The United Nations (UN) General Assembly adopted a new Convention against Cybercrime on December 24th, 2024. Several years of negotiation between UN member states concluded in a treaty that aims to prevent and combat cybercrime more effectively. UN officials praised the Convention as a major victory for multilateralism, and institutions like INTERPOL welcomed it as an important step against cybercrime. However, civil rights and digital liberty organizations criticized the treaty in a statement released at the end of October, urging European Union (EU) member states to vote against it. They argue that the convention is lacking in important areas of data protection, which would permit intrusive surveillance practices and might ultimately make the world less safe.
The international law enforcement agency INTERPOL released a statement welcoming the adoption of the treaty. It welcomed a potentially legally binding international treaty on the topic, citing “a sharp escalation in the scale and complexity of cyber attacks, which increased by a record 75 per cent year-on-year in the third quarter of 2024.” International data collection and evidence sharing would make the prosecution of cybercrimes around the world easier.
The treaty works by providing a legal basis for countries to cooperate in the prevention, investigation, and prosecution of cybercrime. Law enforcement agencies can request assistance from other countries in cybercrime cases, in the form of data gathering and the sharing of digital evidence. What is considered a criminal offence is left up to the domestic laws of the respective countries. A country might request assistance for an action that constitutes a criminal offence in that country. If that action does not constitute a criminal offence in the country from which assistance is requested, that country is not obliged to comply.
According to the Electronic Frontier Foundation (EFF), the convention does not include adequate measures to ensure human rights, and instead “authorizes open-ended evidence gathering and sharing for any serious crime that a country chooses to punish with a sentence of at least four years or more, without meaningful limitations”. Because of this, the foundation sees the treaty as being at odds with existing human rights law in several respects. These include the legal protection of the use of data encryption warranted by the High Commissioner for Human Rights. Ultimately, the convention might present a legal basis for repressive regimes to seek assistance in the prosecution of “good faith security research, whistleblowers, and journalistic activities,” according to the EFF. This is because it allows for prosecution under domestic law, without regard for international human rights law. While countries do not have to comply with requests for assistance that conflict with their domestic law, assistance would still be possible in cases where domestic law itself violates international human rights law. Negotiations are also continuing on a supplementary protocol that could give nations even more grounds for international surveillance by expanding the scope of the treaty beyond cybercrimes, according to the EFF.
Criticism also came from the Chaos Computer Club (CCC), Europe's biggest ethical hacker association. At its annual conference, Constanze Kurz, author and a spokeswoman of the association, reiterated that the treaty would call for massive surveillance regimes and would undermine existing human rights protections. Specifically, the treaty would make it more difficult for security researchers to investigate and responsibly disclose findings such as data leaks or ways to bypass digital security systems. Instead of being able to investigate digital systems and their security and flag problems via responsible disclosure, security researchers and journalists might face fines or jail time for uncovering and helping to fix vulnerabilities that leave users at risk. In responsible disclosure, people who find security problems are encouraged to notify the owner of a digital product and inform them of the flaw in their system, giving them the opportunity to take action before actual harm occurs. This is widely regarded as a digital security best practice and is used by companies like Google and institutions like the European Central Bank. Impending legal problems for people who report security problems could ultimately lead to a decrease in the overall security of digital systems, as vulnerabilities are left undisclosed, open to be discovered, and exploitable by malicious actors.
This kind of ethical hacking has been happening in legal grey areas, and is part of the issues that the convention aimed to address. The recent case of Lilith Wittmann highlighted the potential difficulty and conflict of interest that responsible disclosure can bring. The German security researcher Lilith Wittmann had discovered a security flaw in software used by the German Christian Democratic party (CDU), which she responsibly disclosed. The CDU reacted by pressing charges against Ms. Wittmann, which led to the CCC announcing it would no longer disclose to the CDU any security vulnerabilities its members find. The CDU later backtracked, but an investigation by law enforcement was launched nonetheless. It found that Ms. Wittmann had not in fact broken any digital security measure, as the personal data of the almost 20,000 party volunteers and supporters were not protected by any measures at all. Digital rights organizations have long pushed for legislation to protect security researchers, but the new UN convention seems instead to increase the danger that researchers face when responsibly disclosing vulnerabilities.
The contentious treaty joins the ranks of legislation that ignores voices of reason in favour of surveillance and prosecution, according to the CCC. Many legislative processes invite representatives of civil society and field experts to make sure all voices get heard and are able to influence the legislation in a fair way. However, according to Elina “khaleesi” Eickstädt, another spokeswoman of the association, statements by civil society and industry experts are more a box to be checked than an actual part of the legislative process. Factual arguments and criticism brought up by these actors are increasingly being ignored instead of being factored into the legislation. The EU’s High-Level Working Group on access to data for effective law enforcement had previously released a controversial document calling for extensive data collection abilities for law enforcement, which would undermine end-to-end encryption amongst other things.
What the effects of the new treaty will be remains to be seen. For now, however, it passed without a vote in the General Assembly's 79th session and will open for ratification in 2025. To become legally binding, the convention has to be ratified by 40 UN member states, a threshold that is expected to be reached easily. 90 days after the 40th state ratifies the convention, the treaty will enter into force.