► The pervasive use of emerging technologies, including the internet and ICT, has led to a rise in cybercrimes, shifting focus from individuals to government agencies, critical infrastructure, and corporations, with implications for human life and national security.

► While discussions for an Additional Protocol are ongoing, the UN passed a resolution in December 2019 to create a committee for developing a comprehensive international convention on countering the use of ICTs for criminal purposes, despite opposition.

► The drafted UN Cybercrime Convention, while sharing similarities with the Budapest Convention, differs in its emphasis on social stability, national security, and sovereignty, as opposed to seeking swift mutual legal assistance. 

► Negotiations for the UN Cybercrime Convention, started in early 2022, have covered various aspects, including criminalization and international cooperation. Still, it faced challenges such as concerns over human rights violations, disputes on scope and capacity, and the impact of the Russo-Ukraine war. 

► Concluding next year, states aim to reconcile these issues and align the treaty with international human rights obligations. 

The utilization of emerging technologies has spread to all aspects of society, opening a new space for daily life. As it has become a crucial part of modern society, the use of the Internet and information and communication technology (ICT) has become indispensable more than ever. Not only has society enjoyed the fruits of emerging technologies, but also criminals have adapted to the advanced ICT for their illicit activities. This is represented by the current statistics on cybercrimes. Not only has the number of cybercrimes increased, but the targets of the crimes have also been expanding rapidly. It is noted that the focus of cybercrime is shifting. Individuals and criminal organizations committing cybercrimes have turned their eyes from individuals and small and medium-sized businesses to government agencies, national critical infrastructure, and corporations. In addition, the damage from cybercrimes does not end with individuals’ financial damages. Rather, it has been reported to increase the number of cases where it is linked to human life and national security.

Background of International Convention on Cybercrimes

Compared to traditional and conventional crimes, transnationality features primarily in cybercrimes. It is possible for criminals to commit crimes from overseas with just a few clicks, making cybercrimes trans-border in essence. The fact that most cybercrimes are committed overseas indicates the evidence for investigation and prosecution will be located overseas as well. Sometimes it may change its locations to avoid detection or trace from the authorities. For instance, cloud computing is one of the typical methods to be exploited in cybercrimes. For these reasons, it is crucial to cooperate with foreign countries in investigating and prosecuting cybercrimes beyond the geographical jurisdiction.

From the global statistics, it is known that nearly 85% of criminal cases require digital evidence, and nearly 57% of cases require digital information to be provided by an Internet service provider located in another country. Therefore, it is assumed that more than half of criminal cases cannot be resolved through domestic investigations alone. With an emphasis on the increasing importance of ICT in daily life, the demand for international cooperation in criminal investigations is more likely to grow in the future. Convention on Cybercrime led by the Council of Europe in 2001, which is known as Budapest Convention, was concluded in this regard and adopted in 67 member States as of 2020. The Convention is an international treaty to provide a reference point for each country's legal system in response to cybercrimes and to ensure swift and smooth cooperation in the investigation of cybercrimes between countries. 20 years have passed since the Convention was signed. The Council of Europe has begun working on adopting an Additional Protocol to the Convention to reflect the societal changes. At the same time, another discussion on the adoption of a new international treaty to combat cybercrimes began at the United Nations in December 2019, led by Russia. Russia, China, North Korea, and other countries argued that a new international treaty reflecting not only the positions of the Western countries but also those of countries from the other sides is needed. It was, of course, expected that countries that adopted the Budapest Convention would not agree with this new international cybercrime treaty. However, the United Nations General Assembly passed a resolution to establish an open-ended ad hoc (AHC) committee of experts to develop a ‘comprehensive international convention on countering the use of ICTs for criminal purposes’ on December 27, 2019. This resolution was passed amid strong opposition with 79 votes in favor of the resolution to 60 votes against the resolution.

Differences in the Drafted UN Cybercrime Convention

Much of the drafted UN Cybercrime Convention contains the same contents as the Budapest Convention, including expedited preservation of stored computer data, production data, the establishment of the 24/7 network, and so forth. However, there are at least four differences compared to the Budapest Convention. First, the purpose of the Convention is different. The draft version of the UN Cybercrime Convention emphasizes the social stability, national security, and sovereignty of each member State, differing from the Budapest Convention with the purpose of seeking swift and efficient mutual legal assistance (MLA) in the investigation of cybercrimes. The statements from the Preamble and Article 3 of the draft emphasize the position that the act of cybercrimes shall be punished severely, however, the MLA for the investigation of cybercrime should not be used as a tool for intervention in the domestic affairs of other States.

Second, there is a difference in whether access to data from the computer(s) located in other states through voluntary consent is permitted. Russia has condemned Article 32 Section B in the Budapest Convention for intervention in other states’ domestic affairs. Thus, this provision is not included in the drafted UN Cybercrime Convention submitted by Russia.

Third, there is another difference in the refusal of MLA in relation to the political offense. Article 41, Paragraph 4 of the draft states that the requested State shall not refuse mutual legal assistance on the ground of political offense in case mutual legal assistance or extradition is requested for the act of crimes defined in the UN Cybercrime Convention. This provision is opposed to that of the Budapest Convention, posing potential risks of facilitating the investigation with political purposes even if the case is regarded as political oppression.

Last, the UN Cybercrime Convention has been criticized for vague terms and abstract contents of the convention. Article 9 of the drafted United Nations Cyber Crime Convention stipulates as a crime any act committed for the purpose of causing disruption to information and communication technology (ICT) activities, but the term, 'information and communication technology’, itself has a broad meaning and, what is more, it is not clear what implies in disruption to such activities. Article 16 of the drafted UN Cybercrime Convention stipulates the punishment for the act of publication of data which includes the State’s secret of other State(s) through ICTs. It is quite unique in that this provision criminalizes the act of disclosing 'state secrets of other member countries' by the Internet rather than punishing the leaking of one's own state (domestic) secrets through the Internet. In addition, it is stipulated that other countries' national secrets must have ‘an appropriate mark’ to indicate that they are information protected by the domestic laws of other States. However, it is ambiguous to provide precise criteria for the definitions. Relevant questions have been raised as follows: What kind of information is regarded as the State’s secret? What is the definition of ‘information protected by the domestic laws of other State(s)? What is an appropriate mark to prohibit disclosure?

What’s Next?

Negotiations on the draft of the UN Cybercrime Convention started in early 2022. The treaty roadmap has six negotiating sessions and each meeting has addressed different parts of the treaty. So far, chapters on criminalization, procedural measures, the role of law enforcement, international cooperation, technical assistance, preventive measures, and implementation have been discussed and addressed in the negotiations. It is expected that States would negotiate each provision by consensus. In case the negotiation could not be reached, two-thirds of majority voting rules would be applied. Informal working groups were established for States to discuss confronting issues from the sessions. Last August, States discussed the zero draft of the UN Cybercrime Convention in New York. However, civil society and private sectors have continuously been concerned about the potential violation of human rights in the zero draft of the Convention. Other areas of disagreement in the negotiations cover the scope of the treaty, instruments to address gaps in capacity in each Member State, gendered perspectives to the treaty, and harmonization with other international instruments. Moreover, the Russo-Ukraine war was another drawback in the negotiation. Many representatives in the negotiation expressed concern about whether they could negotiate with Russia in earnest. Two weeks of negotiation in New York only reaffirmed the polarized positions toward the treaty and, thus, ended without reaching a consensus on fundamental issues. Safeguarding human rights is still subject to raise questions in the treaty, with other terminological issues and fundamental purposes. As the negotiations for the treaty are scheduled to conclude next year, States face challenges that they should work to ensure this treaty is in accordance with their international human rights obligation in the limited time.