Cybersecurity & Tech Foreign Relations & International Law

So Close, So Far: UN Committee Tasked With Cybercrime Convention Hits Snooze

Karine Bannelier, Eugenia Lostri
Tuesday, March 26, 2024, 12:00 PM

The committee will meet again to try to finalize the convention, but concerns remain about the scope of criminalization and human rights safeguards.

A wide view of the UN Office on Drugs and Crime (UNODC) (UN Photo/Devra Berkowitz,; CC BY-NC-ND 2.0 DEED,

Published by The Lawfare Institute
in Cooperation With

It was late on Feb. 9 by the time the members of the United Nations committee tasked with elaborating an international cybercrime convention finished reviewing the latest draft text of the convention. Despite two years of intensive negotiation, and substantial progress on many aspects, this review showed that so many points of divergence remain among the participating governments that it was impossible to adopt a convention at this stage. Indeed, even the title of the convention remains undefined.

Despite these fundamental differences, the committee chair continues to assert that the delegations only need more time to reach consensus. The delegations agreed. And so, the UN Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes shall meet at a subsequent date to attempt, again, to refine the text and finalize those outstanding provisions in a way that is agreeable to all. 

The problem is that the “outstanding provisions” include core topics, such as the convention’s scope of criminalization, obligations for international cooperation, and the types of safeguards against political abuse and human rights protections that should be included. These disagreements were not new to the concluding session but, rather, have been present throughout the negotiations. 

A consolidated draft text presented in November 2023 raised alarms from international experts, rule-of-law governments, and human rights organizations. An overbroad scope and lack of sufficient safeguards could make this a very dangerous instrument, they warned. Without a thorough revision, they argued, the world would be better served by rejecting the convention.

At the core of the disagreements lies a question of balance: How can the UN convention achieve robust international cooperation in the fight against cybercrime while offering strong protection of fundamental freedoms? What is already a delicate balance for democratic states becomes a challenge at the global level when dealing with states that do not share the same level of human rights protection. The interest blocs during the negotiations were fairly straightforward: China and Russia, and a small constellation of states around them, would prefer broad criminalization that captures a wide range of cyber activity. At the other end, states more closely aligned with the Budapest Convention saw Russia’s position as a thinly veiled attempt to use the UN convention to weaken fundamental principles of human rights. In between these blocs stands a group of countries, including Caribbean states and South Africa, that “want to ensure that the treaty provides them with access to wide-ranging opportunities for cooperation, capacity building and technical assistance.”

Attempts at consensus were met with firm resistance by both democratic and authoritarian camps, with particularly strong positions defended by Russia, Pakistan, and Iran. The depth of these disagreements calls into question the point of further efforts to work out a UN cybercrime convention. If the delegations disagree in such extreme forms with each other, what is the advantage of the middle ground?

Endless Divergences on What Crimes Should Be Included in the Convention

The number and nature of crimes that would fall within the scope of the convention was up for discussion every step of the way.

The interest blocs did not see eye to eye when it came to determining what should be considered a cybercrime under the convention. Should the scope of the convention focus only on cyber-dependent offenses—crimes carried out against computer systems or data. Or should the scope include cyber-enabled offenses—crimes carried out thanks to the use of a computer system—an expansion that could place content-related crimes under the convention’s jurisdiction? 

The question of how broad or how narrow the scope of the treaty should be caused much back and forth during the multiyear process. A consolidated negotiating document from November 2022 counted nearly 30 crimes, many of which were dropped in the zero draft of May 2023 (which included only a dozen). This did not concern some delegates, who tried to include them again in September.

From the beginning of the negotiations (as one of us described for Lawfare), Russia advocated for a broad approach to criminalization. To defend this approach, its delegate presented several arguments during the concluding session.

A first argument was based on the mandate given by Resolution 74/247 of the UN General Assembly to the ad hoc committee, which was to elaborate a “comprehensive” international convention on countering the use of information and communications technologies for criminal purposes. According to Russia, “comprehensive” means that the mandate is to include all or many crimes using information and communications technologies (ICTs). In support of this assertion, Russia didn’t hesitate to submit to the UN ad doc committee definitions of “comprehensive” given by English-speaking dictionaries such as the Oxford Dictionary or the Collins Dictionary.

A second argument focused on convincing fellow delegations that a broad approach to criminalization was the only solution to effectively combat cybercrime. For example, Russia consistently advocated for the inclusion of provisions on countering the use of ICTs for terrorist and extremist purposes. According to Russia, this was because current national and international legislation is insufficient to effectively combat terrorist groups using the internet.

The opposing bloc has argued that a narrow approach to criminalization centered on well-defined and consensus-based cybercrimes was the only way to develop effective international cooperation. These crimes would be limited to core cyber-dependent offenses and a few consensus-based cyber-enabled offenses, all of which were already set out in draft Articles 6 to 16 and should be sufficient to cover all modern cybercrimes. According to these states, the introduction of “broad catch-all provisions generally increase ambiguity as to the scope and application of the treaty” and will undermine trust and efficiency in international cooperation.

To show its willingness to compromise, Russia in early February proposed to replace some of the controversial articles on criminalization with a single article, effectively a blanket provision:

Article X. Other crimes committed using information and communication technologies 

Each State Party shall take, in accordance with the fundamental principles of its domestic law, such legislative and other measures as may be necessary to criminalize terrorism, trafficking in persons, incitement to subversive or armed activities, extremism, including racism and xenophobia, rehabilitation of Nazism, justification of genocide, crimes against peace and humanity, illicit trafficking in narcotic drugs and psychotropic substances, weapons, counterfeit medicines and medical devices, inciting to suicide or leading to its commission, involving minors in committing illegal actions dangerous to their life and health, committed using information and communication technologies. 

2. This Convention is not an obstacle to the recognition by a State Party as a crime of any other unlawful act committed intentionally using ICT and resulting in significant” damage”.

Aware that such a proposal could not reach a consensus, the committee chair then proposed that the committee should continue its work after the conclusion of the convention by elaborating a new protocol that could include new crimes. This proposal was not welcomed by either side: While Western states strongly disagreed with the proposal, Russia found it lacking and asked for guarantees about the future negotiations of this protocol.

Even if the convention were to stick to core cyber-dependent offenses and a few consensus-based cyber-enabled offenses, it could introduce new risks for legitimate security researchers, whose activities could be misconstrued as criminal. Indeed, a number of submissions focused on this issue and recommended that the delegations include specific language focusing on standards of criminal intent and harm to avoid criminalizing legitimate security work.

Sharing Evidence: A Dangerous and Indefinite Scope of International Cooperation?

Without consensus on clearly defined cybercrimes, international cooperation will fall short. But even if there is agreement on the list of cybercrimes included in the convention, another hurdle for agreement concerns whether the international cooperation provided for by this convention could also extend to other criminal offenses beyond those provided for by the convention. 

In an attempt to find a consensus on Article 35 (General Principles of International Cooperation), the committee chair proposed that states parties shall cooperate with each other for the purpose of “the collecting, obtaining, preserving and sharing of evidence in electronic form” not only for criminal offenses established in accordance with the convention but also for “any serious crime, including serious crimes established in accordance with other applicable United Nations conventions and protocols in force at the time of adoption of this Convention.” 

If the concern of law enforcement institutions to obtain electronic evidence for any criminal offenses using ICTs is understandable, such extension of international cooperation also raises many risks. As the written submission of Canada (on behalf of a group of 63 states and the European Union) underlined, “This is a concerning potential outcome and we can find no other UN criminal law treaty with such broad and ambiguous parameters.”

Minimalists Human Rights and Safeguards

Many controversies crystallized around the protection of human rights under the convention. A number of states and many human rights experts consider that, given the considerable powers and intrusive measures granted to law enforcement authorities, the convention should include robust human rights limitations and safeguards. However, several states, starting with Russia, have objected that the purpose of the convention is not the protection of human rights and that it should therefore not include provisions on human rights. 

The chair proposed to refer in very broad terms to the protection of human rights in several articles, such as Articles 5, 24, and 59.3, but does not seem to have convinced either side. 

Canada’s submission featured a new Article 3.3: 

Nothing in this Convention shall be interpreted as permitting or facilitating repression of expression, conscience, opinion, belief, peaceful assembly or association; or permitting or facilitating discrimination or persecution based on individual characteristics. 

According to this proposal, the idea is not to introduce “human rights provisions” or to “dictate what states can or cannot do under their domestic criminal law” but, rather, to stipulate “that a narrow category of conduct is excluded from the Convention.” The idea is original. It could perhaps lead to agreement between opposing points of view, but it seems difficult.

Protection of Personal Data: Not an Issue Anymore?

There is one area where there seems to be consensus: the protection of personal data. References to the protection of personal data were the subject of significant controversy in previous sessions. The debate then centered around the introduction of an Article 42.1 that provided for “conditions and safeguards” in Chapter III dedicated to “Procedural Measures and Law Enforcement” powers of states. According to this article, states will provide for the adequate protection of human rights and liberties, which will incorporate, among other things, the protection of personal data.

Some countries—such as Malaysia, Singapore, Pakistan, Russia, and others—proposed to remove this article in its entirety. Others were of the opinion that Article 42 should be maintained but suggested that references to some protections, including the one on personal data, should be removed. 

This caused a divide among the coalition of Western states. On the one hand, the European Union and its member states favored extensive protection of personal data under the UN convention, considering that they could never engage in international cooperation without strong guarantees in this regard. On the other hand, the United States took the position that protection of personal data was not a right recognized as such at the universal level. This opposition to the inclusion of a reference to the protection of personal data was surprising since, as a submission to the UN ad hoc committee showed, the protection of personal data is included in many international instruments and in all continents.

Without going into details about what substantial protection of personal data entails, the compromise text (Article 36 in the latest numbering) recognizes that a state that transfers personal data will do so only in accordance with its domestic law or its international law obligations. Article 36 also encourages states to establish bilateral or multilateral arrangements to facilitate the transfer of personal data. This consensus is good news for Western states that could not afford to be divided on this issue. In this regard, it is interesting to note that a few days before the opening of the concluding session at the UN, the U.S. and the EU were nearing a transatlantic agreement on law enforcement access to data held by tech companies. 

This compromise is also undoubtedly good news for the UN convention, which would not have a future without this provision. However, the absence of any substantial data protection measures in such an article could also open the way to many abuses in the name of the fight against cybercrime by countries with low standards regarding personal data.

The Fate of the UN Cybercrime Convention Is Still Uncertain

These are not the only concerns arising from the draft convention. A review of comments submitted to the committee shows that concerns remain over issues such as the effectiveness of gender mainstreaming throughout the text, the ways in which jurisdiction could be established, and the vagueness of terms and definitions used.

Given the range of disagreement, it is maybe surprising that the chair has proposed to suspend the session and resume it for 10 days at a later date to finalize the text of the convention. What sort of consensus the delegations are ready to negotiate is still uncertain, given that the disagreements stem from core beliefs about the purpose of the treaty that are at odds with each other. Moreover, after two years of negotiations, seven sessions lasting two weeks each (with sometimes more than 14 hours of negotiations per day), five intersessional consultations, and countless side and unofficial meetings, delegates are exhausted and the budget has reached its limit.

But the convention is not doomed just yet. Russia, which seemed so intransigent during the concluding session on the countless list of crimes to be included and even on the title of the convention, has no interest in failure. Let us not forget that it was at Russia’s behest that the ad hoc committee was set up. It therefore has every interest in this convention being a success. There’s also diplomatic politicking to consider: The failure of this convention could also sound the death knell for another draft convention on cybersecurity stubbornly pushed by Russia before the First Committee of the UN General Assembly. China also has great interest in it, as evidenced by its numerous declarations in favor of a compromise. These expressions may open the door to interesting compromises we have not seen yet.

However, compromise for the sake of compromise or political success could lead to underwhelming results. A year ago, one of us warned that the UN cybercrime convention could become an important tool for international cooperation in the fight against cybercrime, but this requires not only a defined scope of criminalization but also the presence of robust human rights safeguards, to limit the risks of abuse and to create trust among states. Unfortunately, rounds of negotiations have not addressed the concerns raised back then. As we look forward to the newly added concluding session, it would be unfortunate if the delegations were to prioritize claiming a political victory at the UN and agree to a text ripe for abuse.

Karine Bannelier is Associate Professor of International Law at the University Grenoble Alps (France) and Director of the Grenoble-Alps Cybersecurity Institute. She is also Deputy Director of the Chair on the Legal and Regulatory Implications of Artificial Intelligence at the Multidisciplinary Institute for AI (Grenoble). She has published extensively on cybersecurity issues and participated as an observer to the UN Cybercrime Negotiations.
Eugenia Lostri is Lawfare's Fellow in Technology Policy and Law. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.

Subscribe to Lawfare