30 Jul 2024

Crunch time for the rights-threatening UN Cybercrime Convention

States are on the brink of adopting the UN Cybercrime Convention, which would pose fundamental risks to human rights, as well as undermining cybersecurity. Negotiations commenced yesterday (29 July) amid a chorus of dissent from civil society and other stakeholders, and are scheduled to conclude on 9 August. 

As presently drafted, the convention is likely to facilitate unprecedented surveillance powers related to an overly vague scope of offences, which risks criminalising online expression and impeding the vital work of cybersecurity researchers, journalists and others. It proposes to introduce broad new “cyber-related” offences, despite repeated warnings that these would endanger freedom of expression and disproportionately impact the rights of women, LGBTQ+, young people, and dissenting voices.

Civil society, alongside actors from industry and the technical community, have long been raising the alarm. And last week, the OHCHR itself highlighted significant shortcomings which must be addressed in order for the Convention to be adopted.

Earlier this month, GPD joined 20+ civil society groups in an open letter to the EU Commission and Member States, urging them not to adopt the Convention in its current form if its fundamental flaws cannot be fixed. And last week, experts from Access Now, Human Rights Watch, EFF, the International Press Institute and Derechos Digitales held a press briefing on what’s at stake for human rights.

At the time of writing, states remain divided in their approach. While one key bloc is pushing for a punitive instrument with unprecedented scope, others remain aware of the risks but are cautious of divesting from the process. The reasons for this are complex, and include a desire for a harmonised framework for cooperation, as well as the risks of withdrawing from a process increasingly seen as synonymous with the success of multilateralism itself, as well as the ability of states to operate within the UN system. 

These concerns are valid. At the same time, widely felt concerns that the Convention as drafted would, per OHCHR’s analysis “undercut efforts to address cybercrime, undermine trust and facilitate human rights violations and abuses” cannot be ignored. We also dispute the idea that refusing to adopt this flawed instrument would undermine the UN system, or amount to a waste of time. While the process of the negotiations has generated tensions, it has also offered a valuable window into states’ needs, and has—importantly—identified areas of convergence, as well as those where further research or dialogue is needed (for example, the need for further consultation and deliberation on what a rights-respecting and effective approach to CSAM would entail). These negotiations have also pointed to the value of refocusing attention on the Budapest Convention as the only existing global instrument for combating cybercrime, as well as driving efforts towards its further improvement to ensure compliance with international human rights standards. If states want to, these negotiations do not have to be an empty exercise: they could be generative of future directions.

There is a wealth of work already out there to show what alternative, rights-respecting approaches to combating cybercrime might look like. The time to discuss these ideas has come. Not adopting this convention as it’s drafted presents us with an opportunity, and we should not squander it.

We call on states concerned with the continuance of the international rules-based order to urgently heed the concerns of stakeholders, and to decline adoption of this deeply flawed instrument, which risks undermining both human rights and our collective security.  

Should the Convention pass in its current form, it’s critical that civil society and other interested actors hit the ground running, and use insights from the negotiations to monitor, build awareness of, and head off potential impacts from its implementation.