On 8 August, UN member states agreed to what was once deemed implausible: a universal cybercrime convention. A Russia-led effort to challenge existing Euro-centric standards for law enforcement cooperation turned into an agreement that preserves human rights protections instead and focuses on actual cybercrimes.
But the new convention, which still awaits adoption by the UN General Assembly, may come at a price, as binding treaties and state sovereignty appear to surface as the guiding principles of global cyber governance.
In December 2019, when the idea for ‘a comprehensive international convention on countering the use of [information and communication technology] for criminal purposes’ was presented to the General Assembly, the international community was sharply divided. Russia, China and most Southeast Asian countries were among those that cast the 79 votes in favour, while 60 delegations (including Australia, most European states, Japan, Britain and United States) voted against.
Australia and likeminded partners have always argued there was already a legal mechanism in place: the Budapest Convention. Agreed under the purview of the Council of Europe in 2001, it facilitates cooperation between law enforcement agencies on cybercrime issues for joint investigations, sharing and recognition of digital evidence, jurisdictions and extraditions. The Budapest Convention also contains an agreed set of core cybercrimes and cyber-enabled crimes. It includes safeguards for human rights and other fundamental freedoms and a review mechanism and facilitates access to technical assistance.
This was now all going to be duplicated or, worse, hollowed out in the process of creating a UN convention. Indeed, throughout its negotiation process, attempts were made to broaden the remit of cybercrime. For example, China proposed criminalising the ‘dissemination of false information … that could result in serious social disorder’, while India advocated for criminalising offences related to ‘cyber terrorism’.
The problem with the Budapest Convention is that it’s in name and spirit a European convention. While non-members such as Australia, Brazil, Fiji, Nigeria, Philippines and Tonga are among the 76 states that are party to the treaty, it was too easy to dismiss as non-inclusive and non-representative. Russia, itself a former member of the Council of Europe, never signed it. Moscow cited a lack of respect for state sovereignty, because it would allow for cross-border law enforcement operations without the consent of that state. Other states, such as South Africa, followed this narrative.
But while the new UN cybercrime treaty isn’t perfect, it’s far from a slam-dunk victory for Russia and China. In fact, Russia, Iran, and Egypt continued to hold strong objections until the very last moment. Perhaps this is the strongest indicator of success in holding back attempts of further state repression in the digital realm.
In an early draft, Russia proposed various controversial points, such as an expanded list of crimes that would be criminalised and an erosion of democratic and human rights safeguards. While considered during negotiations, these offences did not make it into the final text.
Iran, with backing from Russia, called for seven rounds of voting to remove paragraphs that contained human rights safeguards. For instance, Iran sought the removal of an article allowing states to deny mutual legal assistance if they have reason to believe the investigation is discriminatory on the basis of a person’s sex, race, language, religion, nationality, ethnic origin or political opinion. The vote resulted in a resounding defeat: 102 against and only 23 in favour.
The strongest critique to the UN convention comes from civil society organisations and the tech industry. They believe that the convention is too broad in scope and could be misused for surveillance and repression by authoritarian states seeking prosecution of alleged criminals residing in foreign jurisdictions. Industry fears it could be compelled to hand over data against terms and conditions and the laws of their home jurisdictions. Others point out that the convention could allow states to prosecute whistleblowers and cybersecurity researchers.
Despite these shared concerns by industry and civil society, liberal-democratic governments conceded for the sake of global consensus.
The cybercrime convention will be presented to the UN General Assembly this year and, upon endorsement, will be opened to member countries for signature and eventual ratification. To come into force, it requires at least 40 signatories by 31 December 2026.
It remains to be seen whether that will be achieved in the time available. The US has made no such commitment, although it ‘welcomed the Committee’s adoption of the convention.’ Australia’s ambassador for cyber wrote that the convention first needs to be adopted (by a majority) in the UN General Assembly ‘before Australia will consider becoming a party to the Convention.’ Iran, in its final statement, said to ‘maintain reservations and objections on certain provisions and terms.’ Moscow only acknowledged the outcome, with Russia ‘as the inspirer and leader of the negotiations.’ Beijing has not issued a statement yet.
For decades, cyberspace was thought to be most effectively governed through collaborative multistakeholder interactions, in which governments, civil society, industry and the technical community would take responsibility for their share of the domain. The experience of the UN cybercrime convention, however, shows government-led proceedings take precedence and that cyber sovereignty is the rallying concept around which states find consensus.
In the long run, this may pave the way for other government-to-government treaties on issues such as critical infrastructure protection, state-on-state cyber operations during peacetime and ethical principles of AI. While this would provide authoritarian states with opportunity to strengthen control over the internet and related technologies, for liberal democracies sovereignty becomes the strongest line of defence against cyber-enabled transnational repression and undue foreign interference.