The UN Cybercrime Convention: A Victory for State Sovereignty

On August 8, UN member states agreed to what was once considered unlikely: a universal cybercrime treaty. A Russian-led effort to challenge existing Eurocentric norms for law enforcement cooperation morphed into an agreement that instead preserves human rights protections and focuses on actual cybercrime.

But the new treaty, which still awaits approval by the UN General Assembly, may come at a price, as binding treaties and state sovereignty appear to be emerging as guiding principles for global cyber governance.

In December 2019, when the idea for “a comprehensive international treaty against the use of (information and communications technology) for criminal purposes” was presented to the General Assembly, the international community was deeply divided. Russia, China and most Southeast Asian countries were among those who cast 79 votes in favor, while 60 delegations (including Australia, most European states, Japan, the United Kingdom and the United States) voted against.

Australia and like-minded partners have always argued that a legal mechanism already existed: the Budapest Convention. Agreed in 2001 under the auspices of the Council of Europe, it facilitates cooperation between law enforcement agencies in the field of cybercrime for joint investigations, sharing and recognition of digital evidence, jurisdictions and extraditions. The Budapest Convention also contains an agreed set of core cybercrime and cybercrime issues. It includes safeguards for human rights and other fundamental freedoms and a review mechanism, and facilitates access to technical assistance.

All of this would now be duplicated or, worse, eroded in the process of creating a UN convention. In the process of negotiation, there were even attempts to broaden the scope of cybercrime. For example, China proposed criminalizing the “dissemination of false information … likely to lead to serious social disorder,” while India advocated criminalizing crimes related to “cyberterrorism.”

The problem with the Budapest Treaty is that it is a European treaty in name and spirit. Although non-members such as Australia, Brazil, Fiji, Nigeria, the Philippines and Tonga are among the 76 states that are parties to the treaty, it has been too easy to dismiss it as non-inclusive and unrepresentative. Russia, itself a former member of the Council of Europe, has never signed it. Moscow has cited a lack of respect for state sovereignty, saying it would allow cross-border law enforcement operations without the consent of that state. Other states, such as South Africa, have followed suit.

But while the new UN cybercrime treaty is not perfect, it is far from a conclusive victory for Russia and China. In fact, Russia, Iran and Egypt maintained strong objections until the very end. This is perhaps the strongest indicator of success in stopping attempts at further state repression in the digital domain.

In an early draft, Russia proposed several controversial points, such as an expanded list of crimes that would be punishable and an erosion of democratic and human rights guarantees. Although these crimes were considered during the negotiations, they did not make it into the final text.

Iran, with Russian support, called for seven rounds of voting to remove paragraphs containing human rights guarantees. For example, Iran wanted to remove an article that allows states to deny mutual legal assistance if they have reason to believe that the investigation would discriminate on the basis of a person’s sex, race, language, religion, nationality, ethnic origin or political opinion. The vote resulted in a resounding defeat: 102 against and only 23 in favor.

The strongest criticism of the UN treaty comes from civil society and the tech industry, which argues that the treaty is too broad and could be abused for surveillance and repression by authoritarian states seeking to prosecute alleged criminals residing in foreign jurisdictions. The industry fears that it could be forced to hand over data against the terms and laws of their home jurisdictions. Others point out that the treaty could allow states to prosecute whistleblowers and cybersecurity researchers.

Despite these shared concerns of industry and civil society, liberal democratic governments gave in in the interest of global consensus.

The cybercrime convention will be presented to the UN General Assembly this year and, once adopted, will be open to member states for signature and eventual ratification. At least 40 signatories are needed by 31 December 2026 to enter into force.

Whether that will be achieved in the time available remains to be seen. The US has made no such commitment, although it “welcomed the adoption of the treaty by the Committee.” Australia’s ambassador for cyber wrote that the treaty must first be adopted (by a majority) in the UN General Assembly “before Australia considers becoming a party to the treaty.” Iran said in its latest statement that it “maintained reservations and objections on certain terms and conditions.” Moscow only acknowledged the outcome, with Russia “as the inspirer and leader of the negotiations.” Beijing has yet to issue a statement.

For decades, it was thought that cyberspace was most effectively governed through collaborative, multi-stakeholder interactions, with governments, civil society, industry, and the technical community taking responsibility for their part of the domain. However, the experience of the UN Cybercrime Convention shows that state-led procedures take precedence, and that cyber sovereignty is the umbrella concept on which states find consensus.

In the long run, this could pave the way for other government-to-government treaties on issues such as critical infrastructure protection, peacetime state-to-state cyber operations, and AI ethical principles. While this would allow authoritarian states to tighten their control over the internet and related technologies, for liberal democracies, sovereignty becomes the strongest line of defense against cyber-enabled transnational repression and unwarranted foreign interference.