In early 2022, governments at the United Nations began negotiations to draft a global instrument to address cybercrime – or to ‘counter the use of information and communications technologies (ICTs) for criminal purposes’ – to use the official title of the process.

The process, initiated by Russia and rejected by Western states in 2019, has since seen all regional blocs come on board to try to shape a potential instrument. The first meeting in February and March 2022 was overshadowed by Russia’s invasion of Ukraine in February. It resulted in a roadmap for the process and a decision on the potential sections of a future document, but not an overwhelming sense of shared purpose among member states. The second meeting, held from 30 May to 10 June, turned to the actual substance of the treaty, where though geopolitical divisions – particularly between Western countries and Russia – remained high, states found more common ground than was expected.

This meeting, which pressed states to take positions on specific content for the first time, occurred following decades of inertia based on strong disagreements over the need for a UN treaty. Differences stem from a lack of common vision on the parameters of cybercrime, internet governance and digital sovereignty, as well as for regulation of online content and access to data. At their core, these concerns boil down to issues of state control – in terms of cooperation and data sharing with other states and in relation to countries’ control over their own citizens’ data.

So it may be surprising that governments across regional blocs may be opening themselves up to an instrument with a broad scope and wide parameters for cooperation on crimes committed using information and communications technology (ICT). This apparent shift occurred after governments first outlined strong, and divergent, positions on which crimes should be listed under this treaty – with the predictable blocs on the furthest ends of the spectrum, the European Union (EU) proposing a narrow convention focused on cyber-dependent crimes, and Russia and allies proposing a wide scope of crimes covered, including content-related crimes, cyber-enabled crimes and national security threats such as terrorism. However, when moving onto procedural measures, many states shared the position that procedural measures and collection of electronic evidence should apply to all crimes or all serious crimes committed using ICT. Only the EU (including France and Czechia speaking independently) and Malaysia stood out as rejecting this idea.

This position tracks more fundamentally with the wide scope proposed by Russia. It includes opening the door to cooperation on many crimes – which a number of countries had previously said they did not want covered in the treaty. Adopting a narrowly defined set of crimes to be covered under the convention’s criminalization provisions has been a central position for countries pursuing a treaty with human rights and fundamental freedoms at its core. This approach could well be at risk if the rest of the treaty incorporates a wide scope of crimes. Some questions that this raises are:

• If the sections following criminalization apply to a wider spectrum of crimes, what is it that a criminalization section will support or achieve?
• Can existing instruments be used to increase investigative and prosecutorial procedures, and international cooperation, for crimes committed using ICT. What, then, needs to be in a new instrument?
• How will duplication of UN agency responsibilities and siloed approaches be avoided when splitting cyber-enabled crimes between multiple regimes?
• Where would a line be drawn so this instrument does not become a tool used by some for cross-border cooperation on political repression and digital rights more broadly?