UN Cybercrime Negotiations: Protecting victims of cybercrime must be paramount, not optional

CyberPeace Institute

States are currently engaged in the process of elaborating a global Cybercrime Convention. The United Nations Ad Hoc Committee tasked with drafting the Treaty has met in six substantive iterations over less than two years and its work is expected to be completed in February. The Committee published a highly anticipated revised draft text of the Convention last November. This negotiating document has alarmed the multistakeholder community with its potentially far-reaching negative consequences for human rights and freedoms. 

The lack of consensus among countries, on a myriad of substantive matters, which marked the negotiations since the beginning, remains profound. Previous sessions have further seen a relentless push by some States to re-introduce harmful provisions. The revised text now expands the Convention’s scope while watering down its safeguards. States must consider, as they formulate their final positions, the human costs and risks of adopting the first legally binding Treaty for cyberspace under the UN flag that does not take into account the real-world deleterious impacts to rights and freedoms.

As it stands now, the risks of the Treaty outweigh its potential benefits. A wide swath of civil society organisations, industry, and academia have raised serious concerns that the proposed scope as such – and the scope of criminalization, procedural and law enforcement powers, and international cooperation in particular – are overbroad and problematic. This Convention should only be agreed upon by Member States once it can meet the necessary standards for the protection of the rights and dignity of those impacted by its application. Significant changes of the final draft text are needed to prevent the Treaty from being used by governments as a tool of repression.

Scope matters: Troubling provisions keep broadening the Treaty’s application

The list of criminal offences covered under this UN instrument should be clear, narrow, precise, and specific. If criminal conduct is defined in broad terms, certain types of speech online may become criminalised. The current language falls short of protecting excessively targeted groups such as journalists, whistleblowers, human rights defenders, civil society representatives, and political dissenters. 

This Treaty risks making cyberspace less secure as ethical hackers, cybersecurity researchers, and pen-testers may face criminal prosecution for good-faith legitimate activities. To avoid this, the definition that determines criminal conduct must require criminal intent and harm, and avoid references to ambiguous standards such as ‘dishonest intent’, ‘without authorization’ or ‘without right’. White hackers, cybersecurity researchers, and pen-testers that keep the digital ecosystem secure must be protected.

The revised text gives a boost to cross-border police surveillance. The overly broad language on procedural and law enforcement powers expand intrusive practices, such as real-time collection of data traffic and granting governments wide discretion to request data on unclear terms. These provisions are foreseen to apply to the collection of electronic evidence related to virtually any activity considered criminal that leverages technology in its commission. The accompanying guardrails are weak, defer to domestic law which may not contain effective protections and guarantees, and omit the principles of legality, necessity, and proportionality. This Treaty must not pave the way for practices that compromise the security, integrity, and confidentiality of digital communication channels or that undermine trust. Explicit references to international standards such as prior authorisation by judicial authority and the right to effective remedy are core requirements to protect people’s rights.

The Convention risks increasing coercive powers of governments to investigate, detain, and prosecute individuals and presents significant risks, especially to people in positions of vulnerability. The principle of dual criminality should be made obligatory and not optional as is foreseen in the current text. This principle requires that conduct must be considered a criminal offence in cooperating countries to make the request for international cooperation valid. It provides a level of protection for individuals by reducing the opportunities for their persecution or other human rights violations. The obligation for dual criminality as a prerequisite for international cooperation should also be further secured with references to the necessity of meeting international safeguards and standards protecting human rights. 

Cybercrime victims must not be left behind 

Despite States having agreed that obtaining justice for victims of cybercrime and the necessity to address the needs of persons in vulnerable situations is important, witness and victim protections remain weak. The Treaty leaves individuals and organisations impacted by cybercrime with no legal guarantees or rights to seek recourse and return of property. Standards for their protection are foreseen to be subject to domestic law which may or may not meet international human rights standards and offer adequate remedies and redress mechanisms. 

The CyberPeace Institute has called on States to ensure that the Cybercrime Convention protects victims of cybercrime. We have stressed the dire situation of vulnerable people and entities that face increased risks in cyberspace. The core purpose of any new law on cybercrime must be to create venues for improved access to justice for cybercrime victims and guarantee strong protections for all, especially the most vulnerable. 

Civil society’s role in combating cybercrime

Many civil society organisations contributed their experience and expertise to improve the text of the Convention. The statements put forward by the CyberPeace Institute helped to orient the discussions by informing about the lived realities and needs of cybercrime victims and proposed evidence-based recommendations. The Institute is a proud partner in the Cybercrime Stakeholder Initiative coordinated by the UNODC Civil Society Unit, which brings underrepresented voices to the UN venues and supports multi-stakeholder approaches to tackling cybercrime. 

Stressing the need for this Convention to protect individuals and their rights while effectively combating cybercrime, the CyberPeace Institute and the Cybersecurity Tech Accord came together to call for the prioritisation of human-centric principles in the cybercrime negotiations. Our joint statement Revisiting the Multistakeholder Manifesto at the 11th Hour uses the 2021 Multistakeholder Manifesto supported by over 50 civil society and industry representatives as a guide to assess how these principles have and have not been reflected in cybercrime deliberations. The emerging UN instrument must recognize that fighting cybercrime across borders and safeguarding people’s rights go hand in hand. By addressing both, there can be a better investigation and prosecution of cybercrimes.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.


Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.


Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.