Part 1: Strengths and weaknesses of the new UN cybercrime convention

On 8 August 2024, the draft text of the UN Convention Against Cybercrime was finalised. This has real implications for cybersecurity standards and resilience around the world – so we asked Betania Allo (Founder and Principal Consultant, BA Cyber Law & Policy) to tell us more about it. 

Betania Allo (Founder and Principal Consultant, BA Cyber Law & Policy) is globally recognised as a policy leader and expert in cyber law. She offers strategic counsel to clients around the world, guiding them on complex cybersecurity challenges and helping them understand the latest policy developments. 

And she’s had this UN convention on her radar for a while now. 

“After completing my law degree and gaining significant work experience in government in Argentina, I decided to move to the United States to further my education in International Relations,” Betania said. 

“I enrolled at Harvard, where the limitless opportunities and inspiring connections allowed me to explore various intersections of law, policy, and technology. This environment sparked my interest in adopting a more hands-on approach to technology, particularly in how it could be integrated into my legal and policy career.” 

“My journey then led me to Syracuse University, where I pursued a Master of Laws with a focus on cybersecurity.” 

It was during that time, in 2019, when she first heard about the beginnings of a UN convention against cybercrime. 

Why did it interest you so much?  

“In the fall of 2019, the UN General Assembly passed Resolution 74/247 which laid the groundwork for an international convention to combat cybercrime. 

“While the US, EU, and some human rights organisations supported the general goal of addressing cybercrime, they expressed concerns that the new convention could undermine the Budapest Convention, which had already established a comprehensive international framework for cybercrime cooperation. 

“Shortly after, an Ad Hoc Committee was established to draft a Comprehensive International Convention on Countering the Use of Information and Communications Technologies (ICT) for Criminal Purposes. 

“My interest in this convention was fueled by a deep passion both inside and outside the classroom. I vividly recall travelling to New York City for the day to network and engage with key stakeholders, demonstrating my commitment to contributing to the global cybersecurity landscape. 

“Although I was not directly involved in the convention's drafting, I secured a position at the UN working on ICT and Counter-Terrorism, which allowed me to remain closely connected to the developments in this field. I followed as many drafting sessions as I could virtually and believe me, I made efforts to engage with organisations I later became affiliated with, all in hopes of securing a role as a stakeholder in this groundbreaking initiative. I think my experience underscores my passion for shaping the future of international cybersecurity law and policy.” 

What sets this new UN Convention apart from existing cybersecurity standards and agreements?  

“The new UN Cybercrime Convention stands apart from previous agreements, such as the Budapest Convention on Cybercrime, by addressing significant gaps in global cybercrime cooperation. 

“While the Budapest Convention (adopted by the Council of Europe in 2001) was a pioneering treaty tackling internet and computer-related crimes, its limitations have become evident over time. The Budapest Convention’s European focus and lack of universal adoption left substantial gaps, particularly as cyber threats evolved dramatically. Also, the Budapest Convention faced criticism for being Eurocentric and not inclusive in its drafting process, particularly from countries in the Global South. 

“I often emphasise that if a voice isn't present at the table, their interests will inevitably be overlooked. The new UN Convention seeks to remedy these shortcomings by providing a more inclusive and globally representative framework, better suited to today’s cybersecurity challenges. 

“It also sets itself apart by being more comprehensive and adaptable than previous agreements, with a strong focus on international cooperation and human rights (despite the criticism). I think it represents a significant step forward in the global effort to combat cybercrime in a rapidly changing digital world.”

Do you think it has any key weak points that need to be addressed to make it a truly valuable document for the progression of cybersecurity and international collaboration?  

“Balancing the imperative to combat cybercrime with the protection of fundamental human rights presents a complex challenge. A primary concern is the potential for authoritarian regimes to leverage the convention’s provisions to suppress dissent and infringe upon civil liberties. 

“The inclusion of broad surveillance powers, such as those outlined in Articles 28 to 30, without stringent safeguards, raises the issue of mass surveillance and the erosion of privacy rights. Moreover, the lack of transparency and accountability in the handling of electronic evidence could facilitate the misuse of personal data. 

“Of particular concern are the clauses permitting states to compel service providers to maintain secrecy regarding surveillance activities. This could embolden repressive governments to target journalists, activists, and political opponents without fear of public scrutiny. The convention's overall weakening of human rights protections, particularly in the criminalisation articles, further exacerbates these concerns. 

“To realise its full potential, the convention must undergo substantial revisions. This will likely include discussions around explicit protections for freedom of expression, privacy, and dissent. Implementing robust oversight mechanisms for surveillance activities, such as mandatory judicial approval and transparency requirements, is essential to prevent abuse. 

“Additionally, safeguarding the rights of journalists, whistleblowers, and security researchers through specific protections is crucial to preserving a free and open internet. 

“States, however, have a critical opportunity during the ratification process to implement necessary safeguards. They can incorporate explicit human rights protections into their national laws as they ratify the Convention. In addition, states can introduce independent review bodies to monitor the implementation of the Convention at the national level. These bodies would oversee the legality and necessity of surveillance activities, ensuring compliance with both domestic laws and international human rights standards. 

“At the international level, the United Nations could establish new offices or agencies to facilitate implementation and provide technical guidance to Member States. In my view, broadening the mandate to a more focused role of already existing offices or programmes is a more practical and efficient approach to help ensure that the Convention is not used to violate human rights. 

“The ratification process also provides an opportunity for states to engage civil society and stakeholders actively. By involving these groups in the implementation process and maintaining ongoing dialogue, states can ensure that the voices of those most at risk are heard and that any potential issues are addressed early. 

“Fostering international cooperation while ensuring equitable participation from all nations, particularly developing countries, is another critical step. Providing technical assistance and capacity building can help bridge the digital divide and prevent the convention from being used as a tool for digital imperialism. Finally, clarifying and standardising definitions of cybercrime is essential to prevent the arbitrary application of laws and to protect innocent individuals from prosecution. While the convention makes significant strides, it does not entirely resolve the complexities associated with this challenge.”

Do you think that UN Member States will embrace this convention – and if you do, why?  

“I really hope so! It would be a significant milestone. For the non-legal readers, it’s worth noting that the ratification by UN Member States is not automatic. The convention must first be submitted to the General Assembly to be made official (the text circulating is the draft from the Ad Hoc Committee, A/AC.291/L.15), after which each state will individually decide whether to ratify it based on their unique legal and political landscapes. 

“The ratification process usually involves approval by national legislators or executives, and only after this can the convention’s provisions become legally binding within a state’s jurisdiction. In my opinion, non-compliance would hardly cause direct sanctions, yet, it could lead to diplomatic pressures. Here, the involvement of civil society organisations, the private sector, and other stakeholders will be vital in advocating for ratification, shaping national implementations, and monitoring compliance to ensure adherence to the convention's principles. 

“When a large number of states ratify the Convention and harmonise their laws with its provisions, it creates a more consistent and unified legal framework across borders. This uniformity is essential for addressing the transnational nature of cybercrime, as it facilitates smoother collaboration in investigations, evidence sharing, and prosecution between countries. 

“And on top of that, it reduces the legal and procedural discrepancies that cybercriminals could exploit to evade justice. So the more Member States that ratify it and adapt their local legislation accordingly, the more significant the milestone for the Convention.” 

Read Part 2 to find out how this new convention aligns with existing cybersecurity agreements, and how we can measure the success of the convention when Member States must develop their own local regulations. 

Thanks to Betania Allo at BA Cyber Law & Policy. Join us at Black Hat MEA 2024 to discover the latest developments in international cybersecurity standards.