Update: This post has been updated to clarify the scope of the compelled assistance provisions and the broad nature of criminalization and electronic evidence gathering. The final version of the draft convention can still be used to expand the reach of repression under the pretext of combating cybercrime. By permitting broad international cooperation in surveillance for any crime deemed "serious" under national laws—defined as offenses punishable by at least four years of imprisonment—and without adequate robust safeguards, the draft convention risks being exploited by governments to suppress dissent and target marginalized communities. States should reject the convention in the upcoming UNGA meeting.
The proposed UN Cybercrime Convention is an extensive surveillance pact. It authorizes evidence gathering and sharing for any serious crime punishable by at least four years in prison under domestic law. However, it lacks the necessary checks and balances to prevent these powers from being abused. It requires states to aid each other in cybercrime investigations and prosecutions for crimes under this Convention, and allows the collection, preservation, and sharing of electronic evidence for any crime deemed serious by a country’s domestic law, with minimal and optional human rights safeguards. Negotiations for this draft treaty began in 2022, initiated by a controversial proposal from the Russian Federation. Millions of people, including human rights defenders, journalists, security researchers, and those speaking truth to power, will be affected. Without robust safeguards, the draft treaty risks becoming a tool for state abuse and transnational repression rather than fighting actual cybercrime. Below are our main concerns. For a comprehensive list, please refer to our appeal to EU Delegates.
EFF’s Key Concerns
The Title of the Draft Convention is Misleading and Problematic: Cybercrime is a real issue, but equating it with any crime involving ICTs is conceptually and practically harmful. Recent efforts at the domestic level to broaden its definition have led to the criminalization of legitimate activities, such as online criticism, religious expression, or LGBTQ support. In the proposed treaty, this framing encourages expansive interpretations that could lead to human rights abuses and transnational repression. Recommendation: Restrict the definition to "core cybercrimes" like technical attacks on computers, devices, data, and communications systems. Exclude human rights-protected activities from the scope of the treaty to prevent misuse and ensure these rights are not unjustly targeted due to equating cybercrime with any crime using ICT.
Expansive Scope and Over-Criminalization Risks: The draft Convention's criminalization chapter dangerously broadens its scope by including crimes like “grooming” and CSAM, not just cybercrimes. Article 4 transforms offenses that were designed for physical contexts and transposes them onto the digital environment without any adjustment. It also fails to specify whether a qualifying treaty or protocol must be one adopted by the UN General Assembly, or simply one that has been registered with the UN through the auspices of Article 102 of the UN Charter, such as any number of bilateral and multilateral instruments. Even worse, a proposed Protocol could add two more Ad Hoc sessions to discuss even more crimes, further expanding its broad scope. Recommendation: Criminalization must be limited to Articles 7 to 11.
Broad Scope of Evidence Gathering Powers Beyond Cybercrime Risks Being Abused for Domestic and Cross-Border Spying on Acts of Expression: The broad scope of Chapter V risks undermining law enforcement cooperation on actual cybercrime offenses by diluting resources. It allows one state to help another in surveillance for any so-called serious crime. Instead of merely facilitating cooperation on core cybercrime, this convention authorizes e-evidence gathering and sharing for any serious crime that a country chooses to punish with a sentence of at least four years, without meaningful limitations. Article 23(2)(c) also greenlights invasive measures on a wide range of crimes, which can be easily misused by governments to stifle dissent. Abuse of international cooperation mechanisms (e.g. Interpol red notice abuse) has been a persistent feature of the growing problem of transnational repression, and this convention creates a powerful multilateral tool without concrete operational mechanisms to prevent abuse in practice. Recommendation: Limit Articles 23(2)(c) and 35(1)(c) to Articles 7 to 11 and delete Article 23(2)(b). Support OHCHR’s recommendation to revise the definition of serious crimes to mean only “those involving death, injury, or other grave harms,” as merely suggesting respect for human rights safeguards within such a broad scope is important but insufficient because it lacks detailed robust safeguards against misuse and abuse. Ensure cooperation is limited to situations where there is a reasonable suspicion that legal assistance will produce evidence of a criminal offense.
Insufficient Human Rights Safeguards: Article 24(1), which addresses conditions and safeguards and includes the principle of proportionality, fails to explicitly include other crucial principles such as legality, necessity, and non-discrimination. Article 24.2 likewise adopts a number of safeguards including the need for judicial review and the need for grounds justifying the use of an investigative power, but leaves them as potentially discretionary and contingent on domestic law. Under international human rights law, an investigative measure must require prior authorization by a court and be subject to effective and independent oversight mechanisms, and affected persons must be notified of the surveillance and interception activities to which they are being subjected, where possible, and have access to effective remedies in cases of abuse. The State party should also ensure that all reports of abuse are thoroughly investigated and that such investigations lead to appropriate sanctions where warranted. The draft also lacks safeguards for confidentiality and privileged communications. These gaps raise concerns about the erosion of human rights: instead of creating global investigative cooperation on the basis of robust human rights safeguards, the draft treaty seeks to accommodate the worst surveillance practices.
Highly Intrusive Secret Spying Powers Without Robust Safeguards: The draft allows extensive secret surveillance with weak safeguards, posing significant risks both domestically and internationally. Article 47(2) authorizes direct police cooperation without any MLAT request. The lack of an MLAT request as a basis for cooperation not only means that MLAT vetting authorities are not involved, but also that many of the international cooperation safeguards (those that are premised on the need for a 'request' such as Articles 40.21 and 40.22) do not apply. Article 41 on the 24/7 network would require short-notice cooperation through the 24/7 network, for example, for locating a suspect, again in relation to any serious crime, diverting vital and scarce MLAT processing resources away from assessing requests for human rights abuses and from collaboration on actual cybercrime. This lack of transparency and accountability is a recipe for unchecked abuses of power and undermines trust in digital services.
Compelled Technical Assistance: The draft requires countries to adopt laws enabling authorities to compel anyone with knowledge of a particular computer system to provide **necessary information** to facilitate access. Such a provision could be easily abused to force employees in a tech company to reveal confidential information (for example, an engineer might be arbitrarily required to disclose an unfixed security flaw or provide signed encryption keys in the hands of the provider that protect data that could bypass security safeguards such as encryption). Recommendation: Delete Article 28(4).
Lawless Law Enforcement Cooperation Risks Human Rights Erosion: The current wording of Article 47 risks supporting broad law enforcement cooperation without detailing the necessary limitations and safeguards required under international human rights law. States should not use this Convention to authorize or require personal data sharing beyond the scope of existing mutual legal assistance treaties, the safeguards established under the MLA, and the MLA vetting mechanism. Removing these safeguards without providing comparable protections and limitations invites misuse of the mutual legal assistance framework for abuse and/or repression. Recommendation: Limit Article 47(1) to Articles 7-11, delete Articles 47(1)(b), (c), and (f), and reference Articles 24 and 36 in Article 47(2).
Insufficient Protection for Security Researchers and Other Public Interest Work: The draft Convention fails to exempt security research, journalism, and whistleblowing from criminalization, posing significant risks to cybersecurity and press freedom globally. This includes those involved in authorized testing or protection of ICT systems. However, the draft's provisions on illegal access, interception, and interference lack mandatory requirements for malicious criminal intent and harm, threatening to penalize security research efforts. Full list of recommendations available here.
Risks to LGBTQ and Gender Rights: The broad scope of the convention continues to pose significant risks to LGBTQ+ and gender rights. The domestic and international cooperation chapter could be exploited to target individuals based on their gender or sexual orientation, especially if domestic laws criminalize these expressions as serious crimes. This is particularly concerning given the history of cybercrime laws being misused to persecute marginalized groups. Recommendation: Restrict the scope of evidence gathering to core cybercrimes. Revise the definition of serious crime as per OHCHR’s recommendation.