Published
August 28, 2024
The United Nations is on the cusp of finalizing the UN Cybercrimes Convention. It is a first-of-its-kind treaty that establishes a global framework to combat cybercrimes, ranging from unauthorized access to information systems to online child exploitation and the distribution of non-consensual explicit content.
With its emphasis on international collaboration to address threats to vulnerable populations and curb the spread of malicious software, ransomware, and explicit content-related offenses, the UN’s goals are laudable, reflecting a genuine commitment to address some of the most pressing challenges in the digital age.
However, the UN’s approach and the draft text of the Cybercrime Convention are fundamentally flawed. Absent important changes, the U.S. Chamber recommends the U.S. abstain from the UN Cybercrimes Convention vote.
Flaws in the Treaty
First, we should all be concerned that the treaty has been “commandeered” by Russia, warranting skepticism among democratic countries and stakeholders alike.
Second, it does not adequately address data security issues, leaving significant gaps in the protection of personal and sensitive information.
Third, the agreement fails to provide the robust privacy safeguards needed to avoid government overreach, unchecked surveillance, and unauthorized access to sensitive data.
Finally, throughout the negotiation process, civil society groups have also raised concerns about government overreach and the balance between security and human rights. In a letter this past February to the Chair of the UN’s Ad Hoc Committee on Cybercrime, these organizations partnered with business groups to highlight their deep concern over “the adoption of such a flawed treaty without major changes.” The U.S. has experienced its own challenges in this space, reflected in Washington ultimately scaling back the extent of commitments agreed upon by some 60 countries when the U.S.-led Declaration for the Future of the Internet was launched in 2022.
Chamber at UNGA
Alternative Approaches
There are other options that don’t face the same challenges as the UN Cybercrimes Convention. The Budapest Convention offers a rights-respecting approach to international cooperation and capacity building to investigate and fight cybercrimes. It has been in effect for 20 years, 76 nations are party to it, and another 17 countries eligible to and interested in acceding.
Similarly, the OECD’s Declaration on Government Access to Personal Data Held by Private Sector Entities, adopted in December 2022, offers a more balanced and effective approach to addressing cybercrime. This agreement emphasizes robust data privacy and data protection safeguards, helping to ensure that government access to data is transparent and accountable. It promotes the use of mutual legal assistance treaties (MLATs) to facilitate cross-border data requests, thereby enhancing international cooperation without compromising individual rights. Finally, the OECD agreement encourages the adoption of best practices and standards for data security, providing a comprehensive framework that can be operationalized by countries worldwide.
Bottom Line
While the UN Cybercrimes Convention rightfully focuses on tackling global cybercrime, its shortcomings in data security, privacy and procedural safeguards, and the human rights concerns raised by civil society groups cannot be easily overlooked. The Chamber recommends the U.S. abstain from the UN Cybercrimes Convention vote and focus instead on addressing its flaws.
About the authors
Jordan G. Heiber
Jordan Heiber leads the Chamber’s international privacy and data flow policy portfolio and manages a team responsible for the full suite of digital policy issues, including cybersecurity, artificial intelligence, and more.