UN General Assembly approves cybercrime treaty despite industry backlash

Updated 12/27 at 12:40pm with additional comments from a State Department spokesperson.

The United Nations General Assembly adopted a landmark cybercrime convention on Tuesday, paving the way for significant changes to how governments police the internet. 

The Convention against Cybercrime was adopted without a vote and by consensus after a five-year negotiation. A formal signing ceremony will be held in Hanoi in 2025 and the convention will take force 90 days after being ratified.  

The agreement provides a framework for how law enforcement agencies in different countries coordinate on cybercrime investigations and is being touted as a way to reduce the number of safe havens for cybercriminals as well as help developing nations better protect their citizens from digital crimes.

Human rights activists, cybersecurity experts and some of the largest tech firms in the world have come out against the convention, warning that it will likely be misused by dictatorships and may enable a slew of privacy violations. Efforts to add human rights and privacy language into the treaty failed during negotiations over the summer. 

“We live in a digital world, one where information and communications technologies have enormous potential for the development of societies, but also increases the potential threat of cybercrime,” President of the UN General Assembly Philémon Yang said. 

“With the adoption of this Convention, Member States have at hand the tools and means to strengthen international cooperation in preventing and combating cybercrime, protecting people and their rights online.”

UN Office on Drugs and Crime (UNODC) Executive Director Ghada Waly noted that this is the first international anti-crime treaty in 20 years and would be pivotal in efforts to “address crimes like online child sexual abuse, sophisticated online scams and money laundering.”

Waly said cybercrime is draining “trillions” from economies around the world each year and UNODC is eager to help the 193 member states ratify and implement the treaty “with the tools, assistance and capacity-building support they need to protect their economies and safeguard the digital sphere from cybercrime.”

The convention cleared its final hurdle in November after both the U.S. and U.K. decided to support the Russia-introduced measure. 

U.S. officials acknowledged that dozens of countries have worries about the potential for states to use the treaty to justify human rights violations, extraterritorial surveillance, the harassment of tech company employees and the abuse of people’s privacy.

Accountability will be demanded of any government that misuses the treaty, one U.S. spokesperson said last month, urging signatories to pass their own domestic laws that would protect human rights and privacy locally. 

Countries are allowed to refuse information requests issued by other countries and the U.S. said there are other technical mechanisms to spotlight abuse and prevent it from continuing. 

Lingering concerns

The convention was initially prompted by a General Assembly vote in December 2019 to begin negotiating a cybersecurity accord after Russia took issue with the previous agreement — the Budapest Convention — and demanded a new framework to address cybercrime.

After seeing the first draft in August 2023, human rights groups and even tech industry giants like Microsoft warned that significant changes would need to be made to stop the treaty from being used by governments as a tool of repression. 

Few changes were made since that draft, and the outcry did not stop the Biden administration from pushing forward with the effort — even after six Democratic senators sent a letter to the White House last month expressing alarm over the finalized agreement’s treatment of privacy rights, freedom of expression, cybersecurity and artificial intelligence safety.

The Cybersecurity Tech Accord — a global industry group representing more than 157 large tech companies, including Microsoft, Meta, Oracle, Cisco, SalesForce, Dell, GitHub, HP and more — has repeatedly slammed the treaty out of fear it will be used against cybersecurity researchers. Several tech companies are also concerned about potentially thorny data requests that will be issued by governments through the treaty. 

“They are choosing to believe that a bad treaty is better than no treaty,” Access Now’s Raman Jit Singh Chima told Recorded Future News last month. 

“And in reality, the UN Cybercrime Convention would undermine cybersecurity, particularly by casting or creating a more uncertain legal framework for security research.”

White House officials told reporters in November that the U.S. felt the need to back the treaty in order to have a role in potentially updating it in the future and to shape the way it is implemented around the world. 

U.S. officials said the convention will expand the number of countries that would respond to U.S. warrants for arrest involving cybercrimes. U.S. officials pledged to create a plan on how to check if countries are abusing the measure.

The State Department did not respond to requests for an update about how those accountability measures are being formalized.  

Stéphanie Tremblay, associate spokesperson for Secretary-General António Guterres, said the convention “reflects the collective will of Member States to promote international cooperation to prevent and combat cybercrime.” 

“The convention creates an unprecedented platform for collaboration in the exchange of electronic evidence, protection for victims, and prevention, while ensuring human rights are protected online,” Tremblay said. 

“The Secretary-General trusts that the new treaty will promote a safe cyberspace and calls on all States to join the Convention and to implement it in cooperation with relevant stakeholders.”

Following the publication of this story, a State Department spokesperson admitted that the U.S. shares the concerns raised about the potential misuse of the convention but argued that it bars signatories from using the rules to violate human rights, freedom of expression, peaceful assembly and religious liberty. 

The spokesperson did not explain in detail how the U.S. would make sure that signatories pass corresponding human rights safeguards locally or punish governments that abuse the new rules.