The Proposed UN Cybercrime Treaty
Five Reasons to Reconsider the Approach to Transnational Cybercrimes
Problems in elaborating a “Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes”
Jay Albanese, Ph.D.
Criminologists Without Borders
www.criminologistswithoutborders.org
January 2023
Member States of the United Nations have begun treaty negotiations that build on longstanding efforts to create the boundaries and procedures for defining, cooperating on, and responding to cybersecurity issues and cybercrime, which often occur transnationally. The proposed UN effort is significant because it would be a binding global instrument. There appear to be five reasons why the proposed UN Cybercrime Treaty requires additional careful thought in its negotiation. These are outlined briefly here.
1. The Title of the proposed convention is misleading
The title of the proposed Convention currently under negotiation by the United Nations is misleading (“Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes”), because every crime of fraud (cyber or not), for example, involves the misuse of information, and many crimes of all kinds involve the misuse of communications technologies for criminal purposes. If it is a cybercrime agreement, why not say so, rather than leaving the world to scratch its head about what it means, and why it should care? The proposed agreement title is at once both too narrow and too broad.
2. Why a Convention, instead of a Protocol to the UNTOC?
“Cybercrime” involves a specific category of offenses, similar to the existing UN protocols on trafficking in persons, smuggling of migrants, and illicit firearms manufacturing and trafficking. It is more appropriate to consider cybercrime as a new Protocol, rather than a new UN Convention, because it is unlike the very broad substantive areas of Transnational Organized Crime (UNTOC Convention, 2003) and Corruption (UNCAC Convention, 2005), which encompass much larger numbers of offenses (which are mostly not specified in the UNTOC and UNCAC). Because there are only three existing protocols to the UNTOC in its first 20 years, and only wildlife crime is currently being considered as a possible fourth protocol, it cannot be said that there will be large numbers of new protocols unleashed by considering a new Protocol for cybercrime.
3. The Provisions of a new cybercrime convention would be essentially the same as prior conventions.
The current negotiations around a proposed cybercrime convention look nearly identical to the elements of the prior UNODC Conventions.
General provisions
Preventive measures
Criminalization and law enforcement
International cooperation
Asset recovery
Technical assistance and information exchange
Mechanisms for implementation
The content of these separate sections will likely be extremely similar to the earlier UNTOC and UNCAC conventions, separated only by the nature of the crime types considered. Why negotiate a separate convention which is so similar to prior efforts, when a Protocol to an existing Convention would suffice?
4. The Scope of Offenses may be too narrow?
The scope of a proposed cybercrime agreement is currently being considered, but the inclusion of largely “cyber-dependent” crimes would significantly narrow both the public and political urgency and utility of any proposed agreement. There are comparatively few crimes that are cyber-dependent (e.g., hacking, malware, spamming), but MANY crimes that can be “cyber-enabled” (e.g., phishing, fraud, counterfeiting, identity theft, money laundering, stalking, threats, child sexual abuse material). The large category of cyber-enabled crimes requires new training about the new ways in which crimes are being committed, and new kinds of international cooperation/jurisdiction that may be needed in response. On the other hand, necessary new enforcement measures and prevention approaches would be omitted if cyber-enabled crimes (by far the largest category of cybercrimes) were overlooked. For example, multiple studies have found that the largest category of cybercrime is cyber fraud. It would not make sense to exclude the largest categories of cybercrimes from the agreement.
5. A New Separate Convention and Implementation Mechanism Means Delay for Years
After more than a decade of delays, the implementation review mechanisms for the UNCAC and UNTOC are now underway. These are parallel review mechanisms: they do not rely on or interact with one another, and they result in long, overlapping, multi-year processes. Treating cybercrime in the same way would create a third UNODC Convention, bring more years of delays in negotiations about its implementation review, and add to the compliance burden on UN Member States. If enacted instead as a Protocol to the UNTOC, cybercrime could immediately join the recently initiated UNTOC review mechanism, once Member States ratified it, and a third implementation review mechanism would be avoided.
In sum, there is no reason to believe that the same impediments that have made implementation of the UNTOC and UNCAC sluggish would be avoided by a new Cybercrime Convention. Issues of reluctance to share data, cooperate internationally on investigations, collect relevant crime and justice system data, and avoid politically-motivated prosecutions all loom large. On the other hand, a new Protocol that specified its unique purpose in promoting greater international consensus in the response to specific cyber-dependent and cyber-enabled crimes could be both useful and helpful to much of the world, relying on the criminalization, law enforcement, international cooperation, and prevention principles already negotiated in the UNTOC (Organized Crime) and UNCAC (Corruption) Conventions.
* * * * * * * * * *