Dozens of countries signed a United Nations anti-cybercrime agreement on Saturday, moving the accord forward despite concerns from U.S. businesses and human-rights groups about its unintended consequences.
Seventy-two nations signed the UN Convention against Cybercrime, the first global agreement that governs how countries exchange digital evidence to investigate cyberattacks. The convention is also the first to globally criminalize cyber-related offenses, including online fraud, child sexual abuse and non-consensual distribution of intimate imagery.
At a signing ceremony held in Hanoi, Vietnam, UN Secretary-General António Guterres called the document “a powerful, legally binding instrument to strengthen our collective defenses against cybercrime.”
The convention will create a global cooperation network to help countries request investigative support from other countries. It also encourages UN member states to expand their cyberattack investigation capacities.
The difficulty that countries have had exchanging evidence about cyberattacks “has long been a major obstacle to justice,” Guterres said, “with perpetrators in one country, victims in another, and data stored in a third.” He hailed the new agreement for creating “a clear pathway for investigators and prosecutors to finally overcome this barrier.”
Controversial history
Many Western countries are already members of a similar international agreement, the Budapest Convention on Cybercrime, but Russia and China objected to that partnership and pushed for a new one. Their pitch for a UN agreement drew support from Iran, Syria and Venezuela and opposition from the U.S. and the European Union. After years of discussion and drafting led to a final product in 2024, the U.S. decided to sign the document to maintain influence over its implementation.
Human-rights organizations have fiercely criticized the convention, saying authoritarian nations will weaponize its vague provisions to crack down on opposition.
“Many governments criminalize activities protected by international human rights law and impose sentences that would make them ‘serious offenses’ under this framework, such as criticism of the government, peaceful protest, same-sex relationships, investigative journalism, and whistleblowing,” more than a dozen human-rights groups said in a joint statement prior to the signing ceremony.
Some tech companies share those concerns. In comments submitted to the negotiating committee in 2024, Microsoft warned that the document as drafted would “weaken human rights online and will put individuals at greater risk of being prosecuted for exercising their digital rights.”
Cybersecurity experts have also raised concerns about the convention’s blanket prohibition on unauthorized access to computer systems, which could criminalize the kind of good-faith security research that is essential to revealing dangerous vulnerabilities. As six Senate Democrats noted in a letter to Biden administration officials last October, the Justice Department was so concerned about discouraging good-faith research activities that it adjusted its approach to interpreting a similar U.S. law.
Microsoft also objected to the language criminalizing unauthorized access, telling the drafting committee that the measure would “weaken global cybersecurity by compromising critical security measures and criminalizing practices that secure the digital ecosystem.”
In remarks to a UN committee last November, a Biden administration official acknowledged these and other concerns and said “implementation of Convention provisions, including those on procedural measures, must be paired with robust domestic safeguards, oversight, investments in capacity-building and strong rule-of-law institutions.”
Signatories to the convention must still ratify the agreement domestically before they are obliged to comply with its provisions. The convention will take effect after 40 countries ratify it.
