The final text of the United Nations Convention Against Cybercrime, adopted last Thursday by the United Nations Ad Hoc Committee, is now headed to the UN General Assembly for final approval. The last hours of deliberations were marked by drama as Iran repeatedly, though unsuccessfully, attempted to remove almost all human rights protections that survived in the final text, receiving support from dozens of nations. Although Iran’s efforts were defeated, the resulting text is still nothing to celebrate, as it remains riddled with unresolved human rights issues.
The Fight Moves to the UN General Assembly
The UN General Assembly could consider the treaty as soon as next month. If it passes, Member States will be invited to sign and ratify the treaty, a process that often involves legislative debate and votes. The treaty will officially come into force 90 days after at least 40 countries ratify it.
This presents a vital opportunity for us to push back. We must rally a strong, unified opposition to ratification and demand that the treaty, if ratified, be augmented with robust human rights safeguards and accountability. Civil society, defense attorneys, and data protection authorities must ensure implementation laws adhere to the highest human rights standards—especially where the treaty is silent or vague.
Throughout more than three years of advocacy, we fought for clearer definitions, narrower scope, and stronger human rights protections. Yet, instead of merely facilitating cooperation on cybercrime, this treaty introduces new surveillance powers and cross-border procedures that could facilitate repression under the guise of the UN Treaty system.
The Unsettling Concessions in the Treaty Negotiations
The key function of the Convention, if ratified, will be to create a means of requiring legal assistance between countries that do not already have mutual legal assistance treaties (MLATs) or other cooperation agreements. This would include repressive regimes who may previously have been hindered in their attempts to engage in cross-border surveillance and data sharing, in some cases because their concerning human rights records have excluded them from MLATs. For countries that already have MLATs in place, the new treaty’s cross-border cooperation provisions may provide additional tools for assistance.
A striking pattern throughout the Convention as adopted is the leeway that it gives to states to decide whether or not to require human rights safeguards; almost all of the details of how human rights protections are implemented is left up to national law. For example, the scope and definition of many offenses “may” or may not include certain protective elements. In addition, states are not required to decline requests from other states to help investigate acts that are not crimes under their domestic law; they can choose to cooperate with those requests instead. They may refuse to help with surveillance requests that appear to be pretexts for persecution, but the treaty also lets them choose to assist.
This pattern continues. For example, definitions of cybercrimes—which may sweep in good faith security research and certain journalistic activities—let states choose whether specific elements must be included before an act will be considered a crime, for example that the offense was done with dishonest intent or that it caused serious harm. Sadly, these elements are optional, not required.
Similarly, provisions on child sexual abuse material give states the option—but no requirement—to narrow the scope of what’s criminalized so that it focuses only on media depicting actual harm to a real child. Requiring states to do so would ensure that scientific, artistic, or educational materials are not wrongfully targeted, and that consensual, age-appropriate exchanges between minors would be excepted from criminalization.
The broad discretion given to states under the Convention was likely a deliberate compromise to secure agreement from countries with varying levels of human rights protections. But though it allows states with strong protections to keep them, it likewise allows states with weaker protections to keep theirs as well. While the negotiators were proud of this compromise, we see it as trading away our human rights for the sake of manufacturing consensus and concluding negotiations.
These numerous options in the convention are also disappointing because they took the place of what would have been preferred: advancing the protections in their national laws as normative globally, and encouraging or requiring other states to adopt them.
Exposing States’ Contempt For Rights
Iran’s last-ditch attempts to strip human rights protections from the treaty were a clear indicator of the challenges ahead. In the final debate, Iran proposed deleting provisions that would let states refuse international requests for personal data when there’s a risk of persecution based on political opinions, race, ethnicity, or other factors. Despite its disturbing implications, the proposal received 25 votes in support from countries like India, Cuba, China, Belarus, Korea, Nicaragua, Nigeria, Russia, and Venezuela.
That was just one of a series of proposals by Iran to remove specific human rights or procedural protections from the treaty at the last minute. Iran also requested a vote on deleting Article 6(2) of the treaty, the general human rights clause that explicitly states that nothing in the Convention should be interpreted as allowing the suppression of human rights or fundamental freedoms, as well as Article 24, which establishes the conditions and safeguards—the essential checks and balances—for domestic and cross-border surveillance powers.
Twenty-three countries, including Jordan, India, and Sudan, voted to delete Article 6(2), with 26 abstentions from countries like China, Uganda, and Turkey. This means a total of 49 countries either supported or chose not to oppose the removal of this critical clauses, showing a significant divide in the international community’s commitment to protecting fundamental freedoms. And 11 countries voted to delete Article 24, with 23 abstentions.
These and other Iranian proposals would have removed nearly every reference to human rights from the convention, stripping the treaty of its substantive human rights protections and impacting both domestic legislation and international cooperation, leaving only the preamble and general clause, which states: “States Parties shall ensure that the implementation of their obligations under this Convention is consistent with their obligations under international human rights law.”
Additional Risks of Treaty Abuse
The risk that treaty powers can be abused to persecute people is real and urgent. It is even more concerning that some states have sought to declare (by announcing a future “reservation”) that they don’t intend to follow Article 6.2 (general human rights clause), Article 24 (conditions and safeguards for domestic and cross border spying assistance), and Article 40(22) on human rights based grounds for refusing mutual legal assistance, despite their integral roles in the treaty. Such reservations should be prohibited. According to the International Law Commission’s “Guide to Practice on Reservations to Treaties,” a reservation is impermissible if it is incompatible with the object and purpose of the treaty. Human rights safeguards, while not robust enough, are essential elements of the treaty, and reservations that undermine these safeguards could be considered incompatible with the treaty’s object and purpose.
Furthermore, the Guide states that reservations should not affect essential elements necessary to the general tenor of the treaty, and if they do, such reservations impair the raison d’être of the treaty itself. Therefore, allowing reservations against human rights safeguards may not only undermine the treaty’s integrity but also challenge its legal and moral foundations.
All of the attacks on safeguards in the treaty process raise particular concerns when foreign governments use the treaty powers to demand information from U.S. companies, who should be able to rely on the strong standards embedded in US law. Where norms and safeguards were made optional, we can presume that many states will choose to forego them.
Cramming Even More Crimes Back In?
Throughout the negotiations, several delegations voiced concerns that the scope of the Convention did not cover enough crimes, particularly those related to free speech and online content. Russia, China, Nigeria, Egypt, Iran, and Pakistan advocated for broader criminalization, including crimes like incitement to violence and desecration of religious values. In contrast, the EU, the U.S., and Costa Rica advocated for a treaty that focuses solely on computer-related offenses, like attacks on computer systems, and some cyber-enabled crimes like child sexual abuse material (CSAM) and grooming.
Despite significant opposition, Russia, China, and other states successfully advanced the negotiation of a supplementary protocol for additional crimes, even before the core treaty has been ratified and entered into force. This move is particularly troubling as it leaves unresolved the critical issue of consensus on what constitutes a crime—a ticking time bomb that could lead to further disputes.
Under the final agreement, it will take 40 ratifications for the treaty to enter into force and 60 for any new protocols. While consensus remains the goal, if it cannot be reached, a protocol can still be adopted with a two-thirds majority vote of the countries present.
The treaty negotiations are disappointing, but civil society and human rights defenders can unite to fight ratification, ensuring these flawed provisions do not undermine human rights across the globe.