US absence from UN Cybercrime Treaty praised by groups over privacy abuse

The United States was absent from the more than 70 signers of the UN Convention against Cybercrime in Hanoi, Vietnam, last weekend, which was billed as a treaty that will foster international cooperation on cybercrime issues.

All the United States said on the matter officially was the following short statement from the State Department: “The United States continues to review the treaty.”

While it might appear that the U.S. lacks transparency and has isolated itself on issues such as climate change and Israel, security industry criticism came from both digital privacy advocates like the Electronic Frontier Foundation (EFF) and more mainstream security industry players.

"The EFF has long sounded the alarm about this flawed convention,” said Katitza Rodriguez, policy director for global privacy at the EFF. “We’ve urged governments not to sign the UN Cybercrime Convention. While framed as a cybercrime instrument, it creates expansive cross-border surveillance and data sharing channels without enforceable human-rights safeguards and applies far beyond cybercrime.”

Rodriguez pointed out that the convention included any offense carrying a four-year penalty, crimes that in many jurisdictions include peaceful speech, protest, journalism, or LGBTQ+ free expression. The convention also makes cooperation with all “states parties” the default, even where courts lack independence or where cybercrime laws are used to target dissent, Rodriguez noted.

“That combination risks enabling cooperation for abusive purposes and turning protected expression or association into the basis for international data handovers,” said Rodriguez.

Michael Bell, chief executive officer at Suzu Labs, said the United States has been placed in an impossible position. While the treaty attempts to solve actual problems and offer avenues for cross border evidence-sharing for ransomware and human trafficking, it also establishes a legal route for authoritarian regimes to demand data from sources they wouldn’t have otherwise, Bell said.

“All under the guise of catching criminals, but there are serious concerns about the collection of this data, and I argue that the U.S. should stay out until there are enforcement mechanisms to protect human rights and to shield legitimate security researchers,” said Bell. “Otherwise, we are legitimizing the same surveillance tactics we condemn China and Russia for using while compounding those issues by sharing that data with the international community. The real risk isn’t isolation, it’s that more than 70 countries now have a framework to compel data handovers that would bypass our constitutional protections.”

According to Lawfare, if passed by the UN General Assembly, the treaty would replace the existing international framework on cybercrime: the Budapest Convention. Adopted in 2001, the Budapest Convention has 68 signatories, including the United States and nearly all Western democracies. It’s considered pro-Western versus this new UN effort, which was first proposed by Russia in 2019 with support from Belarus, China, Iran, Syria, and Venezuela.

While more than 70 countries have signed the treaty, ratification requires 40 members nations to ratify the treaty based on their own processes.

John Bambenek, president at Bambenek Consulting, pointed out that our participation in the ceremony over the weekend in Vietnam — yet not signing — was a way to walk a middle ground.

“Unlike climate change, this treaty has broad criticism in the free world,” said Bambenek. “The UK was dragging its feet on it, too. Strictly speaking, we haven’t said ‘no,’ just ‘not at this time,’ so the door has been left open. With the growing chorus of human rights groups and technology companies that operate in the free world lining up in opposition, I’m not sure that the United States will truly be isolated if we ultimately choose not to be a signatory.”