In the image
Security alert [Elchinator]
The United Nations Convention against Cybercrime, adopted in 2024, is the first global treaty aimed at addressing cybercrime. The Convention was born due to the necessity that this world is facing with the rise and transformation that the Information and Communication Technology (ICT) is imposing on us. Along with the benefits of a more interconnected world that transformed communication, economy and pivotal fields of our lives, new opportunities for criminals to exploit technology and sensitive data arose.
The fight against cybercrime is internationally addressed by the treaty adopted by the General Assembly of the United Nations in December 2024 (hereinafter, the Convention). The term cybercrime is used as a general umbrella to define two categories, cyber-enabled and cyber-dependent crimes. The first ones are those crimes that are enhanced using ICT (e.g. drug trafficking), the second ones are those crimes that can be committed only through the use of ICT (e.g. spreading a malware).
Cybercrime is inherently transnational and poses a global threat that requires cooperation from all affected countries. It suffices to recall that, for example, in the past five years it is estimated that romance scams costed individual victims at least 1.3 billion dollars. This shows the harsh reality of cybercrime, and one of the main difficulties that it imposes is its transnational nature, which makes it hard for States to be able to pursue it correctly. Operating anonymously through digital networks allows criminals to maintain their identity. And while they are hiding behind a screen, they are able to harm business, ICT systems, and financial assets. Therefore, the paradox is that if on one hand criminals are safeguarded by the transnationality of the systems, law enforcement must act following legal guidelines.
Another significant challenge that cybercrime imposes is the digital evidence problem. Evidence is collected electronically and distributed across every country’s jurisdiction. The problem that is caused by this is the fact that “national law enforcement has to confront borderless crime within territorial boundaries.” Furthermore, the legal gaps among the states affected are exploited by the criminals to create safe heavens. These safe heavens exist where the legal frameworks are non-existent or incorrectly applied among different states. The discrepancies that are created by the challenges imposed by cybercrime require effective responsiveness of strong international cooperation between states.
Aims of the Convention
The Convention against cybercrime was created specifically for the purpose of strengthening the collaboration among states. It provides states with measures that can be taken to prevent and act against cybercrime. It strengthens cooperation and increases the sharing of information of electronic evidence. The Convention contains 9 chapters providing an approach to prevent and combat cybercrime.
More specifically, the application of the Convention and its aims are two-pronged. The first concerns the offences defined within the Convention itself: Articles 7–17 establish a framework for criminalizing various forms of cybercrime, directly shaping how states classify and prosecute these offences. The second prong is represented by those provisions on electronic evidence sharing of Chapter IV of the Convention (“Procedural measures and law enforcement”), which establishes a set of procedural powers designed to enable national authorities to access electronic data in the context of criminal investigations. From Article 23 onwards, states are placed under an obligation to adopt legislative measures authorizing the use of these instruments, reflecting a clear intention to achieve functional harmonization across domestic legal systems. However, the most controversial aspect, as will be discussed below, lies in Article 23, paragraph 2, which extends the scope of application of these measures beyond the offences specifically defined in the Convention. These powers apply not only to cybercrime offences in the strict sense, but also to any offence committed through information and communication technologies, and even to any criminal offence for which the obtaining of electronic evidence is necessary.
Moreover, under Chapter V, State parties will cooperate in evidence sharing for both the offences typified in the Convention and other “serious crimes.” This approach will relieve the governments from the problems created by the differences in the electronic evidence of each jurisdiction.
The convention is built on several pillars. The first pillar is criminalization: it establishes the definitions of cybercrime, with the aim of homologizing how these offences are understood by different States and how they will be penalized. On the second argument, the Convention focuses on jurisdiction, where it is clarified when States have jurisdiction over these matters. It in fact says that a State has jurisdiction if the crime happens in its territory or on one of its ships or aircrafts. Moreover, the Convention focuses on international cooperation, founded on legal assistance and joint investigations through a 24/7 cooperation network.
Finally, it addresses the topics of prevention, technical assistance and the implementation in the countries. The Convention results effective because the mechanisms used address the critical problems of cybercrime, which are the transnationality of it and the discrepancies in the legal frameworks of varying countries.
Human rights concerns
Having said that, while the Convention is much needed to strengthen international cooperation over this difficult challenge, its enforcement may be restricted by concerns over the respect of human rights in authoritative states. In particular, a relevant question arises to whether the adoption of this Convention will endanger basic human rights.
Many of the problems connected to human rights arise from the creation of the treaty itself. The convention, in fact, was shaped by political disagreement and in order to put it into force all the discrepancies between countries had to be dealt with by compromise. This resulted in an inconsistent treaty, where some parts are unclear and contradictory. For example, the convention should apply to what is defined as “serious crime,” but the definition of it is very broad and different for every country. This creates ambiguity regarding the informality and definition of it across states.
The result that this ambiguity creates is putting at risks the human rights defenders and journalists. This danger is built on many assumptions. First, states are granted excessive powers, they are allowed access to personal data with no human rights safeguarded for them. They in fact make no reference to principles of proportionality, necessity and legality. This can lead to human rights violations for every citizen, but more so for the people working in the frontline of news as well as activists that are fighting for human rights.
Secondly, the main issue of the convention lies in the differences in the states that are part of it. Many states lack the adequate protection of human rights and by ratifying the convention they are not recognizing any of them. The main problem of this stems from the model put in place in all countries, the Mutually Legal Assistance Treaties (MLAT), which require the cooperation of the states in pursuing any “serious” crime. The concept of the agreement is fundamentally right and would work ideologically in a perfect world. But the risk that arises from this is that states could end up assisting the criminal investigation of other states for a crime that is wrongly prosecuted in another jurisdiction. The effect of this is enormously more negative in authoritative countries, where the investigation of an independent journalist or of someone who is trying to uphold fundamental rights is persecuted because it is against domestic law. Analyses from scholars, arguethat the convention's reliance on national legal systems for the implementation runs the risk of producing disjointed systems where the degree of protection varies greatly between nations.
A complex approach is required
In conclusion, cybercrime is a complex transnational issue that needs to be tackled by cooperation between the countries affected by it. The Convention on cybercrime is only the first attempt at addressing the problems that cybercrime imposes on our society, and it was successful in providing a framework for international cooperation and enabling States to work together on this issue for the first time.
However, concerns about human rights protection need to be addressed, as these protections are different in every country and it needs to be unified on all fronts to create an effective implementation and to safeguard the rights of every citizen.
Ultimately, the effectiveness of the Convention will rely on how the regulations are implemented in each individual State and its success will depend on the balance between fighting cybercrime and protecting human rights.