Controversial UN cybercrime treaty clears final hurdle before full vote as US defends support

The United Nations Cybercrime Convention has cleared another hurdle as it heads to a vote in the General Assembly next month. 

The draft of the contentious resolution was approved during a meeting on Monday as both the United States and United Kingdom defended their support for the measure — which has faced backlash from tech companies, human rights defenders and even members of Congress.

In meetings with reporters on Sunday and in public comments on Monday, U.S. officials acknowledged that dozens of countries have worries about the potential for states to use the treaty to justify human rights violations, extraterritorial surveillance, the harassment of tech company employees, and the abuse of people’s privacy.

Jonathan Shrier, a U.S. representative to the UN, said they would demand accountability from any government that misused the treaty and urged signatories to pass domestic laws protecting human rights. 

Shrier also touted other technical mechanisms that will be used for “bringing to light and repudiating any abuses committed under the alleged auspices of the Convention and mobilizing to prevent future misuse.” Countries should also refuse information requests from nations that violate the human rights protections in the treaty.

He argued that despite “deep concerns,” the convention can serve as a “framework for cooperation that, when implemented in accordance with its provisions and coupled with robust domestic safeguards, holds the potential to improve the global community’s ability to combat pervasive and evolving cybercrime threats.”

“This includes combatting ransomware, widespread cyber-enabled fraud, and illegal intrusions into computers and networks,” he added. 

In a discussion with reporters on Sunday, White House officials said the U.S. felt the need to back the treaty in order to have a role in potentially updating it in the future and to shape the way it is implemented around the world. 

U.S. officials pledged to create a plan on how to check if countries are abusing the measure and said members of the Commerce Department will meet with tech companies and human rights groups on Wednesday to discuss the issue. 

They gave several other reasons the U.S. decided to back the Russia-introduced treaty after months of handwringing within the White House. Of principal concern to the Biden administration were worries that China, as well as authoritarian governments and even the U.S., would use it to surveil and punish opponents. 

Speaking anonymously, the U.S. officials told reporters the treaty would expand the number of countries that would respond to U.S. warrants for arrest involving cybercrimes. 

U.K. officials released a statement making similar arguments for their support of the treaty but acknowledged that several member states “have already tried to deny or dodge” the human rights obligations that are part of the convention. 

“To be clear – the UK will not cooperate with any country which does not comply with the safeguards required by this Convention,” said Liz Page, the U.K.’s first secretary of cyber, digital and technology. 

The treaty draft was initially prompted by a General Assembly vote in December 2019 to begin negotiating a cybersecurity accord after Russia took issue with the previous agreement — the Budapest Convention — and demanded a new framework to address cybercrime.

After seeing the first draft in August 2023, human rights groups and even tech industry giants like Microsoft warned that significant changes would need to be made to stop the treaty from being used by governments as a tool of repression. 

Few changes have been made since that draft, and the outcry has not stopped the Biden administration from pushing forward with the effort — even after six Democratic senators sent a letter to the White House last month expressing alarm over the finalized agreement’s treatment of privacy rights, freedom of expression, cybersecurity and artificial intelligence safety.

The Cybersecurity Tech Accord — a global industry group representing more than 157 large tech companies, including Microsoft, Meta, Oracle, Cisco, SalesForce, Dell, GitHub, HP and more — has repeatedly slammed the treaty out of fear it will be used against cybersecurity researchers. Several tech companies are also concerned about potentially thorny data requests that will be issued by governments through the treaty. 

Nick Ashton-Hart, the Tech Accord’s head of delegation to the negotiations, told Recorded Future News that they were disappointed to see the convention adopted by consensus on Monday. While they appreciated the U.S. statement, he noted that the “best statement would have been to, at least, abstain.” 

“Several states noted in the Third Committee debate that it was important that states implemented the existing human rights and other safeguards. Even if they do, that doesn’t solve all the problems in this convention,” he said. 

“Even adopted as written, it undermines global cybersecurity by allowing criminalization of security research – in the AI age this is a particularly glaring problem as AI system safety and resilience arguably relies even more on research work that could be criminalized by the Convention than is the case for non-AI services.” 

He specifically highlighted the mechanism allowing for the transfer of personal information between governments as an aspect of the treaty that “virtually guarantees the Convention’s provisions will be used abusively.” 

Human rights advocates like Access Now’s Raman Jit Singh Chima said UN member states seem “unwilling to recognize that they are advancing a bad treaty.” 

“They are choosing to believe that a bad treaty is better than no treaty. And in reality, the UN Cybercrime Convention would undermine cybersecurity, particularly by casting or creating a more uncertain legal framework for security research,” he said.

Singh Chima warned the treaty would enable authoritarian governments and others to defend their existing cybercrime laws that are used to target civil society and human rights defenders rather than combat cybercriminals.

He added that before the final vote next month it is critical that member states make it mandatory that any signatories respect due process and other basic human rights before implementing the treaty. 

“Western states have a last opportunity in December to establish a clear line saying, ‘If you do not choose to implement this treaty in this human rights respecting way, we will not be able to sign, we will not be able to ratify, and we will not be able to implement international cooperation under the treaty,’” he said. 

Human Rights Watch, along with several other groups contacted by Recorded Future News, also urged governments to reject signing or ratifying the treaty. 

Electronic Frontier Foundation’s Karen Gullo said they have urged states to vote against the convention because it “jeopardizes human rights by accommodating intrusive practices like blanket data retention and contains no safeguards or protections to prevent states from employing encryption-breaking powers they have under their domestic law, among other flaws.”

“It gives states a huge amount of leeway to decide whether or not to require human rights safeguards at all. Its underlying flaw is the assumption that, in accommodating all countries’ practices, states will act in good faith,” she said. 

“We know that is unlikely – the powerful global cooperation tools established by the convention will be abused.”