Hi! I’m Marshall Green, an incoming third-year student at the University of Southern California and a former research intern at the Centre for Diplomacy and Strategy (CSDS), where I assisted research on the geopolitics of the semiconductor industry. With experience across both policy and technical domains, I’m broadly interested in the intersection of AI, cybersecurity, and digital governance. This is my take on a significant global development: the UN Convention against Cybercrime. Enjoy the read!
Last December, the United Nations General Assembly adopted the long-debated United Nations (UN) Convention against Cybercrime. The agreement carries substantial historical weight: it is the first global treaty on digital offences. It also comes at a critical time, as the cost of cybercrime is rapidly growing, with projections of over $1.2 trillion USD in annual global losses.
Adoption of the treaty could be praised as a sign of the resilience of multilateral cooperation in a period of global fragmentation. However, its vague content and language create legal uncertainty, undermining its capacity to respond adequately to cyber threats.
Global support for the treaty is thin. Over 150 civil society organisations, lawmakers, and tech companies, including the Electronic Frontier Foundation (EFF), United States Senators, and Microsoft, have warned that the text’s vague wording could “potentially criminalise common security practices because of ambiguity in the text.” Ambiguity creates liability.
The UN Cybercrime Convention aims to promote international cooperation and strengthen measures to prevent cybercrime. It outlines the processes for states to exchange data and exercise enforcement powers, affecting both the private and public cyber sectors globally. While the treaty aims to harmonise cooperation, the text defers most safeguards to national laws, increasing the chances of international inconsistencies.
Two Articles, Little Clarity
Articles 27 and 11 of the UN treaty stand out because they grant governments strong enforcement powers while providing vague language and few safeguards against overcriminalisation.
First, Article 27 (the production order) allows states to compel individuals or service providers within their jurisdiction to produce “electronic data” without requiring any uniform standard of oversight or any threshold for the criminal matters that qualify; the safeguards are left to domestic law. As a result, states with weak legal safeguards could weaponise the vague language to acquire confidential information without proper oversight or judicial authorisation.
The text’s expansive definition of “electronic data,” which includes “any representation of facts, information, or concepts” that a computer processes, heightens the risk of government overreach because the definition does not require the data to be communicated. Governments can access confidential information, such as recorded conversations or health data, privately stored on devices.
For example, a government could compel a local journalist to disclose private data such as unpublished reporting, interviews, or source information. Without a requirement of proper judicial review, oppressive regimes could intimidate journalists and unmask whistleblowers under the pretence of a lawful investigation.
Second, Article 11, which focuses on the misuse of devices, appears narrow on face value, but a few broad, undefined terms allow for aggressive applications.
The clause “adapted primarily” in the sentence “A device, including a program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with articles 7 to 10 of this Convention,” is never clarified. With this wording, dual-use security tools such as Metasploit or Network Mapper (Nmap) could fall within scope, since the same capabilities that support authorised testing can be “adapted” for intrusion. Paragraph 2 exempts conduct “such as for authorised testing or protection,” but does not define who grants or verifies that authorisation. Without a clear uniform standard, ethical hackers and security researchers are at risk of prosecution, eroding a key part of any robust cyber defence.
Additionally, the third paragraph of Article 11 allows states to reserve the right not to apply certain of the device offences. This flexibility introduces regulatory inconsistency because no global norm is set. One signatory could prosecute the use of Nmap, an open-source tool for discovering hosts and scanning ports on computer networks, while another could exercise its right to decline criminalisation. This asymmetry fosters disunity instead of a unified regulatory regime.
Flaws in Flexibility
The text’s “technology-neutral” language aims to provide flexibility in managing a rapidly changing technological landscape. This approach criminalises actions instead of specific technologies, aiming to keep the treaty adaptable to global developments.
But ambiguous language can also be used to bypass the treaty’s objectives. Terms essential to prosecuting digital crime, such as “cybercrime,” “unauthorised access,” and “electronic data,” have unclear meanings, opening a Pandora’s box of legal interpretations.
For instance, dangerous ambiguity of this kind surfaced in 2007, when Germany passed legislation intended to curb cybercrime, but its vague language against “hacker tools” left security researchers and ethical hackers liable to prosecution for using standard security tools.
Moreover, national courts could reach conflicting interpretations of which actions constitute digital crime, creating more international uncertainty than cooperation. The Netherlands and Russia, for instance, are expected to agree on what actions constitute a “cybercrime” even though their criminal justice systems are fundamentally different. This diplomatic divide already surfaced during negotiations, when the US and Europe disagreed with Russia, Belarus, and China on the scope of the treaty.
The unclear treaty provisions also introduce a litany of economic risks. Global service providers must now navigate a myriad of conflicting national laws to avoid the repercussions of non-compliance. Firms often choose the most restrictive interpretation to avoid liability, and will therefore err on the side of over-compliance, delaying private-sector cybersecurity innovation and the international sharing of threat intelligence. Firms will prioritise regulation over innovation, chilling economic growth.
Additionally, weakened dual-criminality measures pose significant geopolitical risks. Article 35(3) allows the test to be “deemed fulfilled” if the underlying conduct is a crime in both states, even if each labels or categorises it differently. Article 40(8) then allows the requested state, at its discretion, to honour a cooperation request even when the conduct is not criminal in its own jurisdiction, so absence of dual criminality is no longer a firm ground for refusal. Revisionist powers like Russia and China could thus seek data or assistance for offences framed broadly in their legislation, leaving the requested country under pressure to comply. In doing so, the treaty may not reduce cybercrime but instead internationalise national agendas, damaging trust and cooperation between competing legal systems.
Finally, the UN treaty has no centralised institutional mechanism to resolve disputes or clarify terms. The only instrument for correction, the Conference of States Parties, cannot take up amendments to the text until five years after the Convention enters into force. Given the constantly changing nature of the cyber domain, such a delay in updates could be costly. Absent proper oversight, states will enforce the treaty according to their own strategy, further widening the global divide on cyber norms.
The Budapest Convention: An Effective Status Quo Solution
Nevertheless, solutions exist. Ambiguity is a preventable problem, as international precedents prove. To remain adaptable, tech-neutral language must be anchored in established legal precedent and norms. Canada’s 1985 revision to its Criminal Code highlights the benefits of tech-neutral language grounded in precedent. It extends the four mischief elements of property offences (destruction, rendering useless, obstruction, and interference) to computer data, giving digital offences the same legal backing as property crimes.
Canada’s domestic achievement reflects what the Budapest Convention accomplishes globally with its precise, precedent-based tech-neutral wording. Ratified by the U.S., Japan, and most European states, the Convention provides clear offence definitions, dual-criminality rules, and limits on cross-border data acquisition, measures essential to balancing digital sovereignty with multinational cooperation. Articles 2-11 of the Budapest Convention set out clear criteria for cybercrimes.
Furthermore, Budapest’s Article 32 clearly details the only two circumstances under which investigators may access data stored in another party’s territory without that party’s authorisation: first, when the material is publicly available (open source), and second, when investigators obtain the lawful and voluntary consent of the person with lawful authority to disclose the data. By contrast, the UN treaty lacks a clearly defined scope, opening the floodgates to a digital Wild West.
The Risks of the Status Quo
To conclude: advocates suggest that the symbolic weight of a global treaty is invaluable. But as this article argues, unless its provisions and operational vision are clearly defined, the treaty risks doing more harm than good.
Solid article, am looking forward to additional contributions from this ambitious & insightful young writer.
Excellent analysis Marshall! I learned a lot about this topic from your article.