The UN Cybercrime Treaty: A Pandora’s Box for Human Rights?

Author: Sarisha Harikrishna

March 6, 2025

Background

The birth and consequent flourishing of the digital age have ushered in an era of efficiency, connectivity, and innovation. However, the rapid advancement of technology has brought about a wave of cybercrime that now threatens state actors, such as government and law enforcement agencies, and non-state actors, including private corporations, NGOs, and international organisations. Cyber-attacks' impact on different actors is as intricate as it is complex, with malicious incentives from autonomous individuals or groups stemming from five themes: physical, economic, psychological, reputational, and societal. Perpetrators of cybercrime pose a particular kind of threat by manoeuvring across national borders undetected, which presents immeasurable dangers to human rights.

Cybercrime's broad and unquantifiable nature can severely impact human safety, violating the fundamental right to life and security due to the lack of precise enforcement mechanisms under state and international law. For example, in 2017, the WannaCry ransomware attack spread to over 150 countries, with victims that included the National Health Service (NHS) in the United Kingdom, which led to approximately 6,900 cancelled appointments. The consequences of the WannaCry attack included the disruption of critical healthcare services provided by the NHS, resulting in hospitals turning away emergency patients, and approximately £92 million in costs.

Cybercrime can also have devastating economic consequences due to phishing scams, ransomware, and theft, which can, amongst other things, rob individuals of their retirement savings. Additionally, victims of cyber harassment, cyberstalking, and hate speech are unfortunately burdened with lasting effects that can result in ongoing mental health issues, including anxiety, panic disorders, and isolation. 

The reputational harm caused by cybercrime can also lead groups to lose funding and stakeholder trust due to data breaches, while regular civilians may suffer identity theft, financial fraud, and public exposure of sensitive information. For example, A 2019 data leak in Germany impacted or threatened the European Parliament, journalists, artists, and governments, including around 100 politicians. Cybercrime can destabilise societies and jeopardise democratic rights with disinformation campaigns or those looking to advance their political agenda. In our modern world, social and mainstream media manipulate populations and individuals seeking refuge in like-minded groups. 

Multiple groups and individuals are now more vulnerable than ever to being the victims of attacks online. A study from Malwarebytes, a leader in cyber protection, showed that people from lower socio-economic statuses are more vulnerable and have fewer resources available to them to recognise cybercrimes and respond effectively after the fact. Additionally, 79% of women tended to be the target of attacks compared to men and reported that they continually felt unsafe online. Statistics have also showcased a trend where the Black, Indigenous, and People of Colour (BIPOC) community were 45% more likely to be victims of calculated spiteful rhetoric. Attacks on the aforementioned communities have created a generation of movements to address the downside of the information era, one of which is the idea behind the UN Cybercrime Treaty. 

The UN Cybercrime Treaty has been criticised as a Pandora's Box, opening a gateway to unforeseen consequences that threaten human rights. For example, the implementation of the treaty has been feared to be a tool to justify censorship, arrest journalists, and monitor activists under the pretext of national security, specifically in nations like Russia and China. Unfortunately, the undefined terms within the treaty allow governments to criminalise online activities. Articles 7, 8, and 10 outlaws unauthorised access to systems and data, which governments can use to punish journalists and whistleblowers. As an example, Hong Kong's cyber laws have been used to arrest pro-democracy figures and silence dissidents, profoundly impacting civil liberties in the region. With digital freedoms hanging on a thin thread, the world must ask: Is the UN Cybercrime Treaty an effective shield against injustice or a poorly worded agreement that erodes human rights?

Human Rights Concerns

On August 9, 2024, Executive Director Ghada Waly stated in a  United Nations Office on Drugs and Crime (UNODC) press release, "The finalisation of this Convention is a landmark step as the first multilateral anti-crime treaty in over 20 years and the first UN Convention against Cybercrime at a time when threats in cyberspace are growing rapidly." However, on one side, the UN Cybercrime Treaty has been hailed as a landmark step, and on the other, widely criticised for its multiple legal inadequacies. The main concern is with Article 6(2) of the treaty, which fails to provide adequate safeguards to ensure complete protection of global human rights. Article 6(2) states, "Nothing in this Convention shall be interpreted as permitting the suppression of human rights or fundamental freedoms." The article's two main failures are its broad generalisation and lack of recognition of key human liberties, including equality and non-discrimination, alongside applicable oversight mechanisms.

Despite equality and non-discrimination being fundamental human rights, its omission from the list of protected liberties enshrined under this article paints a bleak reality of the UN Cybercrime Treaty being a trustworthy tool to combat worldwide criminal cyber activity. There are currently no regulatory mechanisms in place to prevent human rights abuses or state overreach in the treaty. Cybercrime can include a wide range of offences, from the micro level, such as cyberstalking, to the macro level, such as state-sponsored cyber espionage, crime, terrorism, or warfare. 

Article 6(1) of the Treaty is also drafted in a hazardous manner, as it allows states that have not ratified other human rights conventions—but are part of the Cybercrime Convention—to act in accordance with the convention without being obligated by international human rights laws. Therefore, countries can justify overriding human rights in response to national security while enforcing censorship and arrests under the treaty.

Another human rights issue is the treaty's ability to provide loopholes for cybercrime activities to go unchecked. For example, the document's ambiguous definitions of cyber offences enable authoritarian regimes to institute laws and facilitate mass surveillance without accountability. Additionally, inadequate cross-border cooperation mechanisms could allow cybercriminals to exploit jurisdictional gaps to help evade criminal proceedings. These jurisdictional gaps include differing cybercrime laws, limited extradition agreements, data protection conflicts, and slow Mutual Legal Assistance Treaties (MLATs). The poor drafting of the UN Cybercrime Treaty demonstrates that a minimum threshold for activities constituting a cybercrime has not been established, illustrating a problematic line that Member States need to walk in upholding national and international justice. 

Moreover, arbitrarily drafted treaties, like the UN Cybercrime legislation, pose a significant risk to protecting freedom of expression. For example, a broad interpretation of laws that criminalise the spreading of "false information" can be used to target legitimate free speech. The right to freedom of expression is enshrined in Article 19 of the Universal Declaration of Human Rights (UDHR). However, in recent years, political attacks have become widespread in countries that undermine citizens' right to freedom of expression. Therefore, human rights organisations have stated that the same violation of liberties may occur with ratifying the recent UN Cybercrime Treaty. Comments or critiques about a head of state or government may be penalised under the broad provisions of the treaty. The ratification of this document would inevitably lead to a new era of international legal uncertainty.

Chapter IV, Article 24 of the UN Cybercrime Convention weakens the safeguards within the Chapter on Procedural Measures and Law Enforcement by failing to establish critical international standards, instead allowing governments broad discretion in how they implement the treaty. Therefore, this will prove a significant problem as it offers a broad margin of appreciation to Member States to determine the relevant strategies of safety in cases of cybercrime activities. Offering a significantly large margin for states is highly problematic, as the courts of law may not be able to properly appreciate the different nuances in such cases and come to a just decision. Additionally, Article 24 is flawed as it only mentions proportionality as a safeguard and disregards the important principles of legality and necessity. Legality and necessity are internationally mandated thresholds in order to restrict a right—these measures are in place to ensure that restriction is proportional and does not undermine freedoms.

States Pushback Against Treaty Provisions

In recent discussions on the different aspects of the Cybercrime Treaty, various countries have disapproved of certain provisions, including the United States and the European Union, as they felt that the Budapest Convention was sufficient in addressing cybercrime. Russia and China have also had concerns over state sovereignty. Iran proposed to remove Article 6(2) of the Treaty, the clause explicitly stating that nothing in the convention shall be construed as condoning the suppression of human rights. Removing this provision would ensure that states would have the right to weaponise the treaty to advance their agendas and allow governments to justify repressive laws without being accountable to the international community.  

The appalling facet of this proposal to remove the provision is the fact that 23 other countries, including Jordan, India, and Sudan, supported Iran, while countries such as China and Turkey abstained from casting their vote. This disagreement around the provisions of the treaty shows the deep divide between countries in upholding the law. The implications of the divide indicate a lack of state collaboration regarding cybercrime, which, in turn, leads to the undermining of global cooperation. The disparity between nations could lead to inequitable enforcement, with states exploiting loopholes. An increased risk of overreach could also lead to the severe suppression or punishment of freedom of expression. 

Suggested Reforms

After reviewing the issues of the Cybercrime Treaty, it is essential to ensure safeguards such as compulsory judicial reviews, explicit protection for encryption use, and an express exemption clause outlining the non-applicability of measures under the convention to journalists and dissidents in order to protect human rights. 

The ambiguity of Articles 6(1), 6(2), and 24 of the treaty must be clarified in order to provide proper guidelines for Member States. For example, stronger human rights protections that clearly outline narrower and more precise definitions of cybercrime and prevention against mass surveillance while ensuring transparency and inclusive negotiations would be very beneficial.

Concerning due process guarantees, Member States should ensure that legal action taken under this treaty also yields the right to legal representation, fair trial, and protection against wrongful detention. The controversial provision on proportionality enshrined under this treaty needs to be refined further to ensure that minor infractions are prevented from resulting in disproportionate treatment or punishment. 

The treaty should also contain provisions that include journalistic clauses that place a burden of proof on governments to safeguard free press and whistleblower protections, preventing cases of state-led abuse against dissidents. Establishing international cooperation protocols and multi-agency coordination should be implemented to avoid politically motivated extraditions that go against global human rights laws. The International Telecommunication Union (ITU) should also standardise digital evidence verification protocols to prevent false evidence from being put forward to justify extradition.

The International Criminal Police Organization (INTERPOL) should establish an independent process of appeals for individuals seeking to challenge politically motivated actions. The European Union Agency for Law Enforcement Cooperation (EUROPOL) 's Joint Cybercrime Action Taskforce (J-CAT) must also be involved in verifying the legitimacy of cross-border cases. Additionally, the North Atlantic Treaty Organization (NATO) should agree not to extradite individuals where cybercrime accusations have a political incentive behind them. Article 19 of the International Covenant on Civil and Political Rights (ICCPR), which guarantees the right to freedom of expression, would prove invaluable in ensuring a comprehensive and balanced interpretation of the treaty. 

Legal frameworks must ensure proportional justice and adequately distinguish between the gravity of different cybercrimes to avoid over or under-criminalisation.  At an individual level, there is also the question of whether hateful comments against someone warrant the same punishment as a cyberstalking offence, as they do not involve sustained harassment or cause a more significant degree of harm. Freedom of speech and the legal framework to protect individuals from online dangers should be considered when applying this treaty. Its future remains uncertain; however, if the UN Cybercrime Treaty goes unchecked, it might not just hunt cyber criminals—it could trap us all.

Glossary

• Ambiguity: A situation or statement that is unclear because it can be understood in more than one way

• Cybercrime Convention: The first comprehensive global treaty which provides States with a range of measures to be undertaken to prevent and combat cybercrime. It also aims to strengthen international cooperation in sharing electronic evidence for serious crimes. 

• Cyber espionage: A cyberattack that attempts to access sensitive data for economic gain, competitive advantage or political reasons

• Cyber harassment: Used to describe various forms of harassment, intimidation, abuse, or otherwise unconsented conduct that repeatedly occurs through digital means with the intent of causing someone harm or severe distress

• Cyberstalking: Using the Internet and other technologies to harass or stalk another person online

• Due process: A citizen’s fair treatment within the rules of a government’s legal system

• Extradition: The act of making someone return for trial to another country or state where they have been accused of doing something illegal

• Flourishing: Growing or developing successfully

• Intricate: With many complicated details that make something difficult to understand

• Malicious: Intended to harm or upset other people

• Margin of appreciation: An analytical tool utilized in an assessment of provisions that require balancing with other rights or need to be weighed up against other aspects of the public interest

• Member States: A country that belongs to a political, economic, or trade organization such as the European Union

• Mutual Legal Assistance Treaties (MLATs): A method of cooperation between States for obtaining assistance in the investigation or prosecution of criminal offences. 

• Phishing: A cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords

• Proportionality: The idea that a punishment for a particular crime must relate to how serious the crime is

• Ransomware: A type of malware that holds a victim’s sensitive data or device hostage, threatening to keep it locked, or worse, unless the victim pays a ransom to the attacker

• Rhetoric: Speech or writing intended to be effective and influence people

• Unfettered: Not limited by rules or any other controlling influence