23 January, 2024
We, the undersigned organizations and individual experts call on the state delegations participating in the concluding session of the United Nations (UN) Ad Hoc Committee to ensure that the proposed Cybercrime Convention (the Convention) is narrowly focused on tackling cybercrime, and not used as a tool to undermine human rights. Absent meaningful changes to address these shortcomings, the Convention should be rejected.
Civil society groups have contributed time and expertise to improve the draft and fully align it with existing human rights law and standards, the principles of the UN Charter and the rule of law, as well as best practices to provide legal certainty in efforts to improve cybersecurity. Our concerns about the proposed text of the Convention are informed by our experience and human rights advocacy around the world. National and regional cybercrime laws are regrettably far too often misused to unjustly target journalists and security researchers, suppress dissent and whistleblowers, endanger human rights defenders, limit free expression, and justify unnecessary and disproportionate state surveillance measures.
Throughout the negotiations over the last two years, civil society groups and other stakeholders have consistently emphasized that the fight against cybercrime must not come at the expense of human rights, gender equality, and the dignity of the people whose lives will be affected by this Convention. It should not result in impeding security research and making us all less secure. Robust and meaningful safeguards and limitations are essential to avoid the possibility of abuse of relevant provisions of the Convention that could arise under the guise of combating cybercrime. Regrettably, the latest draft of the proposed Convention, which is due to be finalized by February 2024, fails to address many of our significant concerns. We believe that if the text of the Convention is approved in its current form, the risk of abuses and human rights violations will increase exponentially and leave us with a less secure internet.
We are particularly concerned that the latest draft of the Convention:
- Remains over-broad in the scope of the range of the activities it requires states to criminalize. It includes cyber-enabled offenses and other content-related crimes and creates legal uncertainty through an open-ended reference to crimes under other “applicable international conventions and protocols.” This overbroad scope gives rise to the danger that the Convention will be used to criminalize legitimate online expression, which is likely to create discriminatory impacts and deepen gender inequality;
- Fails to incorporate language sufficient to protect security researchers, whistleblowers, activists, and journalists from excessive criminalization;
- Contains insufficient references to states’ obligations under international human rights law, includes weak domestic human rights safeguards in its criminal procedural chapter, and fails to explicitly incorporate robust safeguards applicable to the whole treaty to ensure that cybercrime efforts provide adequate protection for human rights and are in accordance with the principles of legality, non-discrimination, legitimate purpose, necessity, and proportionality;
- Lacks effective gender mainstreaming which is critical to ensure the Convention is not used to undermine people's human rights on the basis of gender;
- Proposes to create legal regimes to monitor, store, and allow cross-border sharing of information in a manner that would undermine trust in secure communications and infringe on international human rights standards, including the requirements for prior judicial authorization and the principles of legality, non discrimination, legitimate purpose, necessity, and proportionality;
- Permits excessive information sharing for law enforcement cooperation, beyond the scope of specific criminal investigations and without specific, explicit data protection and human rights safeguards.
The Convention should only move forward if it pursues a specific goal of combating cybercrime without endangering the human rights and fundamental freedoms of those it seeks to protect nor undermining efforts to improve cybersecurity for an open internet. The present draft text falls far short of this goal and these basic minimum requirements, and must be comprehensively revised, amended, or rejected.
Therefore, we call on all state delegations to:
- Narrow the scope of the whole Convention to cyber-dependent crimes specifically defined and included in its text;
- Make certain the Convention includes provisions to ensure that security researchers, whistleblowers, journalists, and human rights defenders are not prosecuted for their legitimate activities and that other public interest activities are protected;
- Guarantee that explicit data protection and human rights standards - including the principles of non-discrimination, legality, legitimate purpose, necessity and proportionality - are applicable to the whole Convention. Specific, explicit safeguards, such as the principle of prior judicial authorization, must be put in place for accessing or sharing data, as well as for conducting cross-border investigations and cooperation in accordance with the rule of law;
- Mainstream gender across the Convention as a whole and throughout each article in efforts to prevent and combat cybercrime;
- Limit the scope of application of procedural measures and international cooperation to the cyber-dependent crimes established in the criminalization chapter of the Convention;
- Avoid endorsing any surveillance provision that can be abused to undermine cybersecurity and encryption.
As the UN Ad Hoc Committee convenes its concluding session, we call on state delegations to redouble their efforts to address these critical gaps in the current draft. The final outcome of the treaty negotiation process should only be deemed acceptable if it effectively incorporates strong and meaningful safeguards to protect human rights, ensures legal clarity for fairness and due process, and fosters international cooperation under the rule of law. The proposed Convention must not serve as a validation of intrusion and surveillance practices harmful to human rights.
Absent these minimum requirements, we call on state delegations to reject the draft treaty and not advance it to the UN General Assembly for adoption.
Submitted by NGOS participating under operative paragraphs 8 or 9
Access Now
Association for Progressive Communications (APC)
ARTICLE 19
Center for Democracy and Technology
CyberPeace Institute
Data Privacy Brasil
Derechos Digitales
Electronic Frontier Foundation
Freedom House
Global Partners – Digital
Hiperderecho
Human Rights Watch
Instituto Panamericano de Derecho y Tecnologia (IPANDETEC)
International Commission of Jurists (ICJ)
Jokkolabs Banjul
Jonction – Senegal
Kenya ICT Action Network (KICTANet)
Privacy International
R3D: Red en Defensa de los Derechos Digitales
Temple University, Institute for Law, Innovation & Technology (iLIT)
Signatories supporting the statement
7amleh - The Arab Center for the Advancement of Social Media
ActiveWatch
Advocacy for Principled Action in Government
Afghanistan Journalists Center (AFJC)
Africa Freedom of Information Centre (AFIC)
AfroLeadership
Albanian Media Institute
Alliance of Independent Journalists Indonesia (AJI)
Alternatif Bilisim (AiA-Alternative Informatics Association)
Alternative ASEAN Network on Burma (ALTSEAN)
Bahrain Center for Human Rights
Bangladesh NGOs Network for Radio & Communication (BNNRC)
BC Civil Liberties Association (BCCLA)
Bytes for All
Cambodian Center for Human Rights (CCHR)
Cambodian Center for Independent Media (CCIM)
Cartoonists Rights Network International
Center for Media Freedom and Responsibility
Centre for Feminist Foreign Policy (CFFP)
Centre for Free Expression (CFE)
Centre for Information Technology and Development (CITAD)
Centre for Independent Journalism (Malaysia)
Chaos Computer Club (CCC)
Committee to Protect Journalists
Douwe Korff, Emeritus Professor of International Law, London Metropolitan University
Digital Empowerment Foundation
DigitalReach
Digital Rights Foundation
Digital Rights Ireland
Digitale Gesellschaft
Electronic Privacy Information Center (EPIC)
Epicenter.works - for digital rights
European Center for Not-for-Profit Law (ECNL)
European Digital Rights (EDRi)
European Summer School in Internet Governance (EURO-SSIG)
Federation of Nepali Journalists
Foundation for Media Alternatives
Fundación Karisma
Fundación Internet Bolivia
Foundation for Information Policy Research
Freedom Forum, Nepal
Free Media Movement – Sri Lanka
Globe International Center
Government Information Watch
Gulf Center for Human Rights (GCHR)
Human Rights Network for Journalists-Uganda (HRNJ-U)
IFoX (Initiative for Freedom of Expression–Turkey)
Independent Journalism Center Moldova
International Civil Liberties Monitoring Group (ICLMG)
International Federation of Human Rights (FIDH)
International Press Institute (IPI)
International Press Centre (IPC) Lagos-Nigeria
Institute for Research on Internet and Society (IRIS)
Instituto de Pesquisa em Direito e Tecnologia do Recife – IP.rec
Instituto Nupef
IT-Pol Denmark
Japan Comuter Access Network (JCA-NET)
Korean Progressive Network Center – Jinbonet
Laboratory of Public Policy and Internet - LAPIN
LaLibre.net Tecnologías Comunitarias
Ligue des droits de l’Homme (LDH)
Maharat Foundation
Media Foundation for West Africa (MFWA)
Media Rights Agenda (MRA)
Media Institute of Southern Africa (MISA)
Media Policy Institute
Media Watch
Metamorphosis Foundation
Mizzima
OpenMedia
Pakistan Press Foundation
Palestinian Center for Development & Media Freedoms (MADA)
Paradigm Initiative (PIN)
PEN International
Restore the Fourth
Social Media Exchange (SMEX)
SocialTIC
South East Europe Media Organisation (SEEMO)
South East European Network for Professionalization of Media (SEENPM)
Southeast Asia Freedom of Expression Network (SAFEnet)
Statewatch
Surveillance Resistance Lab
Surveillance Technology Oversight Project (STOP)
Syrian Center for Media and Freedom of Expression
TEDIC
The Tor Project
Unwanted Witness
Valerie Steeves, Full Professor, Department of Criminology, University of Ottawa
Vigilance for Democracy and the Civic State
Wolfgang Kleinwaechter, Professor Emeritus, University of Aarhus, former ICANN Board Member