NEW YORK CITY — The United Nations approved its first international cybercrime treaty yesterday. The effort succeeded despite opposition from tech companies and human rights groups, who warn that the agreement will permit countries to expand invasive electronic surveillance in the name of criminal investigations. Experts from these organizations say that the treaty undermines the global human rights of freedom of speech and expression because it contains clauses that countries could interpret to internationally prosecute any perceived crime that takes place on a computer system.
The U.N. committee room erupted in applause after the convention’s adoption, as many members and delegates celebrated the finale of three years of difficult discussions. In commending the adoption, delegates such as South Africa’s cited the treaty’s support for countries with relatively smaller cyber infrastructure.
But among the watchdog groups that monitored the meeting closely, the tone was funereal. “The U.N. cybercrime convention is a blank check for surveillance abuses,” says Katitza Rodriguez, the Electronic Frontier Foundation’s (EFF’s) policy director for global privacy. “It can and will be wielded as a tool for systemic rights violations.”
In the coming weeks, the treaty will head to a vote among the General Assembly’s 193 member states. If it’s accepted by a majority there, the treaty will move to the ratification process, in which individual country governments must sign on.
The treaty, called the Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, was first devised in 2019, with debates to determine its substance beginning in 2021. It is intended to provide a global legal framework to prevent and respond to cybercrimes. In a July statement before the treaty’s adoption, the U.S. and fellow members of the Freedom Online Coalition described it as an opportunity “to enhance cooperation on combatting and preventing cybercrime and collecting and sharing electronic evidence for serious crimes” but noted that the agreement could be misused as a tool for human rights violations and called for its scope to be more precisely defined. (The U.S. Department of State did not immediately respond to a request for comment from Scientific American.)
The agreement is a reaction to major technological developments in the past few decades that allowed cyber threats to evolve at a rapid rate. In 2023 alone, more than 340 million people worldwide were affected by cybercrime, according to data from the Identity Theft Resource Center.
The years of deliberation over the long and complex treaty culminated in this week’s closing session of negotiations. Critics such as EFF and Human Rights Watch (HRW) argue the text’s scope is too broad, allowing countries to apply it to offenses beyond what were typically considered cybercrimes in the past. The Budapest Convention on Cybercrime, which went into effect in 2004, is the only other major international treaty to address cybercrime. It sought to criminalize a range of offences, including cyber-enabled crimes (such as online bank scams or identity theft) and cyber-dependent ones (such as hacking and malware), while still aiming to accommodate human rights and liberties.
But experts have expressed that the newly adopted treaty lacks such safeguards for a free Internet. A major concern is that the treaty could be applied to all crimes as long as they involve information and communication technology (ICT) systems. HRW has documented the prosecution of LGBTQ+ people and others who expressed themselves online. This treaty could require countries’ governments to cooperate with other nations that have outlawed LGBTQ+ conduct or digital forms of political protest, for instance.
“This expansive definition effectively means that when governments pass domestic laws that criminalize a broad range of conducts, if it’s committed through an ICT system, they can point to this treaty to justify the enforcement of repressive laws,” said HRW executive director Tirana Hassan in a news briefing late last month.
This treaty opens the door to violations of human rights and freedoms of speech, Hassan added. The adopted text defers to domestic law for human rights safeguards, “which means that people are subject to the whims of the laws of individual countries,” she said. Countries with poor records of those safeguards—who were also strong supporters of the treaty—include Belarus, China, Nicaragua, Cuba and Russia (an especially loud proponent).
The agreement could also potentially create transnational danger. “The treaty allows for cross-border surveillance and cooperation to gather evidence for serious crimes, effectively transforming it into a global surveillance network,” Rodriguez says. “This poses a significant risk of cross-border human rights abuses and transnational repression.”
Industry representatives from the Cybersecurity Tech Accord—a coalition that includes Microsoft, Meta and more than 150 other global technology firms—were concerned about the private sector’s ability to comply with the treaty. In January the coalition warned the agreement could compel Internet service providers to share data across jurisdictions, potentially in conflict with local laws. Nick Ashton-Hart, head of the Cybersecurity Tech Accord’s delegation to the treaty’s negotiations, says that it was regrettable the U.N. committee had adopted it despite its major flaws. “If it is implemented, the convention will be harmful to the digital environment generally and human rights in particular,” Ashton-Hart says. The treaty “will make the online world less secure and more vulnerable to cybercrime by undermining cybersecurity.”