EFF’s Concerns About the UN Draft Cybercrime Convention

The proposed UN Cybercrime Convention is an extensive surveillance pact that imposes intrusive domestic surveillance measures and mandates states’ cooperation in surveillance and data sharing. It requires states to aid each other in cybercrime investigations and prosecutions, allowing the collection, preservation, and sharing of electronic evidence for any crime deemed serious by a country’s domestic law, with minimal human rights safeguards. This cooperation extends even to countries with poor human rights records.  Negotiations for this treaty began in 2022, initiated by a controversial proposal from the Russian Federation. If adopted, it will rewrite surveillance laws worldwide. Millions of people, including human rights defenders, journalists, security researchers, and those speaking truth to power, will be affected. Without clear, enforceable safeguards, the treaty risks becoming a tool for state abuse and transnational repression rather than protecting human rights. Below are our main concerns. For a comprehensive list, please refer to our redlines and appeal to EU Delegates. 

EFF’s Key Concerns  

The Title of the Draft Convention is Misleading and Problematic: Cybercrime is a real issue but equating it with any crime involving ICTs is conceptually and practically harmful. Recent efforts at the domestic level to broaden its definition have led to the criminalization of legitimate activities, such as online criticism, religious expression, or LGBTQ support. In the proposed treaty, it encourages expansive interpretations that could lead to human rights abuses and transnational repression. Recommendation: Restrict the definition to "core cybercrimes" like technical attacks on computers, devices, data, and communications systems. Exclude human rights-protected activities from the scope of the treaty to prevent misuse and ensure these rights are not unjustly targeted due to equating cybercrime with any crime using ICT.    Expansive Scope and Over-Criminalization Risks: The draft Convention's criminalization chapter dangerously broadens its scope by including crimes like “grooming” and CSAM, not just cybercrimes. Its CSAM definition risks criminalizing consensual conduct between minors. Even worse, a proposed Protocol could add two more Ad Hoc sessions to discuss even more crimes, further expanding its broad scope. Recommendation: Criminalization must be limited to Articles 7 to 11. Narrow the scope of the CSAM article to target only intentional, malicious actions, exclude from criminalization consensual activity between minors, make exemptions for self-generated content by minors mandatory, ensure financing provisions target only those knowingly involved in illegal activities, and exclude the public interest use of such materials, such as evidence in crime investigations, and scientific or artistic materials.  

Overbroad Scope of Evidence Gathering Powers Will Enable Domestic and Cross-Border Spying on Acts of Expression: The open-ended scope of Chapters IV & V risks undermining law enforcement cooperation on actual cybercrime offenses by diluting resources. It lets governments spy on people to gather potential evidence for any crime if they’ve been committed using ICT. It also allows one state to help another in surveillance for any so-called serious crime. These expansions turn the treaty into an extensive surveillance pact. Article 23(2)(c) greenlights invasive measures for minor offenses and protected expressions abusively criminalized in some countries. Article 35(1)(c) means cooperation for serious crimes, defined as offenses punishable by four years or more, which can include acts of expression considered serious offenses in national law. This broad scope risks massive abuse of power. Recommendation: Limit Articles 23(2)(c) and 35(1)(c) to Articles 7 to 11 and delete Article 23(2)(b). Support OHCHR’s recommendation to revise the definition of serious crimes to mean only “those involving death, injury, or other grave harms,” as merely suggesting respect for human rights within such a broad scope is important but insufficient because it lacks enforceable protections against misuse and abuse. Ensure cooperation is limited to situations where there is a reaso