Open letter to the Chair of the Ad Hoc Committee on Cybercrime
February 8, 2024
Your Excellency,
Our organizations – spanning civil society, industry, and the technical community – wish to urgently draw
your attention to critical flaws in the latest draft of the UN cybercrime treaty. While we have diverse
perspectives and often do not agree on a range of other policy issues, we share profound concerns over
these critical shortcomings. As members of the multistakeholder community we could only support
developing a treaty that would effectively address cybercrime and foster international cooperation in
accordance with international human rights law and the rule of law in general. While we understand that
the text is an attempt to synthesize the views of negotiating states, the result is a draft treaty that would
make cyberspace less secure for everyone. The organizations signing this letter, who come from across
the multistakeholder community, are deeply concerned by the adoption of such a flawed treaty without
major changes.
Serious flaws of the latest draft include an unclear and overly broad scope, vague criminalization
provisions and definitions, lack of meaningful human rights safeguards and effective gender
mainstreaming, missing protections for good-faith cybersecurity researchers and others acting in the
public interest, and overly broad provisions for real-time interception of content and traffic data that go far
beyond what can reasonably be justified to fight cybercrime.
Particularly concerning is that the draft treaty authorizes states to conduct intrusive cross-border data
collection without prior judicial authorization, without oversight, and in secrecy. Service providers would be
unable to notify users or inform anyone about data collection being ordered. Civil society and individuals
would not know when their data is being accessed, making it impossible for them to challenge arbitrary
requests and protect their privacy. Given these flaws, this process is at real risk of producing an
instrument that can be used to conduct broad data collection on a global scale under the guise of fighting
cybercrime.
If adopted without major changes – changes we have consistently advocated for throughout the process –
the risks of this treaty far outweigh its potential benefits. Notably, some elements of the treaty do not
include any human rights safeguards at all, while other provisions would allow states considerable latitude
to implement these safeguards. Allowing individual states to arbitrarily define what activities fall under the
treaty’s scope would also inevitably lead to human rights violations and criminalize legitimate activity.
Individuals, including political dissidents, journalists, human rights defenders, and those at risk of
discrimination on the basis of their personal characteristics would face the risk of being subjected to
investigations leveraging the procedural measures of this proposed treaty without notice, potentially
resulting in extradition and prosecution for exercising fundamental human rights while using digital
technology. Such an outcome – facilitated by an instrument adopted by the UN General Assembly –
would damage UN credibility and legitimize state behavior that undermines the rule of law while eroding
respect for human rights
To make matters worse, the proposed treaty would weaken global cybersecurity and make both
individuals and institutions less safe and more vulnerable to cybercrime, thereby undermining its very
purpose. Expansive concepts of what activity may be subject to this treaty – and its significant procedural
powers – create an unpredictable legal environment that will discourage critical security research. It may