CIVICUS discusses the United Nations (UN) Convention against Cybercrime with Pavlina Pavlova, Cybercrime Working Group Lead at the Alliance of NGOs on Crime Prevention and Criminal Justice. The Alliance seeks to ensure effective civil society participation in multilateral discussions on crime and justice issues.

The Convention, adopted in December 2024, will open for signature at a ceremony in Hanoi, Vietnam on 25 October. It seeks to strengthen international cooperation against cybercrime, but its origins, in a 2019 Russian resolution that faced significant opposition from democratic states, are contentious. Civil society has raised serious concerns about its broad scope and lack of adequate human rights protections, and is now advocating for inclusive oversight mechanisms that can prevent misuse of its far-reaching powers.

What’s the UN Convention against Cybercrime trying to achieve, and how did it come about?

The Convention aims to improve international cooperation on the exchange of electronic evidence concerning transnational cybercrime. Its origins, however, reveal deep divisions in the international community.

Negotiations began with a Russian resolution passed in 2019. Western states, already parties to the Council of Europe’s Budapest Convention on Cybercrime, opposed the initiative and argued that existing frameworks were adequate and sufficient. The Intergovernmental Expert Group on Cybercrime met seven times between 2011 and 2021 without reaching an agreement on the need and feasibility of a UN treaty on cybercrime. This reluctance prompted Russia to bring the issue before the UN General Assembly, where it secured a majority vote in favour of a resolution on treaty negotiations.

The process began inauspiciously: the first session took place at the start of Russia’s full-scale invasion of Ukraine. Nevertheless, most states actively engaged in constructive negotiations. The backbone of the outcome document copies the Budapest Convention and also draws from the UN Convention against Transnational Crime and the UN Convention against Corruption.

The UN General Assembly adopted the text on 24 December last year, and the treaty has already attracted significant support. Over 30 countries have signalled their intention to sign the Convention in Hanoi and start the ratification process. Several rationales explain this shift: the Convention’s proximity to existing frameworks, the potential to improve cooperation with states that have remained outside this cooperation and the influence states that have ratified the Convention can exert on implementation and potential future protocols from within, particularly regarding the human rights standards that must be ensured when this criminal justice mechanism is implemented in practice.

How did civil society engage with the process, and what impact did it have?

Civil society was actively engaged in the Ad Hoc Committee tasked with elaborating the draft Convention. The committee had what we now refer to as a ‘gold standard’ for stakeholder participation rules, which allowed external voices to participate without any single state having veto power over the participation of individual organisations. Around 200 organisations from civil society and academia and the private sector were accredited to join the process.

However, stakeholder engagement still had significant limitations, particularly toward the end of negotiations, when speaking time was strictly limited. The most critical and divisive issues were addressed in closed informal meetings stakeholders could not observe.

Despite these constraints, stakeholder input proved valuable. The final document greatly benefited from the rich feedback, and there was clear consensus across civil society organisations and technology companies on identifying the most harmful provisions.

The private sector is the custodian of data and builds and operates the digital infrastructure: companies are trying to protect their customers. Civil society organisations help victims, work with communities and observe how legislation is applied in practice. The negotiations came at a time when cybercrime law is increasingly being used to target human rights defenders, media workers, political opponents and vulnerable people in several countries.

Even if a state negotiates in good faith, it may not be aware of all the consequences of this legislation across diverse jurisdictions or how provisions can be misused. This is the fundamental challenge with a global convention: once it is translated into national codes of law, it can be used in various ways, particularly because the agreed text is vague. This is why impact will depend on how states adopt the text into their systems, the capacity of law enforcement and legal systems to keep up with cybercriminals, the support victims of cybercrime receive and who can review the implementation process and to what outcome.

What’s your assessment of the final text?

As argued in unison by the stakeholder community, the Convention is extremely broad and gives states expansive powers. Its effect will depend on which, with what capacity and toward what goals states choose to use this treaty. The Convention’s global reach makes a strong oversight mechanism critical.

The text includes only the bare minimum of human rights standards necessary for countries already part of the Budapest Convention to sign and ratify it. It falls short of providing sufficient safeguards and lacks what civil society and stakeholders at large were arguing for, which was to mainstream human rights safeguards across the document, ensure these provide guardrails to the application of different provisions and tie them directly to agreed-upon international human rights frameworks.

There are some positive elements. The Convention includes non-consensual dissemination of intimate images in its list of criminalised offences. This crime is alarmingly common and growing, particularly among young adults. Surveys over the years show that on average one in 10 adults have reported being threatened with exposure of intimate images. In around 90 to 95 per cent of reported cases of non-consensual sharing of intimate images the targets are female. The abuse is exacerbated by the use of AI image generators. Studies show that 99 per cent of deepfake pornography content targets women and girls. In many countries, specific laws to target publication of this content and tools to bring justice to victims are inadequate or completely missing. A global framework that recognises the need to investigate and prosecute such deeply personal crimes can help some of the most vulnerable victims.

What are the next steps?

The Convention will certainly reach the 40 signatures needed to become a UN instrument. Among others, the European Union has already published its decision to sign the treaty in Hanoi. The overall impact across the world will then depend on which states implement the treaty and how. States can put forward reservations and excuse themselves from particular treaty obligations. It will be up to their national approval mechanisms, parliaments and authorities to agree with the individual provisions and up to their criminal justice systems to interpret and apply them.

Beyond ratification, capacity remains crucial. Cybercrime in its many forms – including online child pornography, ransomware and sextortion – is more frequent and more aggressive year by year. How the Convention will look in practice will also depend on the forensic capacity and resources of countries to investigate and prosecute cybercrimes.

The immediate focus for civil society is on the rules of procedure for the Conference of States Parties, the body that will review treaty implementation and agree any additional protocols. These rules are currently being negotiated in several informal rounds in Vienna, closed to stakeholder participation. The Ad Hoc Committee will reconvene in January for a session tasked with preparing the draft text.

This negotiation matters because it will determine how civil society, as well as academic institutions, the private sector and other experts that gather evidence and provide capacity in cybercrime investigations, can access the Convention’s conference and its subsidiary bodies. The Alliance’s working group on cybercrime has intensively focused on securing inclusive rules of procedure, working across UN bodies, member states and stakeholder groups to ensure  the Ad Hoc Committee model that has served the negations so far is continued.