The UN Cybercrime Draft Convention Remains Too Flawed to Adopt

The proposed UN Cybercrime Convention, scheduled for a critical concluding session from 29 July to August 9th, poses a significant threat to global human rights unless major changes are made. Despite two and a half years of intense discussions and seven negotiation sessions, states remain deeply divided on fundamental aspects, leading to a deeply  flawed draft text and a problematic chair’s compromise package from February 2024. They can’t even agree what to call the Convention, much less its scope—should it address only core cybercrime, or any crime committed using technology? 

The February 2024 language continues to risk criminalizing protected speech, granting broad surveillance powers without robust safeguards, and raising serious cybersecurity concerns. Despite continuous advocacy from civil society and industry, these key issues remain unaddressed. A new version of the Convention is expected soon, but without addressing these critical flaws, the risks to human rights remain.

In a joint letter with over 100 NGOs, we state that the Cybercrime Convention must not advance without addressing critical flaws. The letter outlines clear requirements: the Convention must focus solely on cyber-dependent crimes, incorporate comprehensive human rights safeguards, and ensure robust protections for security researchers, whistleblowers, activists, and journalists. Absent these minimum requirements, we call on state delegations to reject the draft Convention and refuse to advance it to the UN General Assembly for adoption.

EFF echoes such requirements, among others:

• First, the Convention must be narrowly focused on cyber-dependent crimes, excluding overly broad content-related crimes that contradict human rights law from the proposed Convention.
• Second, it must include robust protections for security researchers, whistleblowers, activists, and journalists to ensure they are not unjustly criminalized for performing their essential work.
• Third, it must incorporate comprehensive human rights safeguards, including the principles of legality, non-discrimination, legitimate purpose, necessity, proportionality, transparency, effective remedy, and prior judicial authorization applicable throughout the entire Convention.
• Fourth, the scope of procedural measures and international cooperation must be limited to the defined cyber-dependent crimes, with explicit minimum robust safeguards against abuses of surveillance and data sharing, and adequate protection of personal data. 
• Fifth, direct sharing of personal data must be limited to specific criminal investigation, and be subject to robust minimum safeguards mandated in the text itself to prevent misuse, such as the need to comply with the principles of legality, necessity, proportionality, transparency, user notification, and the need for prior judicial authorization.
• Sixth, proactive sharing of personal data must be strictly limited and conditioned on compliance with minimum robust standards and international human rights law.

As is, the Convention will be a tool for states with repressive domestic laws to impose arbitrary and disproportionate restrictions on rights and freedoms. As the negotiations resume, it is crucial to address these issues and ensure the Convention aligns with international human rights standards to prevent disaster.

Many other NGOs and industry representatives have expressed similar