Procedure as Substance in the UN Cybercrime Convention

Over the weekend, the UN Cybercrime Convention opened in Hanoi, Vietnam, for signature. The convention is nominally about combating cybercrime—about adopting a common set of definitions and procedures for handling this transnational issue. Seen this way, portions of the convention read as parallel in substance to the Western-led Budapest Convention on Cybercrime. Other parts raise concerns about authoritarian states using provisions to legitimize suppression of dissent and more. 

But both of these framings neglect a substantial, less apparent dimension of the decision states face in deciding whether to sign the convention: The convention is essentially a global mutual legal assistance treaty (MLAT) for all crimes, not just cybercrime. Support for the convention may turn on whether states are in favor of a global mutual legal assistance regime, or not. And the convention’s success in achieving that aim may turn on the decision of the U.S.—the holder of vast amounts of electronic evidence—to join the club.

Background: Fragmentation Over Cybercrime

The Budapest Convention opened for signature in 2001, developed by the Council of Europe with select additional states. For the next quarter-century, five other multilateral mechanisms for dealing with cybercrime emerged—the Minsk (2001), Yekaterinburg (2009), Cairo (2010), Malabo (2014), and now UN (also called Hanoi) Conventions.

I have argued that concerns about and desires to architect visions of sovereignty in cyberspace largely drove this fragmentation. Both the drafting conditions and the provisions of the Budapest Convention raised sovereignty concerns for non-Western states. The resulting fragmentation reflects states forum shopping—or forum creating—to craft approaches that better serve their interests. This fragmentation was unusual in that a broad range of states, from aspiring hegemons to states with relatively little internet infrastructure, supported these efforts. As Eyal Benvenisti and George Downs argue, this kind of strategy is often deployed only by the most powerful states.

Many of these differences show up in the substance of how cybercrime is defined. For example, the Budapest Convention took an “ordinary crime” approach to the issue, prohibiting acts that would typically be found in an anti-hacking statute, such as illegal access and interception, data interference, misuse of devices, computer fraud, etc. But the joint Russian and Chinese approach expanded cybercrime to include acts that threaten the security of the state, such as “use of the information space” to violate “rights and freedoms” not just of individuals but also of the state. And the African Union and the League of Arab States scoped cybercrime to include unique threats to political stability, including within the scope of cybercrime political insults, justifying genocide, and spreading religious fanaticism. Each of these variations represents a unique concern about sovereignty.

It would be easy to slot the UN Convention into this sequence of fragmentation as the latest form of contestation of the Budapest Convention. Seen in that way, the UN Convention should be the latest version of non-Western states developing a mechanism that better accounts for their interests. Done through the UN, this version has the potential to be even more powerful in terms of both practical and normative authority. This account fits neatly within existing international relations theories of fragmentation and convergence. States sometimes pursue legal fragmentation as a way of postponing the development of a (for example) UN mechanism until conditions are more favorable to their interests. 

Substantive Similarities

But the UN Convention’s text suggests otherwise. With respect to the scope of cybercrime—an issue on which regional conventions diverged substantially—the text is substantially parallel. Most significantly, the UN Convention retains the Budapest Convention’s “ordinary crime” approach to cybercrime, including its primary prohibition on intentional “mere access” to computer systems. As described above, in contrast, other regional conventions took much broader approaches to definitions of cybercrime. 

The only difference in how the UN Convention scopes this “mere access” approach to cybercrime comes in its limiting clauses. Like the Budapest Convention, states may choose to narrow this prohibition on mere access on three bases: access “committed by infringing security measures,” access “with the intent of obtaining electronic data”, or access “with dishonest or other criminal intent.” The only difference from the Budapest Convention is the addition of “criminal” intent as a limiting basis.

Critics have seized on the addition of the word “criminal,” arguing that its inclusion massively broadens what counts as a cybercrime. For instance, Andrew Adams and Daniel Poldair argue in Lawfare that this addition would allow the kind of problematic expansion that happened in the regional conventions. For example, the term “criminal” might allow a state to define certain kinds of journalist or critical conduct online as criminal and then use the UN Convention as a basis for prosecution.

Here’s why that fear might not be true—or, at least, this clause may not be the source of that fear. “With criminal intent” functions as a limiting clause. The baseline requirement of both the Budapest and UN Conventions is that “mere access” to computer systems be prohibited. The only mental state required by the Budapest Convention is that the access itself be intentional, not accidental. So the kind of conduct Adams and Poldair are concerned about could already be punished under either convention. States may choose to limit the prohibition on mere access to access in certain circumstances—including circumstances in which the accessor has criminal intent. But this is still a limit on an otherwise broader provision. 

Procedural Divergence

Where the UN Convention does diverge substantially from the Budapest Convention is on matters of criminal procedure: on extradition, jurisdiction, and mutual legal assistance.

On extradition, the UN Convention takes a narrower approach than the Budapest Convention because it explicitly allows more grounds on which a state could refuse extradition. The UN Convention allows for refusal of extradition where  “substantial grounds for believing that the request has been made for the purpose of prosecuting or punishing a person on account of that person’s sex, race, language, religion, nationality, ethnic origin or political opinions [exist], or that compliance with the request would cause prejudice to that person’s position for any one of these reasons.” That is a substantial divergence from the Budapest Convention’s approach, which largely defers to existing extradition agreements between countries to set such exceptions.

The UN Convention also dramatically expands jurisdiction for cybercrime offenses. As Eli Scher-Zagier has written for Lawfare, the treaty adopts passive personal jurisdiction (PPJ), allowing a state jurisdiction over any covered conduct that demonstrably harmed one of its nationals. This approach is a departure from the Budapest Convention’s more traditional approach, which allows both territorial and active personality jurisdiction. The latter describes instances in which a state can exercise jurisdiction over its own nationals, regardless of their location. Perhaps more surprisingly, the UN Convention’s PPJ approach also is more expansive than the PPJ approaches contained in other international transnational crime treaties, which encompass only certain criminal conduct related to organized crime or official bribery.  

Another significant procedural difference is the level of detail in the UN Convention with respect to mutual legal assistance. The Budapest Convention offers less than the UN Convention by way of formal procedures for cooperation on cybercrime, instead allowing “the law of the requested Party or by applicable mutual assistance treaties” to set the agenda. The Budapest Convention provides a few baseline rules for mutual assistance in the absence of an MLAT, but they are not particularly broad or robust. This reliance on externally negotiated MLATs meant that, for many states, signing the Budapest Convention was insufficient to launch effective cybercrime cooperation; negotiating an additional MLAT—especially with the United States, whose companies control massive amounts of digital evidence—would be required. The United States, in turn, has been relatively stingy with its willingness to negotiate MLATs. 

The UN Convention, in contrast, bakes in mutual legal assistance for covered crimes. Importantly, these procedures are available not just for the acts designated as cybercrime under the convention. Rather, these assistance procedures extend to the collection of digital evidence for, in some cases, any crime, and in others, for any crime subject to four years of imprisonment or more. The procedures states are required to develop include expedited preservation of stored electronic data, search and seizure of said data, real-time collection of traffic data, interception of content data, and more.

A Global MLAT

These procedural differences may make all the difference with respect to which countries decide to sign the convention. On the surface, a signature may seem like an endorsement of an existing approach to cybercrime. But the procedural differences essentially make the UN Cybercrime Convention a global MLAT.

States—the U.S. in particular—may balk at accepting this mechanism, even if they are content with the substantive approach. Thought of as a global MLAT, the UN Convention carries stakes for signing that are much higher than mere cooperation on cybercrime. The stakes become setting foundational rules for cooperating on all crime—indeed, changing those foundational rules—a significantly more expansive remit. 

Despite substantial debate about the convention, this narrative has not yet made its way into the headlines. Instead, other narratives dominate. Europe has signaled its support for the UN Convention, framing it as a simple matter of tackling cybercrime and celebrating the “continued relevance” of the Budapest Convention, given the similarities between the two. Civil society has generally warned against the convention, warning of human rights and governance dangers of bending to the increasing influence of China and Russia on global governance. These framings treat the debate as about the substance of cybercrime or about its power politics. Both framings miss the more fundamental question of whether the international community is ready for a global MLAT that reshapes criminal cooperation writ large. That question has yet to surface in these debates, but it may ultimately determine which states sign.