The UN has finalized a treaty on cybercrime, after two years of negotiations. While the governments seemed to feel a sense of closure and accomplishment after years of negotiating this treaty, it did not put most stakeholders at ease with the final text, worrying that it will be misused as a tool by autocratic regimes to access data for political or social repression.

It was the second attempt to finalize the treaty by reaching agreement on the key sticking points that have divided states for over two years on the approach, content and wording of this legal instrument. In the end, Iran called for votes in an unsuccessful bid to have certain items that safeguard human rights removed. All were defeated, and the convention was adopted. The treaty now heads to the 2024 General Assembly for adoption, and can then be ratified by governments.

The ability to collect and share electronic evidence drove the negotiations and shaped core elements of the final treaty. This was the main objective of many countries, who got what they wanted: a wide scope for the collection of data. In the end, it was even written into the subtitle: ‘Draft United Nations convention against cybercrime: Strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and for the sharing of evidence in electronic form of serious crimes’.

Electronic evidence collection is allowable for serious crimes (i.e. those punishable by over four years’ imprisonment) or ‘other criminal offences committed by means of an information and communications technology system’ (for which no definition is given). This will allow law enforcement and other government agencies, including intelligence agencies, to trade very easily in electronic data and compel service providers and the UN to cooperate. The articles relating to mutual legal assistance and technical assistance are also focused primarily on collecting, sharing and using electronic evidence. So, while the treaty could be used to build up responses to crippling incidents, such as ransomware attacks, every indication so far is that the focus of implementation will be data collection. This will depend on which countries ratify, who is available to provide support on technical assistance and who drives the limited resources for treaty implementation while the UN is under austerity measures.

Although a cybercrime treaty for the UN is a timely and important undertaking, concerns over its true intent and purpose – as well as the divergent views of governments – hung over the process. And although there are positive aspects in the treaty, such as articles on human rights, data protection and a non-discrimination clause, there are also numerous risks. Like Sergio Leone’s classic movie, The Good, the Bad and the Ugly, the draft treaty is the culmination of an uneasy alliance among the member states negotiating it. This brief analyzes the positive and negative aspects of this treaty, the first cyber legal framework delivered by the UN, following the process from its onset and through the trajectory of the negotiations. While the treaty confers much cooperative enforcement powers to governments, including the legal right to access e-data, it is worryingly lacking in oversight detail and could present global surveillance threats – as many have warned.


Join the GI-TOC UN engagement mailing list that will be used to share updates, event information, analysis, and multimedia content.