Amend or reject: Joint statement on the UN Cybercrime Treaty

We, the undersigned organizations and individual experts call on the state delegations participating in the concluding session of the United Nations (UN) Ad Hoc Committee to ensure that the proposed Cybercrime Convention (the Convention) is narrowly focused on tackling cybercrime, and not used as a tool to undermine human rights. Absent meaningful changes to address these shortcomings, the Convention should be rejected.

Civil society groups have contributed time and expertise to improve the draft and fully align it with existing human rights law and standards, the principles of the UN Charter and the rule of law, as well as best practices to provide legal certainty in efforts to improve cybersecurity. Our concerns about the proposed text of the Convention are informed by our experience and human rights advocacy around the world. National and regional cybercrime laws are regrettably far too often misused to unjustly target journalists and security researchers, suppress dissent and whistleblowers, endanger human rights defenders, limit free expression, and justify unnecessary and disproportionate state surveillance measures.

Throughout the negotiations over the last two years, civil society groups and other stakeholders have consistently emphasized that the fight against cybercrime must not come at the expense of human rights, gender equality, and the dignity of the people whose lives will be affected by this Convention. It should not result in impeding security research and making us all less secure. Robust and meaningful safeguards and limitations are essential to avoid the possibility of abuse of relevant provisions of the Convention that could arise under the guise of combating cybercrime. Regrettably, the latest draft of the proposed Convention, which is due to be finalized by February 2024, fails to address many of our significant concerns. We believe that if the text of the Convention is approved in its current form, the risk of abuses and human rights violations will increase exponentially and leave us with a less secure internet.

We are particularly concerned that the latest draft of the Convention:

  • Remains over-broad in the scope of the range of the activities it requires states to criminalize. It includes cyber-enabled offenses and other content-related crimes and creates legal uncertainty through an open-ended reference to crimes under other “applicable international conventions and protocols.” This overbroad scope gives rise to the danger that the Convention will be used to criminalize legitimate online expression, which is likely to create discriminatory impacts and deepen gender inequality;
  • Fails to incorporate language sufficient to protect security researchers, whistleblowers, activists, and journalists from excessive criminalization;
  • Contains insufficient references to states’ obligations under international human rights law, includes weak domestic human rights safeguards in its criminal procedural chapter, and fails to explicitly incorporate robust safeguards applicable to the whole treaty to ensure that cybercrime efforts provide adequate protection for human rights and are in accordance with the principles of legality, non-discrimination, legitimate purpose, necessity, and proportionality;
  • Lacks effective gender mainstreaming which is critical to ensure the Convention is not used to undermine people’s human rights on the basis of gender;
  • Proposes to create legal regimes to monitor, store, and allow cross-border sharing of information in a manner that would undermine trust in secure communications and infringe on international human rights standards, including the requirements for prior judicial authorization and the principles of legality, non discrimination, legitimate purpose, necessity, and proportionality;
  • Permits excessive information sharing for law enforcement cooperation, beyond the scope of specific criminal investigations and without specific, explicit data protection and human rights safeguards.

The Convention should only move forward if it pursues a specific goal of combating cybercrime without endangering the human rights and fundamental freedoms of those it seeks to protect nor undermining efforts to improve cybersecurity for an open internet. The present draft text falls far short of this goal and these basic minimum requirements, and must be comprehensively revised, amended, or rejected.

Therefore, we call on all state delegations to:

  • Narrow the scope of the whole Convention to cyber-dependent crimes specifically defined and included in its text;
  • Make certain the Convention includes provisions to ensure that security researchers, whistleblowers, journalists, and human rights defenders are not prosecuted for their legitimate activities and that other public interest activities are protected;
  • Guarantee that explicit data protection and human rights standards – including the principles of non-discrimination, legality, legitimate purpose, necessity and proportionality – are applicable to the whole Convention. Specific, explicit safeguards, such as the principle of prior judicial authorization, must be put in place for accessing or sharing data, as well as for conducting cross-border investigations and cooperation in accordance with the rule of law;
  • Mainstream gender across the Convention as a whole and throughout each article in efforts to prevent and combat cybercrime;
  • Limit the scope of application of procedural measures and international cooperation to the cyber-dependent crimes established in the criminalization chapter of the Convention;
  •  Avoid endorsing any surveillance provision that can be abused to undermine cybersecurity and encryption.

As the UN Ad Hoc Committee convenes its concluding session, we call on state delegations to redouble their efforts to address these critical gaps in the current draft. The final outcome of the treaty negotiation process should only be deemed acceptable if it effectively incorporates strong and meaningful safeguards to protect human rights, ensures legal clarity for fairness and due process, and fosters international cooperation under the rule of law. The proposed Convention must not serve as a validation of intrusion and surveillance practices harmful to human rights. 

Absent these minimum requirements, we call on state delegations to reject the draft treaty and not advance it to the UN General Assembly for adoption.

Signatories

NGOs participating under operative paragraphs 8 or 9

  • Access Now 
  • Association for Progressive Communications (APC)
  • ARTICLE 19
  • Center for Democracy and Technology
  • CyberPeace Institute
  • Data Privacy Brasil
  • Derechos Digitales
  • Electronic Frontier Foundation
  • Freedom House
  • Global Partners Digital
  • Hiperderecho
  • Human Rights Watch
  • Instituto Panamericano de Derecho y Tecnologia (IPANDETEC)
  • International Commission of Jurists (ICJ)
  • Jokkolabs Banjul
  • Jonction – Senegal
  • Kenya ICT Action Network (KICTANet)
  • Privacy International
  • R3D: Red en Defensa de los Derechos Digitales
  • Temple University, Institute for Law, Innovation & Technology (iLIT)

Additional signatories supporting the statement

  • 7amleh – The Arab Center for the Advancement of Social Media
  • ActiveWatch
  • Advocacy for Principled Action in Government
  • Afghanistan Journalists Center (AFJC)
  • Africa Freedom of Information Centre (AFIC)
  • AfroLeadership
  • Albanian Media Institute
  • Alliance of Independent Journalists Indonesia (AJI)
  • Alternatif Bilisim (AiA-Alternative Informatics Association)
  • Alternative ASEAN Network on Burma (ALTSEAN)
  • Bahrain Center for Human Rights
  • Bangladesh NGOs Network for Radio & Communication (BNNRC) 
  • BC Civil Liberties Association (BCCLA)
  • Bytes for All
  • Cambodian Center for Human Rights (CCHR)
  • Cambodian Center for Independent Media (CCIM)
  • Cartoonists Rights Network International
  • Center for Media Freedom and Responsibility
  • Centre for Feminist Foreign Policy (CFFP)
  • Centre for Free Expression (CFE)
  • Centre for Information Technology and Development (CITAD)
  • Centre for Independent Journalism (Malaysia)
  • Chaos Computer Club (CCC)
  • Committee to Protect Journalists
  • Douwe Korff, Emeritus Professor of International Law, London Metropolitan University
  • Digital Empowerment Foundation 
  • DigitalReach
  • Digital Rights Foundation
  • Digital Rights Ireland
  • Digitale Gesellschaft
  • Electronic Privacy Information Center (EPIC)
  • Epicenter.works – for digital rights
  • European Center for Not-for-Profit Law (ECNL)
  • European Digital Rights (EDRi)
  • European Summer School in Internet Governance (EURO-SSIG)
  • Federation of Nepali Journalists
  • Foundation for Media Alternatives
  • Fundación Karisma
  • Fundación Internet Bolivia
  • Foundation for Information Policy Research
  • Freedom Forum, Nepal
  • Free Media Movement – Sri Lanka
  • Globe International Center
  • Government Information Watch
  • Gulf Center for Human Rights (GCHR)
  • Human Rights Network for Journalists-Uganda (HRNJ-U)
  • IFoX (Initiative for Freedom of Expression–Turkey)
  • Independent Journalism Center Moldova
  • International Civil Liberties Monitoring Group (ICLMG)
  • International Federation of Human Rights (FIDH)
  • International Press Institute (IPI)
  • International Press Centre (IPC) Lagos-Nigeria
  • Institute for Research on Internet and Society (IRIS)
  • Instituto de Pesquisa em Direito e Tecnologia do Recife – IP.rec
  • Instituto Nupef
  • IT-Pol Denmark
  • Japan Comuter Access Network (JCA-NET)
  • Korean Progressive Network Center – Jinbonet
  • Laboratory of Public Policy and Internet – LAPIN
  • LaLibre.net Tecnologías Comunitarias
  • Ligue des droits de l’Homme (LDH)
  • Maharat Foundation
  • Media Foundation for West Africa (MFWA)
  • Media Rights Agenda (MRA)
  • Media Institute of Southern Africa (MISA)
  • Media Policy Institute
  • Media Watch
  • Metamorphosis Foundation
  • Mizzima
  • OpenMedia
  • Pakistan Press Foundation
  • Palestinian Center for Development & Media Freedoms (MADA)
  • Paradigm Initiative (PIN)
  • PEN International
  • Restore the Fourth
  • Social Media Exchange (SMEX)
  • SocialTIC
  • South East Europe Media Organisation (SEEMO)
  • South East European Network for Professionalization of Media (SEENPM)
  • Southeast Asia Freedom of Expression Network (SAFEnet)
  • Statewatch
  • Surveillance Resistance Lab
  • Surveillance Technology Oversight Project (STOP)
  • Syrian Center for Media and Freedom of Expression
  • TEDIC
  • The Tor Project
  • Unwanted Witness
  • Valerie Steeves, Full Professor, Department of Criminology, University of Ottawa
  • Vigilance for Democracy and the Civic State
  • Wolfgang Kleinwaechter, Professor Emeritus, University of Aarhus, former ICANN Board Member