At a global conference in Hanoi on 25 and 26 October, the United Nations Convention on Cybercrime (UNCC) was formally opened for signature. The aim is for all countries around the world to commit to the latest UN treaty text and to ratify it as soon as possible according to their national prcedures, making it binding under international law and, subsequently, part of their national legal systems.

We have been speaking out against the UNCC for several years, have been actively involved in the negotiation process and have now co-signed a joint statement by civil society in the run-up to the conference in Vietnam. In it, we urge the international community to refrain from signing and ratifying the UNCC and to emphasise the importance of respecting human rights in the implementation of this convention.

Why We Oppose the Convention

Shouldn't we support global cooperation in the fight against cybercrime? What may seem surprising at first glance can be easily explained:

To begin with, we are convinced that this treaty is not necessary at all. Since 2001, there has already been an agreement that serves exactly the same purpose: the Budapest Convention. It was created under the umbrella of the Council of Europe. And alltough we are not particularly happy with this one either, many consider the Budapest Convention the standard in the fight against cybercrime. What makes this convention special is that it is embedded in the much larger system of the Council of Europe: the organisation that created the European Court of Human Rights in Strasbourg (along with the associated European Convention on Human Rights) – elements at the very heart of our liberal democracies.

In addition to the 46 members of the Council of Europe (including all 27 EU Member States), the Budapest Convention is also open to accession by states from other parts of the world – and this has been widely utilised: currently, 35 states from Latin America, Africa and Asia have officially adopted the Convention and thus committed themselves to implementing it.

The Role of Russia

The Russian Federation – a former member of the Council of Europe, but excluded since its illegal act of aggression against Ukraine – had always had reservations about the Budapest Convention, citing alleged ‘interference in state sovereignty’. It therefore pushed ahead with efforts at UN level to create another agreement to combat cybercrime, according to its own ideas. What was initially largely rejected, gradually gained momentum. And together with its allies (Belarus, North Korea, Iran, Syria, Venezuela, Nicaragua, and others), the Putin regime not only succeeded in making the start of negotiations on the UN Cybercrime Convention (UNCC) a reality, but also in bringing them to a successful conclusion. On 24 December 2024, the UNCC was eventually adopted by the UN General Assembly as an official United Nations treaty.

The Real Cost of this Treaty

First of all, it should be noted that the final text of the agreement does not correspond exactly to the draft initially proposed by Russia. Many of the provisions that were considered most dangerous from a human rights perspective (such as comprehensive data retention and vaguely worded provisions for punishing ‘extremism’ or ‘subversion’ or acts ‚related to terrorism‘) were negotiated out of the agreement.

But there is still plenty to be concerned about:

• First of all, the UNCC goes far beyond combating cybercrime – i.e. malicious attacks on computer networks, systems and data. It in fact obliges states to establish comprehensive electronic surveillance powers in order to investigate a wide range of criminal offences and to cooperate in their prosecution. These include offences that are not even related to information and communication systems, and do so without adequate safeguards for our human rights.
• The convention obliges governments to collect electronic evidence and pass it on to foreign authorities in cases of ‘serious crimes’ (those punishable by at least four years' imprisonment under domestic law). The problem with this is that many governments criminalise activities that are protected by international human rights laws. For example, criticism of the government, peaceful protests, same-sex relationships, investigative journalism and whistleblowing could meet the criteria and be classified as ‘serious crimes’ under the UNCC.
• The convention also lacks sufficient provisions to protect security researchers (‘ethicalhackers’), whistleblowers, activists and journalists from excessive criminalisation. It can therefore easily be used to target activities that promote human rights and ensure the safety of everyone on the internet.
• The UNCC creates legislation on the monitoring, storage and cross-border transfer of information in a manner that undermines the trust in safe communication and violates human rights.
• The Convention also permits the excessive transfer of sensitive personal data for law enforcement cooperation that goes beyond the scope of specific criminal investigations, without specific data protection and adequate human rights safeguards.
• The shortcomings of the Convention cannot be easily remedied, as it does not provide for a mechanism to exclude states that systematically violate human rights or the rule of law.
• The UNCC could even endanger some of the people it is supposed to protect: for example, it could be misused to criminalise consensual behaviour between young people of similar ages in consensual relationships. On top of that, gender equality has not been enshrined in the agreement. This means there is also a risk that the convention could contribute to violations of the rights of women and LGBT people.

What needs to happen now

Unfortunately, 720 countries decided to sign the agreement in Hanoi, including the EU and half of its member states. Austria is among them. The US, on the other hand, did not take this step: For once, a positive move by the current administration (which, however, has to be seen against the backdrop of a seemingly increased pull-out from multilateralism altogether rather than in a human rights-friendly context). The prospect of easier access to data stored on US servers was, of course, a major incentive for many countries to agree to this agreement in the first place. This prospect is now (at least for the time being) coming to nothing – but unfortunately, this does not change the dangers that this agreement poses once it comes into force.

Together with our partner organisations, we therefore call on the signatory states to refuse to ratify the agreement. But if they do so, they must make sure they take real steps to protect human rights and follow the agreement's rules while fully respecting human rights.

States that are still undecided, that respect human rights and that are considering signing in the future despite the significant threat that the UNCC poses to human rights, should withhold their support until they can guarantee that certain conditions are met: namely, that they and other signatory states implement the treaty with effective safeguards and other legal protections that prevent human rights violations in practice. You can read about what these might look like in detail in our joint statement.

However, once 40 states have ratified the agreement and it actually comes into force, much will depend on how the provisions are applied and interpreted. As is customary with other international treaties, the UNCC will also hold a so-called ‘Conference of the States Parties’ (COSP) at regular intervals to monitor the implementation of the treaty. In view of the problems mentioned above, there is still a lot at stake here! Whether and to what extent civil society should be involved and what powers we will have is currently the subject of negotiations at the UN in Vienna. However, despite the support of some states, there is also a fair amount of opposition – and you don't need a crystal bowl to guess who the main opponents are...