UN: Cybercrime treaty must not put human rights at risk

Image by: Oguzhan Akdogan

As the 5th negotiating session of the UN Cybercrime Convention begins in Vienna today, ARTICLE 19 reiterates that the proposed cybercrime treaty is unnecessary and continues to call for limiting its scope and for the inclusion of strong human rights safeguards. The new treaty must not become a tool that states can use against journalists, activists and human rights defenders to stifle free expression. 

During the 5th Negotiating Session in Vienna, ARTICLE 19 and partners are organising a hybrid media briefing on Thursday 13 April, at 7pm CEST. Further details at the end of this statement. 

The negotiations on the new international treaty to tackle cybercrime are entering an important phase this week, with only two sessions left before the final text is presented to the UN General Assembly next year. Civil society has been sounding an alarm about how the highly complex and technical discussions, with potentially grave implications for human rights protections, are being rushed through.

The treaty could have serious consequences for human rights, in particular the rights to freedom of expression, privacy and data protection.

The 5th Session is key. Following its conclusion, the Chair of the Ad Hoc Committee will prepare a complete ‘zero draft’ of the Convention, which the states will negotiate during the two final sessions. This session focuses predominantly on international cooperation, technical assistance and information and data exchange. Those procedural considerations are concerning because they will be applied when investigating and prosecuting a long list of crimes, including, among others, a host of speech-related offences that the states are seeking to introduce – and which pose a real threat to free expression around the world.


The scope of the treaty 

As ARTICLE 19 indicated in our previous analysis of the negotiating document, we are deeply concerned about the vast scope of the proposed treaty. The document includes 34 cybercrime offences, at least a dozen of which would criminalise broad forms of speech, likely to include expression protected under international human rights standards. In contrast, the Budapest Convention (the Council of Europe Convention on Cybercrime), the first international treaty seeking to address cybercrime, includes only nine offences – none of which are speech-related. 

Among the most concerning provisions are those seeking to criminalise dissemination of fake news, extremism, hate speech or incitement and terrorism. With no internationally agreed definitions and the highly contested nature of many of those concepts, such ‘crimes’ are ripe for abuse and, if introduced, could be used by states to target those critical of authorities. 

Additionally, it is concerning that the standards of serious harm and dishonest intent are not required in all the offences included in the negotiating document. The Convention should only be applicable to crimes where a person has dishonest intent when committing the crime and to those that cause ‘serious harm’. Without these considerations, the application of the Convention might lead to prosecution of a person who unknowingly shared a fake news article online, or a security researcher who used hacking techniques to identify vulnerabilities in a software system.

ARTICLE 19 urges the states to narrow the scope of the treaty so that it only relates to ‘cyber-dependent’ crimes (like distribution of malware or malicious infiltration of networks), rather than broad speech offences, many of which fail to comply with international freedom of expression standards. International human rights law already provides clear guidance on how to address terrorism and incitement-related issues. These offences do not belong in cybercrime legislation. 

Human rights safeguards 

The Convention will have huge implications for human rights around the world. As such, it must contain explicit and clear references to binding international legal instruments, including the International Covenant on Civil and Political Rights (ICCPR). It should also contain explicit procedural and human rights safeguards applicable to all sections of the treaty.

ARTICLE 19 and partners have previously warned that without such safeguards, the provisions of the treaty can easily be abused to target and oppress dissenting voices. 

Given the focus on cross-border investigative powers, the lack of adequate safeguards might also lead to situations where law enforcement or prosecutors are able to access personal data without independent judicial oversight. As many countries participating in the drafting process do not have sufficiently robust privacy legislation and practices, the Convention must include robust measures to effectively protect the right to privacy, anonymity and encryption.

These safeguards are also relevant for the obligations requiring service providers to ‘assist’ or ‘enable’ investigations. These procedural provisions are profoundly concerning. The vagueness of terms like ‘assist’ is especially problematic, as it could mean anything from disclosure of records to bypassing court orders and forcing private companies to, effectively, become extensions of law enforcement. At the request of states, providers could be compelled to disclose all kinds of information, insert security backdoors into products, weaken encryption, and engage in active surveillance of users. 

Any request to assist and cooperate in criminal investigations should be subject to prior judicial authorisation independent from the government.   

Crime prevention

Some of the prevention provisions under negotiation make reference to ‘detection’ of cybercrime, and to developing policies and strategies to prevent and eradicate ‘hate crimes’ perpetrated by means of technology.

ARTICLE 19 warns that these provisions might be used by states to require digital companies to analyse individuals’ communication and online activity via a general monitoring obligation. Apart from interfering with users’ privacy rights, a general monitoring obligation would likely lead to companies detecting and removing vast amounts of legitimate content, as content-monitoring technologies such as hash-matching algorithms and natural language processing tools are currently not advanced enough to distinguish legal from illegal content in a reliable manner. 

The concept of ‘hate crimes’ is used for the first time in the Convention under the prevention measures section. The scope and regulation of these offences vary across countries. The term usually refers to the commission of a criminal offence where the perpetrator targeted the victim in whole or in part out of a ‘bias motivation’. However, too often, the term is conflated with ‘hate speech’. Hate speech is cause for concern, but will not always constitute a criminal offence, and therefore is not a ‘hate crime’. Therefore, the Convention should avoid introducing broad concepts that allow for broad interpretation, in violation of the requirement of legal certainty.   

Cybercrime laws around the world

Many aspects of the proposed Convention follow a growing trend of restrictive cybercrime laws around the world. ARTICLE 19 has analysed a number of such instruments, which are routinely subject to abuse, and used to attack freedom of expression, undermine privacy, and exert greater control over people’s legitimate online activities.

One example is Tunisia, where the recently adopted decree-law on cybercrime is already being used to prosecute media outlets, lawyers and students for criticising government officials and for other forms of protected speech. The law contains provisions such as the prohibition of dissemination of false news, and other speech offences that go against international human rights law and way beyond what could be considered ‘cyber-dependent’ crimes – in a very similar way to some of the offences included in the negotiating document.  

In Thailand, the Computer-related Crimes Act allows the government nearly unfettered authority to engage in surveillance and censorship, conduct warrantless searches, and undermine online anonymity. It establishes a number of vaguely defined crimes, capable of multiplying sentencing by up to 10 or 20 times. New provisions have been added subsequently to further expand jurisdiction over new categories of service providers, impose stricter localisation requirements, and greater identity verification demands.

In Sudan, the Cybercrime Law punishes numerous content-based offences that have nothing to do with preventing cybercrime. These include provisions on provoking hatred against foreigners, defamation, insults and abuses that fail to comply with freedom of expression standards. The Cybercrime Law has been used in the past to suppress independent journalism and reporting during the Covid-19 pandemic. Several Sudanese journalists and activists were persecuted and threatened using the law over publications they posted on social media criticising the authorities.

As negotiations continue, states must not lose sight of the fact that the content offences included in the treaty, coupled with the lack of strong human rights and procedural safeguards, will enable the creation of a global restrictive regulatory system. It will effectively provide an international carte blanche for those who want to use it as a tool to attack free expression, infringe on privacy and data protection and endanger individuals and communities globally. 


During the 5th Negotiating Session in Vienna, ARTICLE 19 and partners are organising a hybrid media briefing on Thursday 13 April, at 7pm CEST. 

Speakers from ARTICLE 19, Access Now, Electronic Frontier Foundation, Epicenter.works and Global Partners Digital, all participants in the UN negotiations, will discuss the threats that the treaty poses to human rights and freedom of expression, and provide insight into its potential impacts on communities, internet users and tech companies globally. 

To find out more, please email Aga Maciejewska on [email protected] or [email protected]

Briefing link:

Webinar ID: 832 0117 2658
Passcode: 13042023