The proposed UN Cybercrime Convention, scheduled for a critical concluding session from 29 July to August 9th, poses a significant threat to global human rights unless major changes are made. Despite two and a half years of intense discussions and seven negotiation sessions, states remain deeply divided on fundamental aspects, leading to a deeply  flawed draft text and a problematic chair’s proposal from February 2024. They can’t even agree what to call the Convention, much less its scope—should it address only core cybercrime, or any crime committed using technology? 

The February 2024 language continues to risk criminalizing protected speech, granting broad surveillance powers without robust safeguards, and raising serious cybersecurity concerns. Despite continuous advocacy from civil society and industry, these key issues remain unaddressed. A new version of the Convention is expected soon, but without addressing these critical flaws, the risks to human rights remain.

Joint NGO Letter and EFF's Redlines

In a joint letter with over 100 NGOs, we state that the Cybercrime Convention must not advance without addressing critical flaws. The letter outlines clear requirements: the Convention must focus solely on cyber-dependent crimes, incorporate comprehensive human rights safeguards, and ensure robust protections for security researchers, whistleblowers, activists, and journalists. Absent these minimum requirements, we call on state delegations to reject the draft Convention and refuse to advance it to the UN General Assembly for adoption.

EFF echoes such requirements, among others:

  • First, the Convention must be narrowly focused on cyber-dependent crimes, excluding overly broad content-related crimes that contradict human rights law from the proposed Convention.
  • Second, it must include robust protections for security researchers, whistleblowers, activists, and journalists to ensure they are not unjustly criminalized for performing their essential work.
  • Third, it must incorporate comprehensive human rights safeguards, including the principles of legality, non-discrimination, legitimate purpose, necessity, proportionality, transparency, effective remedy, and prior judicial authorization applicable throughout the entire Convention.
  • Fourth, the scope of procedural measures and international cooperation must be limited to the defined cyber-dependent crimes, with explicit minimum robust safeguards against abuses of surveillance and data sharing, and adequate protection of personal data. 
  • Fifth, direct sharing of personal data must be limited to specific criminal investigation, and be subject to robust minimum safeguards mandated in the text itself to prevent misuse, such as the need to comply with the principles of legality, necessity, proportionality, transparency, user notification, and the need for prior judicial authorization.
  • Sixth, proactive sharing of personal data must be strictly limited and conditioned on compliance with minimum robust standards and international human rights law.

As is, the Convention will be a tool for states with repressive domestic laws to impose arbitrary and disproportionate restrictions on rights and freedoms. As the negotiations resume, it is crucial to address these issues and ensure the Convention aligns with international human rights standards to prevent disaster.

Many other NGOs and industry representatives have expressed similar concerns about the proposed UN Cybercrime Convention. You can read their detailed opinions here: Human Rights Watch and Article 19, Privacy International, Global Partners Digital, Derechos DigitalesMicrosoft, Cybersecurity Tech Accord, and a joint civil society and industry statement.

Origins and Development of the Convention 

The proposed UN Cybercrime Convention's journey began in October 2017 when Russia proposed a draft, aiming to tackle the “use of information and communication technology for criminal purposes.” This effort gained momentum in November 2019 when a UN Resolution, backed by a block of nations that included China, Iran, and Syria, was passed despite strong opposition from the US, EU and others.

By December 2019, the UN General Assembly adopted a Resolution to form an Ad Hoc Committee (AHC) to draft the Convention. The process faced delays due to COVID-19, with the first organizational meeting postponed to 2021. Despite initial resistance, the AHC's inaugural session in May 2021 saw participation from over 160 countries, outlining a plan for multiple negotiating sessions. The AHC mandate specifies that the Convention must “conclude its work in order to provide a draft Convention to the General Assembly at its seventy-eighth session in September 2024.”

EFF has been involved in the UN Cybercrime Convention process from the start, though we've always been skeptical about its necessity due to the significant risks it poses to human rights. Together with a coalition of 130 NGOs, we have consistently raised alarms about the potential misuse of cybercrime laws to target dissent, activists, advocates, security researchers, and journalists. Our concerns, shared with allies, date back way before the first substantive session began in 2022. In 2021, the UN General Assembly expressed grave concerns that cybercrime legislation was being misused to target human rights defenders, hinder their work, and endanger their safety in a manner contrary to international law.  

The UN Special Rapporteur on the rights to freedom of peaceful assembly and association has noted that the increasing number of laws and policies aimed at combating cybercrime have often been used as a means to punish and monitor activists and protesters globally. The Special Rapporteur highlighted that although technology can indeed be used “to promote terrorism, incite violence, and manipulate elections, these concerns are frequently exploited to justify crackdowns on digital civil society.” 

As is, the Convention will be a tool for states with repressive domestic laws to impose arbitrary and disproportionate restrictions on rights and freedoms.

This sentiment has been echoed by the the Office of the High Commissioner for Human Rights in 2022, highlighting that national cybercrime laws are often used to "restrict freedom of expression, target dissenting voices, justify internet shutdowns, interfere with privacy and anonymity of communications, and limit the rights to freedom of association and peaceful assembly." 

Analyzing the Convention’s Expansive Reach and Human Rights Concerns

Article 3: Scope of the Convention

Article 3 outlines the scope of the UN Cybercrime Convention, dividing it into two crucial parts. Article 3(a) limits the scope of application to crimes “established in accordance with the Convention,” covering their prevention, investigation, and prosecution. In contrast, Article 3(b) broadens the reach to include domestic (Article 23) and international cooperation (Article 35), including evidence-gathering for activities deemed serious by national law, expanding the Convention's application to a wide array of any serious offenses regardless of their connection to cybercrime. Understanding this difference is key to grasping the potential impact and reach of the Convention.

EFF has consistently argued that the Convention should be limited to core or cyber-dependent crimes—offenses in which computer systems are the direct objects and instruments, crimes which could not exist without information and communications technology (ICT) systems. By focusing exclusively on these core cybercrimes, the Convention would allow states to concentrate their resources, expertise, and capacity-building on these specific offenses. This approach would also prevent cross-border cooperation on a range of other offenses that are often antithetical to human rights. 

This limitation should apply to the criminalization chapter and the chapter on international cooperation (including spying assistance and data sharing powers), and even to the chapter on  domestic spying powers. Core cybercrimes include unauthorized access to ICT systems, illegal interception, damaging, deleting, deteriorating, altering, or suppressing electronic data, hindering the functioning of ICT systems, and misuse of devices.

Regrettably, the Convention is broader in scope than just core cybercrimes. It addresses cyber-enabled crimes, which are traditional crimes that may in certain instances be facilitated or amplified by the use of technology. These crimes leverage the reach, speed, and anonymity provided by the internet and other digital platforms to enhance their impact, such as ICT-related theft or fraud (Article 12), and solicitation or grooming for sexual offenses against children (Article 14).

It also includes overly broad and vague content-related offenses—crimes that involve the creation, distribution, or possession of material considered illegal or harmful, such as online child sexual abuse material (Article 13), non-consensual dissemination of intimate images (Article 15)—which can lead to the over-criminalization of protected speech.

Regrettably, the Convention is broader in scope than just core cybercrimes.

On tIIn the spying front, the proposed convention also allows for extensive data sharing and cross-border assistance to gather evidence for any crime a state deems serious in its national law. The Convention also deals with extradition and lacks clear limitations and minimum human rights safeguards explicitly embedded in the text itself, and thus risks becoming a tool for human rights abuses and transnational repression, undermining cybersecurity and the very principles it aims to protect.

Human Rights Safeguards

The proposed convention has two articles on human rights that could potentially limit its broad scope and intrusive surveillance powers: a general provision under Article 5, which applies to the entire draft convention, and Article 24, which describes the conditions and safeguards for new domestic surveillance powers.  However, both articles are insufficient and inadequate to provide meaningful protections in practice.

Article 5: General Human Rights Provisions 

First, it should mandate compliance with human rights obligations, not merely consistency. This less stringent wording would allow for broader interpretation by States, and potentially looser application, which could lead to inconsistent protection across different jurisdictions as states with weaker human rights records may interpret "consistent with" in a way that minimally satisfies their obligations without fully protecting individuals' rights.

Second, Article 5 fails to explicitly incorporate core tenets of human rights including the principles of legality, necessity, proportionality, and non-discrimination, and generally fails to impose explicit limitations. In practice, this means that many elements of the convention are likely to be implemented in ways that fall short of international human rights standards. Notably, some prospective signatories to this convention have refused to sign and ratify core human rights instruments such as the ICCPR, and in negotiations a number of states have explicitly rejected attempts to incorporate equality rights into Article 5, including the obligation to mainstream a gender perspective and to take into consideration, when implementing this convention, the circumstances of people who face marginalization in society. Uruguay, for example, has proposed that integrating language on gender, vulnerable groups, and rule of law safeguards.

One of the critical components of effective human rights safeguards is the inclusion of prior judicial authorization, transparency and user notification.

Article 24: Conditions and Safeguards for Domestic Surveillance Powers

Article 24 of the proposed UN Cybercrime Convention outlines how states should protect human rights when using domestic surveillance powers.  While Article 24 helpfully incorporates the principle of proportionality—a central human rights principle—it fails to explicitly include the principles of legality, necessity and non-discrimination. The principle of legality requires laws to be clear, publicized, and precise, ensuring individuals understand what is criminalized. The principle of necessity ensures any interference with human rights is proportionate to achieving a legitimate aim. The principle of non-discrimination requires that laws and policies be applied equally and fairly to all individuals, without any form of discrimination based on race, color, sex, language, religion, political or other opinion, national or social origin, property, birth, or other status. Without these principles, the safeguards are incomplete and inadequate, increasing the risk of misuse and abuse of surveillance powers.

One of the critical components of effective human rights safeguards is the inclusion of prior judicial authorization, transparency, user notification, and the right to an effective remedy. The Chair’s Proposal specifies in Article 24(2) that conditions and safeguards should "include, inter alia, judicial or other independent review, the right to an effective remedy, grounds justifying application, and limitation of the scope and duration of such power or procedure." However, making these safeguards contingent on domestic law can weaken their effectiveness, as national laws vary significantly and may not provide adequate protections. Moreover, while both versions of Article 24 incorporate the principle of proportionality, they fail to explicitly include the principles of legality and necessity. The principle of legality requires laws to be clear, publicized, and precise, ensuring individuals understand what is criminalized. The principle of necessity ensures any interference with human rights is proportionate to achieving a legitimate aim. By granting states broad discretion to decide what safeguard to apply in relation to which surveillance power, the convention fails to ensure the text will be implemented in a manner that is in accordance with human rights. 

To address these issues, the Special Rapporteur has already called on states to revise and amend (...)  surveillance (...) and bring them into compliance with international human rights norms and standards governing the right to privacy, the right to free expression, peaceful assembly, and freedom of association. This issue remains unresolved, and the current convention risks perpetuating these existing concerns.

Domestic Spying Powers and Domestic Safeguards

The Convention grants extensive domestic surveillance powers to gather evidence for any crime, accompanied by minimal and insufficient safeguards, many of which do not even apply to its chapter on cross-border surveillance (Chapter V).  Key measures include expedited preservation of electronic data (Article 25), production orders for specific data (Article 27), and real-time collection of traffic and content data (Articles 29 and 30). These provisions enable rapid and comprehensive data access, essential for investigating cybercrimes. One particularly troubling aspect is Article 28(4), which allows authorities to compel individuals with knowledge of ICT systems to provide necessary information for accessing data. We has consistently voiced concerns that this provision could lead to forced assistance without adequate protection for the rights of those compelled. This broad and potentially coercive power risks significant abuse, especially in jurisdictions lacking strong human rights safeguards.

The combination of intrusive domestic surveillance powers paired with insufficient safeguards heightens the risk of misuse, potentially leading to arbitrary and disproportionate restrictions on privacy and other human rights. To illustrate the potential risks of granting states broad discretion in applying safeguards, consider the following examples:

  1. Lack of legal protection of subscriber data: This threatens the anonymity of the LGBTQ+ community, making them vulnerable to identification and subsequent persecution. Without strong safeguards and a narrow scope, the mere act of engaging in virtual communities, sharing personal anecdotes, or openly expressing relationships could lead to their subscribers' identities being disclosed, putting them at significant risk. Offline, the implications intensify with amplified hesitancy to participate in public events, showcase LGBTQ+ symbols, or even undertake daily routines that risk revealing their identity. The draft convention's potential to bolster digital surveillance capabilities means that even private communications, like discussions about same-sex relationships or plans for LGBTQ+ gatherings, could be monitored, collected, intercepted and turned against them.
  2. Metadata Tracking: A country could classify metadata, such as location data, with less stringent protections compared to content data, leading to extensive tracking of individuals' movements without adequate oversight. 
  3. Weak Judicial Oversight: In a country with a weak judicial system, surveillance activities might not require judicial oversight or prior judicial authorization, allowing authorities to conduct intrusive surveillance without proper scrutiny. 
  4. Discriminatory Surveillance Practices: Broad discretion could enable discriminatory surveillance practices, disproportionately targeting certain ethnic or religious groups under the pretext of “protecting the children.”
  5. International Data Sharing: Without clear limitations, a country could share surveillance data internationally, risking the persecution of political dissidents or human rights activists in countries with poor human rights records.
  6. Lack of TransparencyA lack of transparency requirements for surveillance activities could prevent individuals from knowing whether they are being surveilled or challenging unlawful surveillance. 
  7. Weak Protections for Digital CommunicationsLastly, weak protections for digital communications such as emails and instant messages could allow authorities to intercept and read private communications without robust legal safeguards or oversight. 

For safeguards to be meaningful, the Convention should mandate prior approval by a judge for surveillance activities. As specified in the Necessary and Proportionate Principles, meaningful safeguards should also set strict time limits and establish transparency obligations, such as notifying individuals when their personal data has been accessed. While the Chair’s Proposal includes the right to an effective remedy, individuals cannot effectively exercise this right if they are unaware that their data was accessed, especially in cases where the investigation does not lead to legal proceedings. The authorities should also be required to explain the specific facts that justify surveilling particular individuals and publicly report the frequency of using these powers.

In conclusion, while the Chair’s  Proposal makes some improvements by explicitly including the right to an effective remedy and continuing to recognize the principle of proportionality, its reliance on domestic law for oversight significantly weakens the protection of human rights. The absence of the principles of legality and necessity, combined with the broad discretion given to States, heightens the risk of misuse and abuse of surveillance powers. To truly safeguard human rights, the Convention must mandate strict compliance with international human rights standards and ensure comprehensive and consistent application of safeguards across all states.

The Dangers of Cross-Border Surveillance and Data Sharing

Scope Creep in International Cooperation

One might assume a "cybercrime" convention would focus exclusively on cybercrimes. However, the principles of international cooperation in this convention exemplify significant and dangerous scope creep. And without mandated safeguards in the convention itself for this chapter, this opens the door wide for abuse and transnational repression.

The scope of the international cooperation chapter is still notably wide, and is one primary reason that we've repeatedly said that this convention is truly an all-purpose global surveillance instrument:

  • Article 35(1)(b) of the chair's proposal requires states to cooperate in the collection, obtaining, preservation, and sharing of electronic evidence for criminal investigations or proceedings of criminal offenses established in accordance with the Convention. Essentially, this means that states are obliged to assist each other in managing electronic evidence related to Articles 6-16, regardless of their severity;
  • Article 35(1)(c) of the chair's proposal significantly broadens the scope of international cooperation by including the collection, obtaining, preservation, and sharing of electronic evidence for any activity deemed serious by national law. The defining criteria for "serious" is a crime that carries a prison term of at least four years, as stated in Article 2(1)(h) of the convention. Importantly, the crime itself is defined by the national law of the state requesting cooperation. The only requirement set by the convention is the severity of the penalty (a prison term of at least four years). Therefore, as long as the national law includes a crime punishable by at least four years of imprisonment, it qualifies for international cooperation under this provision. This is applicable whether the alleged offense is cybercrime or not. This also includes serious offenses established in accordance with “other applicable United Nations conventions and protocols in force at the time of adoption” of the Convention.

 This broad scope could lead to abuses, particularly in countries with weaker human rights protections, where national laws might include offenses that do not align with international human rights standards.

Such a UN endorsement could establish a perilous precedent, authorizing surveillance measures that are in stark contradiction with international human rights law and UN values. Even more concerning, it might tempt certain countries to formulate or increase their restrictive criminal laws, eager to tap into the broader pool of cross-border surveillance cooperation that the proposed convention offers. In certain countries, many of these criminal laws might be based on subjective moral judgments that suppress what is considered protected speech under international human rights standards. 

As such, these provisions could result in heightened cross-border monitoring and potential repercussions for individuals, leading to torture or even the death penalty in countries like Iran. For example, activists urged the UN to relocate Cop27 from Egypt due to concerns over Egypt’s record of LGBTQ+ torture, woman slaughter, civil rights suppression, and limitations on the participation of diverse voices, including protesters and indigenous rights groups.

The Special Rapporteur on the rights to freedom of peaceful assembly and association has observed that states increasingly use technology to silence, surveil, and harass dissidents, political opposition, human rights defenders, activists, and protesters, as well as manipulate public opinion. This includes the use of digital surveillance (...) to suppress civil society activities.

Effectively, whenever countries deem any criminal act to be subject to a prison term of at least four years in their domestic law, they can use the Convention to ask other governments to assist in spying to collect evidence, even if they are speech offenses or otherwise criminalize human rights protected activities. All these illustrate how repressive regimes can exploit the broad scope of the Convention’s international cooperation regime—including cross-border spying assistance, and extradition—to gather evidence and target marginalized communities, posing significant human rights problems.

Even worse, the situation is exacerbated by the fact that cross-border data sharing and surveillance assistance between states are not subject to the safeguards in Article 24. Instead, the safeguards will be those of the requesting country, whatever that standard may be, further amplifying the risk of human rights abuses and transnational repression.

Transnational repression refers to actions by governments that reach beyond their borders to silence dissent among their nationals abroad through tactics like surveillance, harassment, and intimidation. For decades, Human Rights Watch has documented governments reaching outside their borders to silence or deter dissent by committing human rights abuses against their own nationals or former nationals. Governments have targeted human rights defenders, journalists, civil society activists, and political opponents, among others, deemed to be a security threat. Many are asylum seekers or recognized refugees in their place of exile. These governmental actions beyond borders leave individuals unable to find genuine safety for themselves and their families. See table of cases at the end.

According to research by Freedom House, the top five perpetrators of transnational repression are China, Turkey, Tajikistan, Egypt, and Russia. Followed by Turkmenistan, Uzbekistan, Iran, Belarus, and Rwanda, with the 10 nations collectively responsible for 80 percent of documented cases. China alone accounts for 30 percent of these cases.

It is a growing concern that poses significant challenges to international human rights norms and protections. Several other organizations have also been warning that existing international law enforcement cooperation mechanisms are being abused or twisted to allow political repression even beyond forceful data localization mandates that seek to bypass international cooperation rules. 

INTERPOL, for instance, is an intergovernmental organization of 193 countries that facilitates worldwide police cooperation. But Human Rights Watch has documented numerous allegations of how China, Bahrain, Turkey, and other countries have abused INTERPOL’s Red Notice system—a request to law enforcement worldwide to “locate and provisionally arrest a person pending extradition, surrender, or similar legal action”—to locate peaceful critics of government policies ostensibly for minor offenses but really, for political gain

While states continue to negotiate over whether some of the conventions’ specific cross-border surveillance powers will be limited in application to a subset of crimes, the overall impact of the convention is concerning. By obligating states to process cooperation requests in relation to any offense deemed serious as defined by national law, the convention’s broad scope threatens to overwhelm the ability of already overburdened legal assistance bodies to ensure they are processing requests in a way that is consistent with their own human rights obligations. It would also operate as an internationally authorized vehicle of cooperation between states where the rule of law has broken down and which have a track record of abusing international cooperation instruments for repression.

While some democratic countries may believe they can sidestep these pitfalls by not collaborating with countries that have controversial laws, this confidence may be misplaced. First, grounds for refusal are optional, not obligatory. The draft convention allows countries to refuse a request if the activity in question is not a crime in its domestic regime (the principle of "dual criminality"). However, given the current strain on the mutual legal assistance treaty (MLAT) system, there's an increasing likelihood that requests, even from countries with contentious laws, could slip through the cracks. This opens the door for nations to inadvertently assist in operations that might contradict global human rights norms. Second, where countries do share the same subjective values and problematically criminalize the same conduct, this draft convention seemingly provides a justification for their cooperation. And even governments that claim to uphold free expression and privacy domestically frequently abandon these principles in international cooperation, especially under the pretext of counterterrorism.

It's now less likely that governments will refuse mutual legal assistance requests on human rights grounds

Third, as we previously discussed with Deborah Brown, with the rise of cloud computing and companies storing data in various countries, including those with poor human rights records like Saudi Arabia, it's now less likely that governments will refuse mutual legal assistance requests on human rights grounds. In the past, most data was stored in only a handful of countries, making it easier to deny disproportionate requests. Today, with data scattered across multiple jurisdictions, enforcing human rights protections becomes more complicated and less consistent.

Article 40: Mutual Legal Assistance (MLA)

Article 40 outlines the principles and procedures for mutual legal assistance (MLA) between states. It mandates that states provide the broadest measure of MLA in investigations, prosecutions, and judicial proceedings related to offenses established "in accordance with the Convention," specifically those outlined in Articles 6 to 16, which cover various cybercrimes. The article sets the framework for cooperation in collecting electronic evidence and ensures that MLA is provided to the fullest extent possible under relevant laws and treaties. There is a bracket in Article 40(1) ["as well as of serious crimes"] indicating the text has received preliminary approval during informal discussions, but the bracket is still under negotiation and has not yet been finalized. The inclusion of "serious crimes" would broaden the scope of mutual legal assistance to include serious crimes beyond those specifically defined in the Convention, pending consensus among the negotiating states. 

Additionally, Article 40(8) of the Convention allows countries to refuse requests for help if: the request doesn’t follow the rules of the Convention; helping would harm the country’s sovereignty, security, or other important interests; the requested action would be illegal under the requested country’s own laws if it were applied to a similar crime within their jurisdiction; or granting the request would go against the requested country’s legal system. However, these grounds of refusal are not enough. The chair has proposed the addition of Article 40.20 (bis), allowing states to refuse mutual legal assistance if the request is believed to be made for political purposes or to prosecute someone based on their political opinions, sex, race, language, religion, nationality, or ethnic origin. However, the high evidentiary threshold may limit the practical effectiveness of this safeguard, making it difficult for states to justify refusals and potentially allowing such requests to proceed. 

Article 40.4: Proactive Information Sharing and Its Risks

Article 40.4 also allows authorities to share information about criminal matters with foreign counterparts proactively, without a formal request. While intended to facilitate international cooperation, this provision poses significant risks to privacy and data protection. Without stringent safeguards, sensitive personal data could be shared too freely, potentially leading to misuse, especially if the receiving country lacks strong data protection laws. Article 40.4 must be amended to ensure that personal data is only shared when absolutely necessary for specific criminal investigations, prosecutions, and judicial proceedings, and with robust data protections rules in place.

Article 47: Extensive Data Sharing for Investigative Purposes

Article 47 also presents significant and troubling legal challenges due to its expansive scope and the absence of essential safeguards. This new version continues to authorize extensive cooperation among States Parties, including the sharing of personal and sensitive data for analytical or investigative purposes, but now it has been limited to a set of crimes. However, it fails to incorporate critical protections found in Article 24, such as principles of legality, necessity, proportionality, transparency, prior judicial authorization, and robust data protection measures. This omission is alarming, as it could permit the unregulated exchange of  potentially biometric, traffic, and location data. The provision's lack of specificity and its disconnection from particular criminal investigations or proceedings exacerbate these concerns, potentially enabling large scale data-sharing and the targeting of vulnerable populations, including journalists, activists, and minority groups.

Moreover, the absence of oversight by central authorities and the lack of clear limitations or exclusions for sharing sensitive personal data further amplify the risk of human rights violations. It is imperative that this article be fundamentally revised to include robust human rights protections, ensuring that international cooperation does not come at the expense of civil liberties and data protection.

In conclusion, the breadth of the cross-border regime and the absence of adequate human rights safeguards will facilitate human rights abuses by allowing states to request assistance in national investigations. Disagreements—from the broad scope to the absence of robust minimum human rights safeguards—are deep and substantive, and continue to be on the negotiating table, albeit now in closed-door informal meetings. Yet despite these fundamental issues, negotiators continue to present compromises that sweep these problems under the rug as a manufactured potential consensus

The breadth of the cross-border regime and the absence of adequate human rights safeguards will facilitate human rights abuses

The next version of the Convention’s text, expected early June, must address these issues that were left unresolved in the chair’s compromise text published in February 2024. Critical unanswered questions remain. The text continues to reflect the deep divides among states. Minimal progress has been made in limiting the convention's scope of cross border spying assistance and data sharing or strengthening human rights safeguards, even less in ensuring these safeguards apply to the international cooperation chapter. Prioritizing consensus over human rights protections risks disproportionate surveillance abuses and significant erosion of privacy and freedom of expression. EFF and a coalition of NGOs have consistently warned about the dangers of such compromises, cautioning that "there is a real risk that, in an attempt to entice all States to sign a proposed UN cybercrime convention, bad human rights practices will be accommodated, resulting in a race to the bottom.”

Missed Opportunities: The Exclusion of Key Safeguards 

To mitigate the harm of the Convention’s broad scope and limited safeguards, during the January session Canada proposed an amendment to Article 3, to narrow the application of the Convention so it does not apply to acts of repression.

“Nothing in this Convention shall be interpreted as permitting or facilitating repression of expression, conscience, opinion, belief, peaceful assembly or association; or permitting or facilitating discrimination or persecution based on individual characteristics.”

 This proposal would, in principle, render some of the Convention’s more problematic features such as its cross-border cooperation regime inapplicable to acts of repression or discrimination.

The current chair's proposal would permit (but not require) states to refuse cross-border MLA requests that are politically motivated or discriminatory, provided there are substantial grounds for believing this to be the case. However, the requirement for substantial grounds sets a high evidentiary threshold that may limit the practical effectiveness of this safeguard, making it challenging for states to justify refusals and potentially allowing politically motivated or discriminatory requests to proceed.

Similarly, Article 59 (3) of the chair's proposal is intended to safeguard human rights by ensuring that the Convention cannot be used to justify unlawful restrictions on human rights and fundamental freedoms. However, its general language and lack of specific enforcement mechanisms render it weak. The provision relies on the interpretation and goodwill of states, which can vary significantly, particularly in jurisdictions with poor human rights records. 

Neither of these proposals, however, would solve all of the Convention’s ills. Rights-respecting states will be better equipped to refuse requests that conflict with their human rights obligations, but the Convention's broad scope will flood national MLAT units with requests from governments around the world in relation to all serious crimes. 

This will make it far more difficult for these already over-burdened MLAT units to identify human rights abuses when processing foreign requests. Canada’s proposal would also further permit impacted people to challenge government action directly on the basis that it falls outside the scope of the Convention, including action taken on the basis of its substantive criminal provisions and its domestic surveillance powers. However, the Convention includes a number of secrecy provisions and fails to include an individual notice obligation. As a result, individuals rarely will be aware that they are the object of a request and will have limited opportunities to challenge these on the basis that they fall outside the scope of the Convention.

Nonetheless, these proposals would have provided tools to mitigate some of the convention’s more problematic aspects, yet neither is included in the current text.

Broadening Criminalization: Risks of Overreach and Repression in the Convention

Since the start of the process, a number of states have pushed for including a much expanded list of criminal offenses in the convention, simply on the basis these offenses were committed using communications technologies. These include proposals for vaguely defined “terrorism” crimes and offenses that would criminalize “incitement to subversion”.  

The chair’s amendment Article 60bis (Article 17 in previous versions) ensures that offenses established under other applicable United Nations conventions and protocols are also considered criminal offenses under domestic law when committed through the use of information and communications technology systems. The provision is improved over past proposals which would have applied to all present and future conventions, but continues to be a source of concern in that it could require the creation of new offenses based on convention’s obligations that were not designed with ICT networks in mind.

Article 60bis is also an improvement over its predecessor in that it adds subsection (2), which clarifies that Article 60bis “shall not be interpreted as establishing offenses under this Convention.” As a number of the Convention’s provisions are carefully limited to offenses “established in accordance with the Convention,” including the convention’s extradition provision, this could have the impact of limiting those provisions so that they do not apply to Article 60bis offenses. However, as our ally ARTICLE 19 pointed out, subtle differences in language might mean that Article 60bis offenses might be considered as established “in accordance with the Convention” despite not being “established under this Convention”, resulting in a far greater scope of application.

One surprising element of the chair’s compromise was its inclusion of a proposal to extend the mandate of the Ad Hoc Committee to negotiate a future protocol supplementing the Convention immediately upon adoption of the Convention by the General Assembly. This could include another list of crimes for a subset of states, further expanding the Convention's reach and exacerbating the risk of human rights abuses.

Real-World Implications

The proposed UN Cybercrime Convention, with its broad cross-border assistance scope and lack of minimum robust safeguards, poses significant risks to human rights. The potential for misuse and abuse is not theoretical: It is a reality faced by individuals and communities around the world. The proposed convention amplifies the existing threats to the LGBTQ+ community, journalists, activists and minority religious groups among others. It endorses a framework where nations can surveil benign activities such as simply sharing LGBTQ+ content, potentially intensifying the already-precarious situation for this community in many regions.

The following examples illustrate how transnational repression is already being practiced by various governments, highlighting the urgent need for a narrow scope and robust safeguards in the Convention.

Examples of Transnational Repression Documented by Human Rights Watch's Report “We Will Find You” A Global Look at How Governments Repress Nationals Abroad:

Country

Description

China

The Chinese government has been implicated in targeting political dissidents abroad through online harassment and defamation campaigns. These tactics aim to silence criticism and control the narrative internationally.

Turkey

Documented instances of Turkey misusing INTERPOL’s Red Notice system to target political opponents abroad. This misuse extends to other multilateral tools, increasing the risk of transnational repression.

Rwanda

Authorities targeted thousands of activists, journalists, and politicians using NSO Group’s Pegasus spyware. This surveillance extends to those living abroad, creating a pervasive sense of fear and threat among the diaspora.

Saudi Arabia

Government agents infiltrated Twitter to spy on dissidents. Similarly, Saudi authorities have been known to use other platforms to gather information on critics, exacerbating the risks faced by activists both domestically and internationally.

Ethiopia

Surveillance follows political refugees abroad, with Ethiopian authorities using commercial spyware to target family members of dissidents living in the UK, thereby exerting pressure on the individuals in exile.

Examples of Arbitrary, Illegitimate and Disproportionate Laws that Could Trigger Surveillance and International Cooperation

Country

Description

Russia Following the 2023 Supreme Court decision designating the “international LGBT movement” as extremist, arbitrary prosecutions for activities such as displaying the rainbow flag or wearing rainbow-colored accessories have occurred, with penalties up to four years in prison for repeat offenses. Under Article 35’s provisions, Russia could request other countries to surveil and track LGBTQ+ individuals in real time, treating their expressions of identity as serious crimes.
Egypt In 2017, during a concert where attendees waved rainbow flags, numerous individuals were arrested, with some sentenced to six years in prison for "debauchery" and "inciting debauchery." Cybercrime Law No. 175/2018 contains broad provisions to silence dissent and target LGBTQ+ individuals. Articles 25 and 26 have been used to prosecute "violations of family values," and other forms of online expression.
Thailand It is a crime of lèse-majesté to defame, insult, or threaten members of the royal family, carrying a maximum penalty of 15 years in prison. This law has been used to target activists. Thailand could request assistance from its allies to track down and intercept communications of their nationals criticizing the monarch, even while traveling or living abroad.
Jordan The pre-existing cybercrime law has been used against LGBTQ+ people, and the new Cybercrime Law of 2023 expands its capacity to do so. With overly broad and vaguely defined terms, this law will severely restrict individual human rights and will become a tool for prosecuting innocent individuals for their online speech.
Saudi Arabia Between 2011 and 2015, at least 39 individuals were jailed under the pretense of counterterrorism for expressing themselves online. Authorities have used the 2007 Anti-Cyber Crime Law to criminalize online content and activity that is considered to impinge on “public order, religious values, public morals, and privacy.”
Tunisia Decree-Law No. 54 (2022) has been used to prosecute media and individuals for "false news," information that harms “public security,” and opposition to government policies, mandating a five-year prison sentence. The first criminal investigation saw the arrest of student Ahmed Hamada for reporting on law enforcement clashes. In the year since Decree-Law 54 was enacted, authorities in Tunisia have prosecuted media outlets.
United
Arab Emirates
Federal Decree Law No. 34 of 2021 replaces an older law used to stifle dissent, such as sentencing human rights defender Ahmed Mansoor to 10 years in prison. Article 22 mandates prison sentences for sharing unauthorized information online, further restricting the already heavily-monitored online space and making it harder for ordinary citizens, as well as journalists and activists, to share information.

The inclusion of these examples underscores the importance of ensuring that the UN Cybercrime Convention incorporates robust human rights safeguards to prevent its misuse as a tool for transnational repression. The international community must prioritize the protection of fundamental rights and freedoms in the drafting and implementation of this Convention.