Five Years in the Making, New UN Cybercrime Treaty Signed by 65 Nations Amidst Criticism

A landmark UN cybercrime treaty is now in effect after having been signed by 65 nations, representing the first universal framework for legally addressing a broad range of internet-based offenses.

The signing ceremony took place in Hanoi on October 25, and the terms of the cybercrime treaty will go into force 90 days after at least 40 of the signatories formally ratify it. The groundbreaking treaty has had a tumultuous road in coming into existence, beginning with deliberation in 2019 and not having a final form adopted until December 2024. Some critics are still warning against it, calling it more of a boon to authoritarian governments and organized criminals than anything else.

First international cybercrime treaty likely to enter force in 2026

Among the instruments established by the cybercrime treaty are a 24/7 cooperation network among the member states, methods for sharing electronic evidence across borders, and the criminalization of numerous cyber-dependent and cyber-enabled offenses. Among these is the first recognition of the sharing of non-consensual intimate images as a crime under an international treaty.

One main practical focus of the cybercrime treaty is the provision of training and real-time assistance to developing “Global South” members. Developing nations have substantial populations that are not yet even on the internet, but the regions are nevertheless heavily targeted due to both a lack of capacity and the tendency of governments to prioritize cybersecurity strategy and address corruption issues.

The cybercrime treaty is meeting with some pushback from both the tech industry and human rights activists, however. Privacy and human rights organizations, including the UN’s own High Commissioner for Human Rights, have aired concerns that the treaty’s definitions of crimes are too vague and open to potential abuse. The tech industry’s resistance is summed up by the Cybersecurity Tech Accord, a lobbying group that includes industry heavyweights such as Microsoft and Meta, which has called the agreement a “surveillance treaty” and warns that it will facilitate sharing of personal data among repressive governments.

Security experts warn cybercrime treaty might penalize legitimate testing, indirectly aid criminals

Another line of concern comes from the cybersecurity world, where some of the loose definitions of criminal hacking have raised alarms that ethical probing for vulnerabilities may be chilled by threats of government retaliation. The U.N. Office on Drugs and Crime (UNODC) has responded to these concerns by saying that the cybercrime treaty “encourages” states to allow security research activities, but critics point out that it also enables states to heavily penalize those activities should they desire.

The choice of Vietnam as the host for the cybercrime treaty’s formal signing has also seen some criticism. Vietnam’s communist government has long been criticized for its record on freedom of expression and forcible quashing of dissent, including 40 arrests this year flagged by Human Rights Watch as being for online speech critical of the state. The US State Department has labeled internet censorship by the national government as “significant.”

It is not yet entirely clear who has and has not ratified the cybercrime treaty. But one standout name that has not even put pen to paper is the United States, which said that the State Department continues to review its terms. The present administration has publicly shared some similar concerns about how the present terms might be misused by governments, though this has been directed at allies (such as the United Kingdom) as much as the less democratic governments that are the main point of concern.

Another point of concern shared by all critics is that the cybercrime treaty is vague about the data protection requirements that will be in place when personal data is shared across borders. This includes the security of stored data, which the terms do seem to allow to be stored long-term. Supporters see the proposed new data regimes as an effective way to counter the problem of hackers hiding out in one country while raiding others (and often having the evidence stored in third countries), but the entire plan still hinges to a great degree on the willing cooperation of countries that have already proven very tolerant of their own domestic hackers.

In addition to Human Rights Watch, the Electronic Frontier Foundation and Privacy International have issued formal objections to the cybercrime treaty. Among the countries that have confirmed that they have signed the treaty at this point are Australia, China, Peru, Spain, South Africa, and Iran. The treaty is meant to be an update to the existing Budapest Convention on Cybercrime, which has less comprehensive terms and serves more as a guideline. China and Russia have also long opposed that agreement and were driving forces in the creation of the new treaty.

With only about 60 days left in the present year, the earliest the new agreement would likely go into effect would be February of next year. Joe Kaufmann, Global Head of Privacy & DPO at Jumio, advises potentially impacted parties to begin reviewing its terms: “As 65 countries sign the UN’s Convention against Cybercrime, it is a step toward addressing the potential harms posed by advancing AI technologies. Countries are recognizing the importance of stronger international guardrails in place to protect people from digital crimes. However, the policy efforts must avoid preventative measures that contradict their intention. Over-prescriptive compliance requirements may thrust organizations into an unfamiliar position of responsibility for sensitive personal data. In this sense, the goal of consumer trust and safety is a two-way street. Any enterprise that finds itself conducting business contemplated by the UN’s Convention against Cybercrime should take the opportunity to align to the best practices and ethical frameworks. In doing so, they can strike a meaningful balance between consumer trust and safety.”

Senior Correspondent at CPO Magazine