From 30 May to 10 June, the second UN Ad Hoc Committee (AHC) meeting to create a global treaty to counter the use of information and communications technologies (ICTs) for criminal purposes took place in Vienna. Although governments differed widely on what crimes to cover under the convention and how to define them, they were generally eager to include measures to address a wide array of crimes committed using computer systems.  

This was the first AHC meeting to delve into the substance of the potential treaty. The chair of the committee, the Algerian ambassador to the UN in Vienna, structured the negotiations around three pre-selected topics (criminalization, general provisions, and law enforcement and procedural measures) and submitted a list of questions for member states to respond to, informed by previous submissions from and consultations with member states. The questions ranged from the highly technical – such as what terminology should be used – to the more purpose-based, for example what would justify particular crimes being included in the treaty.

These questions were intended to help the committee provide a foundation for drafting the instrument and to collect inputs where positions were farthest apart. In contrast to the AHC’s first meeting, which was overshadowed by the Russian invasion of Ukraine, the session moved smoothly through the agenda with only intermittent political statements.

Member states appeared to be in relative agreement on the overall purpose of the treaty, which would have three main objectives: combating and preventing crimes committed using ICTs; promoting international cooperation; and technical assistance, following the broad structure and purposes of the UN Convention against Transnational Organized Crime and UN Convention Against Corruption. However, critical debates on key terminology persist, such as the term ‘computer data’ (used in the Budapest Convention) versus ‘digital information’, Russia’s preferred expression. These highly detailed questions relate to the issues of how broad the convention will be, what norms it will set for cyber issues and how much will be taken from existing agreements or redefined.

Is it cybercrime treaty or the use of ICTs for criminal purposes?

Disagreements are still substantial over how wide the scope of criminalization provisions should be. Western states, many Latin American and Caribbean states, as well as Japan, South Korea, Nigeria and South Africa are of the view that the treaty should not include cyber-enabled crimes (i.e. not dependent on computer systems to take place), with the notable exception of online child sexual exploitation. Other countries more closely aligned with the Russia–China draft treaty are interested in including a wide-ranging list of crimes such as terrorism, incitement to ‘subversive activity’, hate speech and drug trafficking.

The remaining states are either aligned with one of these groups but open to discussion or want to include a small set of cyber-enabled crimes but not the entire list proposed by Russia.

However, most states supported broad cooperation on law enforcement, procedural measures and electronic evidence. For example, on sharing electronic evidence, there was wide support that the treaty should cover most or all crimes committed using computer systems – which would include cyber-enabled crimes and possibly content crimes, which many are adamant should not be criminalized in the treaty.

For instance, some states who support a treaty focused on cyber-dependent crimes suggested this compromise – Caribbean states, Chile and the Philippines – but not others, such as the EU, Malaysia and France, who stated that electronic evidence should be limited to the crimes including in the treaty.

Considering the ongoing disagreements regarding criminalization (i.e. what types of crime to define and specifically make illegal under the treaty), the willingness of some governments to include such a broad scope of crime in other provisions – on cooperation and data sharing, for example – is surprising. Promoting a narrowly defined set of crimes covered under the convention’s criminalization provisions has been a central position of those countries pursuing a treaty with human rights and fundamental freedoms at its core. This could be at risk if the rest of the treaty has a wide scope of crimes.

What next?

How the risks for the potential misuse of the instrument would be reduced or safeguarded against are not yet clear. When discussing procedural measures, South Africa, Nigeria and the EU raised the importance of judicial oversight, a critical area for the protection of civil and political rights. More will become clear when states begin drafting the text on procedural measures and when the upcoming discussions on international cooperation and technical capacity building are held at the AHC’s next meeting in August.

This session steered member states away from politics and onto the technical issues that need to be addressed before drafting can begin. Although clarity on positions around criminalization and new areas of consensus are emerging (for example on online child sexual abuse and exploitation), discussions on issues such as electronic evidence, procedural measures and law enforcement have complicated understandings of what core positions member states hold and what they want this treaty to do.

As we look ahead to the first draft of the instrument later in the year, an essential issue of concern for all stakeholders will be how to ensure a balance between the need to enable cooperation, and the clarity and safeguards required to protect human rights and fundamental freedoms in a global response to cybercrime.

This article is supported by the Swiss Permanent Mission to the United Nations in Vienna. The views expressed do not necessarily reflect the views of the Swiss government.