The UN General Assembly and the Fight Against the Cybercrime Treaty

The final text of the United Nations Convention Against Cybercrime, adopted last Thursday by the United Nations Ad Hoc Committee, is now headed to the UN General Assembly for final approval. The last hours of deliberations were marked by drama as Iran repeatedly, though unsuccessfully, attempted to remove almost all human rights protections that survived in the final text, receiving support from dozens of nations. Although Iran’s efforts were defeated, the resulting text is still nothing to celebrate, as it remains riddled with unresolved human rights issues. 

The Fight Moves to the UN General Assembly

The UN General Assembly could consider the treaty as soon as next month. If it passes, Member States will be invited to sign and ratify the treaty, a process that often involves legislative debate and votes. The treaty will officially come into force 90 days after at least 40 countries ratify it.

This presents  a vital opportunity for us to push back. We must rally a strong, unified opposition to ratification and demand that the treaty, if ratified, be augmented with robust human rights safeguards and accountability. Civil society, defense attorneys, and data protection authorities must ensure implementation laws adhere to the highest human rights standards—especially where the treaty is silent or vague. 

Throughout more than three years of advocacy, we fought for clearer definitions, narrower scope, and stronger human rights protections. Yet, instead of merely facilitating cooperation on cybercrime, this treaty introduces new surveillance powers and cross-border procedures that could facilitate repression under the guise of the UN Treaty system.

The Unsettling Concessions in the Treaty Negotiations

The key function of the Convention, if ratified, will be to create a means of requiring legal assistance between countries that do not already have mutual legal assistance treaties (MLATs) or other cooperation agreements. This would include repressive regimes who may previously have been hindered in their attempts to engage in cross-border surveillance and data sharing, in some cases because their concerning human rights records have excluded them from MLATs. For countries that already have MLATs in place, the new treaty’s cross-border cooperation provisions may provide additional tools for assistance.

A striking pattern throughout the Convention as adopted is the leeway that it gives to states to decide whether or not to require human rights safeguards; almost all of the details of how human rights protections are implemented is left up to national law. For example, the scope and definition of many offenses “may" or may not include certain protective elements. In addition, states are not required to decline requests from other states to help investigate acts that are not crimes under their domestic law; they can choose to cooperate with those requests instead. They may refuse to help with surveillance requests that appear to be pretexts for persecution, but the treaty also lets them choose to assist.

This pattern continues. For example, definitions of cybercrimes—which may sweep in good faith security research and certain journalistic activities—let states choose whether specific elements must be included before an act will be considered a crime, for example that the offense was done with dishonest intent or that it caused serious harm. Sadly, these elements are optional, not required.

Similarly, provisions on child sexual abuse material give states the option—but no requirement—to narrow the scope of what’s criminalized so that it focuses only on media depicting actual harm to a real child. Requiring states to do so wo