
Shaping the UN Cybercrime Convention: Human Rights at a Crossroads


The United Nations Convention against Cybercrime (‘UNCC’ or the ‘Convention’) is the first UN treaty on the use and impact of technology on society, establishing a global criminal justice framework for the prevention and prosecution of cybercrime.

Despite emerging from nearly a decade of polarised negotiations, the Convention has managed to attract significant political backing, with more than 70 UN Member States from across the geopolitical spectrum signing it at the official ceremony in Hanoi in October 2025. This support has come despite, and in some respects risks obscuring, a wide range of concerns articulated by democratic countries, human rights and digital rights organisations, and tech companies throughout the negotiating process and in the lead-up to the signing. 

The Convention must be understood in a global context in which cybercrime is prevalent, alongside the use of cybercrime-related laws to expand surveillance, restrict expression, and enable forms of digital transnational repression. Also relevant to this context is the increased geopolitical contestation around multilateral authority over digital spaces, often in tension with the multistakeholder approaches that have long underpinned internet governance. These dynamics are no longer abstract. They are now beginning to play out concretely as states move from negotiation to implementation, starting with the January 2026 Session of the UNCC Ad Hoc Committee (AHC) on the Rules of Procedure for the Conference of States Parties (CoSP).

It is notable, for instance, that the United States, which has become increasingly transactional in its approach to multilateralism and is home to many leading multinational tech companies that facilitate the storage and transfer of data, was not represented at senior levels at the signing ceremony and has not indicated that it will sign the Convention. How geopolitical divisions, domestic legal traditions, and competing visions of digital governance will shape the Convention’s operation is already being tested in early implementation discussions and will continue to unfold as the treaty architecture takes shape.  

Hanoi and the Realities of State-Centric Cybercrime Governance 

First proposed by Russia in 2017 as an alternative to the Council of Europe’s Budapest Convention on Cybercrime, the UNCC was conceived from the outset as a multilateral instrument that centred state security imperatives over human rights and fundamental freedoms, including protection against harms linked to security and law-enforcement measures. Throughout the negotiating process, there were tense deliberations around efforts to expand the scope of the Convention and add human rights safeguards. Key definitions were deliberately left open-ended, deferring many of the most consequential questions to the implementation phase or to a future Supplemental Protocol, which could further expand the range of offences brought within the Convention’s scope. 

The signing ceremony in Hanoi, which was overwhelmingly state-centric, tightly choreographed, and largely detached from both the human rights impacts of cybercrime laws and their actual effectiveness in preventing or addressing cybercrime, may offer an early glimpse of how the Convention will be translated into practice. The atmosphere reinforced a troubling narrative in which freedom of expression and privacy are treated as isolated or negotiable, rather than as core protections that intersect with safety, national security, child protection, and meaningful civic participation. This imbalance was also visible in the event’s composition: government delegations, largely from interior ministries, dominated both formal proceedings and informal spaces, while civil society, academic experts, and private sector actors faced significant barriers to participation. 

The choice of Hanoi as the host city further underscored these tensions. Vietnam’s own digital regulatory trajectory, marked by strict content regulations mandating proactive monitoring, data localisation requirements, criminal liability for non-compliance, and the absence of independent oversight, illustrates how international frameworks like the UNCC can converge with, and potentially reinforce, domestic approaches that prioritise state control over transparency and accountability.  

Threats to Broader Multistakeholder Internet Governance 

The UNCC also emerges at a moment when multistakeholder models of internet governance are increasingly under strain. Over the past decade, a number of states with centralised, state-centric approaches to digital regulation have actively sought to shift key processes related to the development of internet-related standards, protocols, and norms toward intergovernmental control. Experts have noted that these efforts are part of a broader geopolitical strategy to consolidate influence over cyberspace governance, emphasising state authority over content, data flows, and surveillance. These efforts have been evident in negotiations around the Global Digital Compact, the World Summit on the Information Society (WSIS) 20-year review, and the UN’s emerging approach to artificial intelligence, where attempts to assert state primacy have increasingly challenged inclusive, consensus-based, multistakeholder decision-making processes.

The implications for multistakeholder internet governance are therefore significant. By codifying a state-centric approach at the international level, the UNCC sets precedents that represent not only a milestone in cybercrime cooperation but also a critical inflection point for the future of multilateral discussions around topics as varied as platform regulation, cross-border data sharing, cybersecurity, and AI standards, raising questions about whether collaborative approaches to tech policy will continue to be viable in a landscape increasingly shaped by transactionalism and geopolitical priorities. 

Ambiguous Cybercrime Provisions and Amplified Human Rights Risks 

Definitional clarity in law is essential to the realisation of the principles of legality, necessity, and proportionality, yet the UNCC neither clearly articulates these principles nor defines the conduct it seeks to regulate. By leaving key terms such as “cybercrime” ambiguous, the Convention defers their interpretation to domestic legal frameworks, notwithstanding the well-documented human rights abuses enabled by many existing cybercrime laws. Moreover, the absence of dual-criminality provisions and the high threshold for state parties to refuse cooperation with an investigation under Article 40 undermine safeguards present under most existing mutual legal assistance treaties (MLATs), increasing the likelihood of abuse.  

To illustrate this risk, it is worth considering the UNCC’s possible implications for the pervasive trend toward digital transnational repression. In Southeast Asia, state actors routinely target individuals, journalists, and human rights defenders, while sometimes supporting one another’s efforts to intimidate or extradite exiled dissidents. Although many attacks have occurred extralegally, emerging laws provide a formal framework that may destigmatise these practices. In Vietnam, Decree No. 147/2024/ND-CP (formerly Decree 72) imposes broad content restrictions, mandatory real identification of users, and proactive monitoring obligations for tech companies, which the Global Network Initiative (GNI) has highlighted as creating serious risks to freedom of expression and privacy by lowering the threshold for cross-border identification and targeting of critics. Similarly, in Malaysia, the Communications and Multimedia Act (CMA) and its related licensing requirements grant authorities sweeping powers to demand content removal and access private communications under vague prohibitions on ‘offensive content’ that risk being extended through cross-border cooperation to target journalists and human rights defenders. GNI has also been tracking the proposed ASEAN Guidelines on the Governance of Digital Platforms, which risk further enabling cross-border digital repression by codifying expansive definitions of illegal content and facilitating coordinated enforcement that could replicate the targeting of journalists, human rights defenders, and exiled dissidents across the region. 

Similar patterns can be observed elsewhere: in Mexico and Zambia, domestic laws allow for disproportionate surveillance and enforcement; in Pakistan, broad cybercrime provisions such as expansive amendments to the Prevention of Electronic Crimes Act have been criticised for granting unchecked powers that can be used to silence dissent and compel intermediary service providers to comply with overbroad and rights-violating government demands. In Canada, proposed regulatory frameworks like the Online Harms Act have drawn concern from civil society and rights advocates about remote government access to data and stringent takedown obligations that risk overbroad content removal and privacy infringements.  

GNI has repeatedly raised concerns about vague, expansive laws across multiple contexts, risks that the UNCC now amplifies. The Convention’s provisions create a permission structure for the extraterritorial surveillance and prosecution of human rights defenders, the pressure on tech company employees to act contrary to internationally recognised human rights obligations, and the compelled compromise of systems that protect the privacy and security of users around the world. Combined with ambiguous definitions, broad cooperation obligations, and limited procedural safeguards, these powers risk normalising practices already used to target individuals across borders, particularly in countries with weak rule of law, while undermining trust and creating structural vulnerabilities in digital ecosystems worldwide. 

Next Steps  

Human rights organisations have repeatedly warned against the UNCC due to its broad scope and weak safeguards. Several states that have signed the Convention have emphasised that their participation reflects a desire to influence its implementation rather than an endorsement of every provision. However, the first phase of implementation has already offered an early indication of the challenges ahead — particularly for meaningful multistakeholder participation in global cybercrime governance. 

Between 26 and 30 January 2026, the UNCC AHC convened to negotiate the Rules of Procedure for the Conference of States Parties. While no consensus was reached, statements by Member States made clear that securing meaningful roles for civil society, the private sector, academia, and technical experts in operationalising the treaty will be difficult. The session concluded with a proposal from Mexico, which now serves as the basis for continued negotiations. While the proposal allows non-governmental stakeholders to participate in treaty discussions and subsidiary body meetings, it does so under conditions that are, in several respects, more restrictive than those governing stakeholder participation in the Conferences of the Parties under the United Nations Convention against Transnational Organized Crime (UNTOC) and the United Nations Convention against Corruption (UNCAC). This is particularly striking given that the UNCC is a far more technically complex treaty, where meaningful participation by civil society, technical experts, and the private sector is essential to informed deliberation and effective implementation.  

Under the current draft, observership applications are valid for only a single subsequent session, opportunities for intervention are limited, and stakeholders face stringent restrictions on what they are permitted to say, including prohibitions on referencing country-specific situations under Rules 16 and 17. Given that law enforcement practices, procedural safeguards, and human rights impacts are inherently country-specific, these constraints severely limit the value of participation. For many civil society organisations and independent experts operating with limited resources, the administrative burden, uncertainty of access, and overbroad speech restrictions are likely to further deter engagement. 

Yet meaningful non-governmental participation is essential to the legitimacy and effectiveness of the Convention. Civil society, technical experts, and the private sector play a critical role in building public trust, informing evidence-based policymaking, and supporting legislators tasked with translating the UNCC into domestic law. As cybercrime governance increasingly intersects with complex and rapidly evolving technologies — including artificial intelligence, encryption, and cross-border data flows — excluding these voices from technical and subsidiary body negotiations risks entrenching gaps between security objectives and fundamental rights protections. 

For now, negotiations on the Rules of Procedure have been deferred to the January 2027 AHC session. The period between now and then represents a critical juncture. States must demonstrate that their commitment to multistakeholder engagement extends beyond procedural compliance by ensuring avenues for broad, predictable, and meaningful participation in the AHC and the CoSP. In the meantime, they should also demonstrate similar commitments to openness, transparency, and participation with respect to domestic implementation, ensuring that laws passed to implement the Convention do not undermine fundamental rights. The choices made during this phase will determine whether the Convention fosters responsible international cooperation or entrenches practices that weaken accountability and digital rights. 

Attention will also increasingly turn to the Supplementary Protocol, which the AHC is mandated to take up two years after the Convention’s adoption. This protocol could further expand the Convention’s scope, extend its extraterritorial reach, and deepen the responsibilities placed on private sector actors. How it is negotiated, applied, and monitored through the Conference of States Parties will shape the global cybercrime landscape for years to come. Ensuring that multistakeholder input, particularly from civil society and technical experts, is substantive rather than symbolic will be essential to aligning operational guidance with principles of necessity, proportionality, and transparency. 

For international cooperation on cybercrime to be legitimate and sustainable, it must be fit for purpose and rights-respecting. Strengthening technical capacity, improving coordination through bilateral and multilateral frameworks, and embedding human rights safeguards in both law and practice are essential. Without these measures, the UNCC risks creating a system in which compliance obligations clash with fundamental rights, ultimately weakening rather than securing the global digital ecosystem. 

Monitoring ratification and implementation at national and regional levels will therefore be critical. Civil society organisations, particularly in the Global Majority, play a central role in analysing legislative reforms, tracking the expansion of procedural powers, and documenting real-world impacts. Through sustained technical expertise, access to multistakeholder networks, and coordinated advocacy, local insights can inform regional and international processes. Facilitating meaningful private sector participation in these efforts will likewise be crucial to ensuring that cybercrime responses remain proportionate, effective, and compatible with innovation, interoperability, and security. 
