The U.S. issued an updated position regarding the UN Convention Against Cybercrime, a controversial treaty that is intended to improve the global community’s ability to combat evolving cybercrime threats.
In our last blog post, we explored the key issue areas of the convention that were holding up the finalization of the text, including scope, human rights, security research, and surveillance power. Despite the overarching concerns that stakeholders may seek to misuse the convention or leverage national frameworks that do not contain strong human rights safeguards, the U.S. has issued a statement that they will be “joining consensus with the goal of moving the process forward and with the intent of advancing further clarifications and interpretive guidance to address stakeholder concerns.”
The U.S. Position
There has been debate regarding whether the U.S. would eventually support the UN Convention Against Cybercrime, particularly considering the number of disputed topics within the text and the original Russian intentions to replace the Budapest Convention, of which they are not a signatory. Critics have voiced that signing onto the Convention would render the U.S. complicit in a treaty that lacks sufficient human rights protections, while advocates pushed that the U.S. would not be able to further influence the document in a positive direction if it removed itself from negotiations altogether.
The “Explanation of Position of the United States on the Adoption of the Resolution on the UN Convention Against Cybercrime in UNGA’s Third Committee” underscores that the Budapest Convention is the “gold standard” for international cooperation related to cyber crimes. But the UN Cybercrime Convention — when implemented with robust domestic safeguards — holds potential to improve the international community’s ability to combat ransomware, widespread cyber-enabled fraud, and illegal intrusions into computers and networks. The Convention also garners recognition for Articles 14 and Article 16, which significantly improve international coordination in combating the non consensual distribution of intimate images, child sexual abuse material, and online grooming of children for sexual purposes.
However, the concern remains that certain states may deliberately fail to implement human rights and safeguard provisions, as required by the Convention. Issue areas include:
- Potential human rights abuses like extraterritorial surveillance and the targeting of human rights defenders.
- Targeted harassment of security researchers.
- Potential abuse of e-evidence requests.
- Misuse of national cybercrime, data access, and other cyber related domestic statutes to target dissidents.
- Expanding surveillance laws and technical capabilities without domestic safeguards.
Domestic Safeguards
The U.S. acknowledges these concerns and makes clear that the implementation of Convention provisions have to be coupled with domestic safeguards, oversight, investments in capacity building, and strong rule-of-law institutions. The recent publication even states that the U.S. may not ratify until meaningful human rights and other legal protections are implemented by the signatories.
Furthermore, the U.S. emphasizes that the Convention requires critical safeguards for the use of domestic powers such as search and seizure, including when providing mutual assistance to other parties. It highlights the need for constraints on law enforcement tools through conditions that protect human rights, including grounds for justifying investigative powers, limitations on scope and durations, judicial review, and the right to effective remedy.
Moving Forward
If a country invokes the Convention in a way that violates the prohibition against using the Convention to suppress human rights or fundamental freedoms, the Conference of States Parties (COSP) will serve as a mechanism for exposing and condemning any abuses committed under the framework of the Convention while also fostering efforts to prevent future misuse. However, doubts persist about the effectiveness of this mechanism in deterring misuse particularly by authoritarian governments, which may exploit the Convention’s framework while disregarding international scrutiny or sanctions.
Additionally, the U.S. will participate in the drafting of the UN legislative guide for states seeking to ratify or implement the Convention to ensure full compliance with the protections in the Convention, including on issues of implementation of the criminalization provisions into domestic legislation. Finally, the U.S. has committed to integrating capacity building efforts for this Convention into ongoing global programing on domestic cybercrime legislation, in addition to bolstering a cross-sectoral coalition to monitor the implementation of the Convention.
The likelihood of the U.S. officially signing onto the UN Cybercrime Convention during next month’s General Assembly final vote remains uncertain, particularly given its dependence on certain authoritarian states, such as Russia, implementing robust domestic safeguards—an outcome that seems improbable. These safeguards, while critical, are not mandated by the Convention itself, further complicating the path to U.S. support.
Although the U.S. has joined consensus to advance discussions and address issues of concern, how it will ultimately respond in the General Assembly remains to be seen. Furthermore, the U.S. has a history of not ratifying UN treaties for fear that it could infringe on national sovereignty and give the UN authority over domestic policies. This uncertainty underscores the complexity of balancing U.S. international cooperation with its commitment to human rights and the rule of law.
Read Next
EU’s Cyber Resilience Act Enters Into Force
New product cybersecurity requirements are coming to the EU single market after years of intense debate and negotiation in Brussels, as the European Union’s Cyber Resilience Act officially enters into force.
Through the Looking Glass: An Updated Vision for the Office of the National Cyber Director
The ONCD was established to advise the President on cybersecurity and has matured into a key component of cybersecurity policymaking. However, changes are needed to ensure the efficacy of the office, especially as it relates to other agencies.
The U.S. Data Security EO with Lee Licata and Grant Dasher (Part 2)
For the first time in the Distilling Cyber Policy podcast, Alex and Jen are re-joined by guests from earlier this season: Lee Licata, from the Department of Justice, and Grant Dasher, from CISA.