UN Cybercrime Convention: negotiators request more time as consensus remains elusive

Charlotte Lindsey (Curtet)
Pavlina Pavlova

The concluding session of the Ad Hoc Committee (AHC) negotiating a new United Nations cybercrime convention took place in New York from 29 January to 9 February. While some progress on the Treaty has been made, it was not sufficient to reach a consensus. Member states agreed to “suspend” the meeting and reconvene at a later date. This procedural move enables delegations to extend the cybercrime deliberations under the same modalities whilst keeping the initial deadline to deliver the draft Convention to the UN General Assembly at its seventy-eighth session.

The more things change, the more they stay the same

The need to reach a consensus has been highlighted since the launch of these negotiations. However, a key disagreement remains between a group of countries over the scope of criminal activities committed with the use of ICTs, with some States calling for a wide scope and others for a narrow scope within the guardrails of core cybercrime. To achieve any meaningful progress, States will have to decide whether this instrument is a tool for streamlining cooperation on transnational cybercrime or a “general access treaty” that facilitates cooperation on a wide range of crimes.

A critical concern is the Treaty’s potential to authorise States to have intrusive cross-border data collection, devoid of prior judicial authorization, genuine oversight, and conducted in secrecy. A broad scope for international cooperation on electronic evidence could violate States’ obligations to respect privacy and other rights. This conflict is more pronounced if the text offers only limited grounds for refusal, weak human rights safeguards, and an open-ended provision allowing for the addition of more crimes to the Treaty in the future.

In this context, conditionalities on technology transfers as part of technical assistance between countries merit careful consideration. Building capacity of State agencies to effectively fight cybercrime is vital for an effective implementation of the agreed upon provisions. However, it poses risks that can eventuate into both intended and unintended harms and can have wide-ranging consequences that impact local communities. This is particularly the case when capacity building activities include the transfer of dual-use tools. Surveillance technologies are prone to abuse and misuse, posing substantial risks to human rights and fundamental freedoms.

Human rights protection was the subject of extensive discussions at the concluding session in New York, bearing in mind the potentially severe negative impacts this Treaty may have on freedoms and safety online. The Chair introduced several proposals for a compromise “package deal” that included provisions on the core issues that aimed to achieve a widely acceptable balance between the scope and safeguards. These efforts were met with a long list of delegations who took the floor to request changes. While some progress has been made on less contentious points, it is essential to exercise caution, bearing in mind the principle that nothing is agreed until everything is agreed in the draft text.

Civil society and industry join forces

While time-pressed delegates failed to find a compromise outcome, civil society and industry showed unprecedented unity. Revisiting the Multistakeholder Manifesto at the 11th Hour, the CyberPeace Institute and the Cybersecurity Tech Accord called for a cybercrime treaty that adheres to the human-centric principles set out in the Multistakeholder Manifesto. Prior to the negotiations, civil society issued a joint statement signed by over hundred NGOs that outlined the red lines that should be adhered to. In the process of the two-week negations, a broad spectrum of the global security research community came forward to express serious concerns with the present text. More than hundred and twenty researchers and other experts working on cybersecurity signed a letter that sounded the alarm about the Treaty’s substantial risks to good faith cybersecurity research.

A decisive moment for effective cross-stakeholder cooperation came on the eve of the last working day when an open letter signed by civil society, industry, and technical community representatives was delivered to the Chair. At the time when delegates considered whether the negotiations needed additional time to achieve a more balanced and impactful outcome, this letter urged governments to consider withholding support for the Treaty in its current incarnation. As later remarked by the Chair, from discussions it was clear that not all negotiating parties at the AHC were convinced the draft Convention should be adopted at this stage, but there is consensus that a treaty is urgently needed.

On the margins of the current Cybercrime Stakeholder Engagement Initiative, the Civil Society Unit of the United Nations Office on Drugs and Crime (UNODC)  and its civil society and industry partners, including the CyberPeace Institute, facilitated regional cybercrime consultations. These online events gather diverse stakeholders with the goal of exchanging knowledge about the ongoing negotiations and exploring areas of engagement for the Treaty’s future implementation. The first round of regional consultations for Africa, Asia, and the Americas took place in January, and the second round has been scheduled for March.

It is not over until it is over

The extension of AHC negotiations gives delegations more time to find an acceptable outcome but nothing is guaranteed. Informal discussions will take place in Vienna in the coming months. These discussions are closed to stakeholders and thus miss the opportunity for broader participation and statements. Many civil society organisations and industry representatives have been systematically involved in the AHC process and such exclusion from the plenary rooms limits our ability to provide timely feedback and inform the discussions. One option to enhance the transparency of the negotiations could be to organise an intersessional consultation in Vienna, similar to those which occurred between the first and sixth substantive sessions.

The concluding AHC session is expected to be convened this summer in New York. However, as an unplanned extra meeting, it is pending an approval from the UN General Assembly allocating the extra budget required. Events added to the negotiating schedule at this late point also put an additional strain on Member States’ resources. As noted by Liechtenstein, holding a further two-week session will have financial implications for delegations, who had not budgeted for such an expense.

The AHC mandate will expire with the concluding session. If a convention is not agreed upon, the Committee can ask the UN General Assembly to vote on its extension. This step would require a new resolution and could mean a renegotiation of the mandate and the modalities, including stakeholders’ participation. It is still unclear what path Member States will take to try to reach a compromise. Consensus will not come without concessions, however, governments must consider the far-reaching human rights implications of a legally binding international treaty for cyberspace, and ensure meaningful human rights safeguards.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.


Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.


Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.