving as a framework for international cooperation on mitigating cybercrime. The text was scheduled to be finalized in the last session and then presented at the next United Nations General Assembly (UNGA) in September for ratification by member states. However, large-scale disagreements on scope, terminology, and other details led the states to agree to suspend the Convention and tentatively decide to reconvene for another session of up to 10 days in New York at a future date, with the goal of still presenting the draft Convention at the September UNGA.

Background

A previous blog explored the Russian motivations behind launching this initiative to replace the Budapest Convention, the current international mechanism to address cybercrime, of which Russia is not a signatory. States were hopeful that the UN Convention would make it easier to address cybercrime in non-Budapest signatory countries, while maintaining a high standard of safeguards for human rights. However, as the February negotiating session came to a close, it was clear there would be no consensus among the negotiating parties, and a suspension was likely.

The text is riddled with disagreement on key issues such as terminology, human rights protection, and government surveillance. The inability to make progress on these concerns has spurred outrage from civil society, academia, and the broader stakeholder community, who emphasize the dangers of ratifying the convention in its current state. In this context, a suspension was the less harmful outcome: it avoided renegotiating the treaty mandate or ratifying a treaty that would have undermined protections for human rights advocates, security researchers, and many other key stakeholders.

Prior to the final round of negotiations, a joint civil society statement with more than 100 signatories was released calling on the AHC to ensure the Convention narrowed its focus to tackling cybercrime, and “not be used as a tool to undermine human rights.” This was followed by an open letter to the Chair of the AHC on Cybercrime that draws “urgent attention to the critical flaws” in the current draft of the treaty, which, if left unchanged, would make cyberspace even more vulnerable.

Additionally, a broad collection of members from the security research community released a statement with concerns about the impact of the Convention on the rights of good faith cybersecurity researchers, outlining the problematic language in each of the relevant articles. These public statements make clear the overarching sense of frustration among civil society that their feedback is not being taken seriously or integrated into subsequent drafts of the Convention. The key issues remain the following:

Scope: The current text contains an overly broad scope, potentially criminalizing legitimate cyber activities, and creates legal uncertainty through Article 17’s reference to crimes under other “applicable international conventions and protocols.” The vague scope leaves room for the Convention to be exploited, criminalizing legitimate online activities like ethical security research or exercising freedom of speech. The scope of the Convention needs to be narrowed to specifically defined cyber-dependent crimes to avoid the potential misuse of certain provisions. 

Human Rights: The Convention also lacks appropriate references to obligations under international human rights law, and fails to set safeguards in accordance with principles of non-discrimination, legality, legitimate purpose, necessity, and proportionality. Additionally, the text lacks effective gender mainstreaming which would ensure the Convention does not undermine a person’s human rights on the basis of their gender. The text also lacks strong victim assistance mechanisms, deferring to domestic law in many places which may not contain effective protections, leaving victims without legal guarantees or the right to seek recourse. 

Security Research: One of the detriments of the Convention’s overly broad scope is the potential to treat security research as criminal activity. Ethical security research is meant to discover and report vulnerabilities for the purposes of enhancing technological safety and educating the public on important cybersecurity matters. The text fails to incorporate sufficient safeguards to protect ethical hackers, whistleblowers, activists, and journalists from the possibility of prosecution. We suggest the Convention specify that only acts with “malicious” or “criminal” intent be eligible for prosecution.

Surveillance Power: The treaty also includes provisions that would expand state surveillance power and information sharing beyond the scope of specific criminal investigations and without explicit data protection and human rights safeguards. The current text authorizes states to conduct intrusive cross-border data collection without prior judicial authorization or oversight. Service providers would be unable to notify users about data collection, and individuals would not know when their data was being accessed. Without mandating prior judicial authorization for information sharing and cross-border investigations, the Convention risks enabling human rights violations and secret large-scale data collection.

* * *

Moving Forward & Potential Outcomes

The Convention text was supposed to be finalized at the conclusion of the February sessions, but with the current suspension the future is unclear. The AHC on Cybercrime mandate specifies that the Convention must “conclude its work in order to provide a draft Convention to the General Assembly at its seventy-eighth session” in September 2024.

Time is running out. There are also concerns regarding budget and location logistics for the extra negotiating session, which could put strain on smaller states with constrained resources. Informal discussions are likely to take place in Vienna in the following months; however, they exclude larger stakeholder engagement, which limits the ability of civil society to provide feedback and dampens the transparency of the overall process.

If the Convention fails to produce a treaty – which requires a two-thirds majority vote – and fails to agree on a joint resolution, the decision would be passed to the UNGA. The Committee can ask the UNGA to vote on an extension, but this would require a new resolution and renegotiating the mandate. Additionally, the UNGA could vote on the text as it stands, but a simple majority vote would result in conflicting resolutions being adopted. It is unclear how the states will reach consensus on the wide breadth of issues, but it’s critical that the treaty ensures proper safeguards for human rights and ethical security research, and that its scope is tailored to malicious cyber activity.

Alexis Steffaro
