This is the second post in a series highlighting the problems and flaws in the proposed UN Cybercrime Convention. Check out our detailed analysis on the criminalization of security research activities under the proposed convention.

The United Nations Ad Hoc Committee is just weeks away from finalizing a too-broad Cybercrime Draft Convention. This draft would normalize unchecked domestic surveillance and rampant government overreach, allowing serious human rights abuses around the world.

The latest draft of the convention—originally spearheaded by Russia but since then the subject of two and a half years of negotiations—still authorizes broad surveillance powers without robust safeguards and fails to spell out data protection principles essential to prevent government abuse of power.

As the August 9 finalization date approaches, Member States have a last chance to address the convention’s lack of safeguards: prior judicial authorization, transparency, user notification, independent oversight, and data protection principles such as transparency, minimization, notification to users, and purpose limitation. If left as is, it can and will be wielded as a tool for systemic rights violations.

Countries committed to human rights and the rule of law must unite to demand stronger data protection and human rights safeguards or reject the treaty altogether. These domestic surveillance powers are critical as they underpin international surveillance cooperation.

EFF’s Advocacy for Human Rights Safeguards

EFF has consistently advocated for human rights safeguards to be a baseline for both the criminal procedural measures and international cooperation chapters. The collection and use of digital evidence can implicate human rights, including privacy, free expression, fair trial, and data protection. Strong safeguards are essential to prevent government abuse.

Regrettably, many states already fall short in these regards. In some cases, surveillance laws have been used to justify overly broad practices that disproportionately target individuals or groups based on their political views—particularly ethnic and religious groups. This leads to the suppression of free expression and association, the silencing of dissenting voices, and discriminatory practices. Examples of these abuses include covert surveillance of internet activity without a warrant, using technology to track individuals in public, and monitoring private communications without legal authorization, oversight, or safeguards.

The Special Rapporteur on the rights to freedom of peaceful assembly and of association has already sounded the alarm about the dangers of current surveillance laws, urging states to revise and amend these laws to comply with international human rights norms and standards governing the rights to privacy, free expression, peaceful assembly, and freedom of association. The UN Cybercrime Convention must be radically amended to avoid entrenching and expanding these existing abuses globally. If not amended, it must be rejected outright.

How the Convention Fails to Protect Human Rights in Domestic Surveillance

The idea that checks and balances are essential to avoid abuse of power is a basic “Government 101” concept. Yet throughout the negotiation process, Russia and its allies have sought to chip away at the already-weakened human rights safeguards and conditions outlined in Article 24 of the proposed Convention. 

Article 24 as currently drafted requires that every country that agrees to this convention must ensure that when it creates, uses, or applies the surveillance powers and procedures described in the domestic procedural measures, it does so under its own laws. These laws must protect human rights and comply with international human rights law. The principle of proportionality must be respected, meaning any surveillance measures should be appropriate and not excessive in relation to the legitimate aim pursued.

Why Article 24 Falls Short?

1. The Critical Missing Principles

While incorporation of the principle of proportionality in Article 24(1) is commendable, the article still fails to explicitly mention the principles of legality, necessity, and non-discrimination, which hold equivalent status to proportionality in human rights law relative to surveillance activities. A primer:

• The principle of legality requires that restrictions on human rights including the right to privacy be authorized by laws that are clear, publicized, precise, and predictable, ensuring individuals understand what conduct might lead to restrictions on their human rights.
• The principles of necessity and proportionality ensure that any interference with human rights is demonstrably necessary to achieving a legitimate aim and only include measures that are proportionate to that aim.
• The principle of non-discrimination requires that laws, policies and human rights obligations be applied equally and fairly to all individuals, without any form of discrimination based on race, color, sex, language, religion, political or other opinion, national or social origin, property, birth, or other status, including the application of surveillance measures.

Without including all these principles, the safeguards are incomplete and inadequate, increasing the risk of misuse and abuse of surveillance powers.

2. Inadequate Specific Safeguards 

Article 24(2) requires countries to include, where “appropriate,” specific safeguards like:

• judicial or independent review, meaning surveillance actions must be reviewed or authorized by a judge or an independent regulator.
• the right to an effective remedy, meaning people must have ways to challenge or seek remedy if their rights are violated.
• justification and limits, meaning there must be clear reasons for using surveillance and limits on how much surveillance can be done and for how long.

Article 24 (2) introduces three problems:

2.1 The Pitfalls of Making Safeguards Dependent on Domestic Law

Although these safeguards are mentioned, making them contingent on domestic law can vastly weaken their effectiveness, as national laws vary significantly and many of them won’t provide adequate protections. 

2.2 The Risk of Ambiguous Terms Allowing Cherry-Picked Safeguards

The use of vague terms like “as appropriate” in describing how safeguards will apply to individual procedural powers allows for varying interpretations, potentially leading to weaker protections for certain types of data in practice. For example, many states provide minimal or no safeguards for accessing subscriber data or traffic data despite the intrusiveness of resulting surveillance practices. These powers have been used to identify anonymous online activity, to locate and track people, and to map people’s contacts. By granting states broad discretion to decide which safeguards to apply to different surveillance powers, the convention fails to ensure the text will be implemented in accordance with human rights law. Without clear mandatory requirements, there is a real risk that essential protections will be inadequately applied or omitted altogether for certain specific powers, leaving vulnerable populations exposed to severe rights violations. Essentially, a country could just decide that some human rights safeguards are superfluous for a particular kind or method of surveillance, and dispense with them, opening the door for serious human rights abuses.

2.3 Critical Safeguards Missing from Article 24(2)

The need for prior judicial authorization, for transparency, and for user notification is critical to any effective and proportionate surveillance power, but not included in Article 24(2).

Prior judicial authorization means that before any surveillance action is taken, it must be approved by a judge. This ensures an independent assessment of the necessity and proportionality of the surveillance measure before it is implemented. Although Article 24 mentions judicial or other independent review, it lacks a requirement for prior judicial authorization. This is a significant omission that increases the risk of abuse and infringement on individuals' rights. Judicial authorization acts as a critical check on the powers of law enforcement and intelligence agencies.

Transparency involves making the existence and extent of surveillance measures known to the public; people must be fully informed of the laws and practices governing surveillance so that they can hold authorities accountable. Article 24 lacks explicit provisions for transparency, so surveillance measures could be conducted in secrecy, undermining public trust and preventing meaningful oversight. Transparency is essential for ensuring that surveillance powers are not misused and that individuals are aware of how their data might be collected and used.

User notification means that individuals who are subjected to surveillance are informed about it, either at the time of the surveillance or afterward when it no longer jeopardizes the investigation. The absence of a user notification requirement in Article 24(2) deprives people of the opportunity to challenge the legality of the surveillance or seek remedies for any violations of their rights. User notification is a key component of protecting individuals’ rights to privacy and due process. It may be delayed, with appropriate justification, but it must still eventually occur and the convention must recognize this.

Independent oversight involves monitoring by an independent body to ensure that surveillance measures comply with the law and respect human rights. This body can investigate abuses, provide accountability, and recommend corrective actions. While Article 24 mentions judicial or independent review, it does not establish a clear mechanism for ongoing independent oversight. Effective oversight requires a dedicated, impartial body with the authority to review surveillance activities continuously, investigate complaints, and enforce compliance. The lack of a robust oversight mechanism weakens the framework for protecting human rights and allows potential abuses to go unchecked.

Conclusion

While it’s somewhat reassuring that Article 24 acknowledges the binding nature of human rights law and its application to surveillance powers, it is utterly unacceptable how vague the article remains about what that actually means in practice. The “as appropriate” clause is a dangerous loophole, letting states implement intrusive powers with minimal limitations and no prior judicial authorization, only to then disingenuously claim this was “appropriate.” This is a blatant invitation for abuse. There’s nothing “appropriate” about this, and the convention must be unequivocally clear about that.

This draft in its current form is an egregious betrayal of human rights and an open door to unchecked surveillance and systemic abuses. Unless these issues are rectified, Member States must recognize the severe flaws and reject this dangerous convention outright. The risks are too great, the protections too weak, and the potential for abuse too high. It’s long past time to stand firm and demand nothing less than a convention that genuinely safeguards human rights.

Check out our detailed analysis on the criminalization of security research activities under the UN Cybercrime Convention. Stay tuned for our next post, where we'll explore other critical areas affected by the convention, including its scope and human rights safeguards.

This is the first post in a series highlighting the problems and flaws in the proposed UN Cybercrime Convention. Check out The UN Cybercrime Draft Convention is a Blank Check for Surveillance Abuses. 

The latest and nearly final version of the proposed UN Cybercrime Convention—dated May 23, 2024 but released today June 14—leaves security researchers’ and investigative journalists’ rights perilously unprotected, despite EFF’s repeated warnings.

The world benefits from people who help us understand how technology works and how it can go wrong. Security researchers, whether independently or within academia or the private sector, perform this important role of safeguarding information technology systems. Relying on the freedom to analyze, test, and discuss IT systems, researchers identify vulnerabilities that can cause major harms if left unchecked. Similarly, investigative journalists and whistleblowers play a crucial role in uncovering and reporting on matters of significant public interest including corruption, misconduct, and systemic vulnerabilities, often at great personal risk.

For decades, EFF has fought for security researchers and journalists, provided legal advice to help them navigate murky criminal laws, and advocated for their right to conduct security research without fear of legal repercussions. We’ve helped researchers when they’ve faced threats for performing or publishing their research, including identifying and disclosing critical vulnerabilities in systems. We’ve seen how vague and overbroad laws on unauthorized access have chilled good-faith security research, threatening those who are trying to keep us safe or report on public interest topics. 

Now, just as some governments have individually finally recognized the importance of protecting security researchers’ work, many of the UN convention’s criminalization provisions threaten to spread antiquated and ambiguous language around the world with no meaningful protections for researchers or journalists. If these and other issues are not addressed, the convention poses a global threat to cybersecurity and press freedom, and UN Member States must reject it.

This post will focus on one critical aspect of coders’ rights under the newest released text: the provisions that jeopardize the work of security researchers and investigative journalists. In subsequent posts, Wwe will delve into other aspects of the convention in later posts.

How the Convention Fails to Protect Security Research and Reporting on Public Interest Matters

What Provisions Are We Discussing?

Articles 7 to 11 of the Criminalization Chapter—covering illegal access, illegal interception, interference with electronic data, interference with ICT systems, and misuse of devices—are core cybercrimes of which security researchers often have been accused of such offenses as a result of their work. (In previous drafts of the convention, these were articles 6-10).

• Illegal Access (Article 7): This article risks criminalizing essential activities in security research, particularly where researchers access systems without prior authorization to identify vulnerabilities.
• Illegal Interception (Article 8): Analysis of network traffic is also a common practice in cybersecurity; this article currently risks criminalizing such analysis and should similarly be narrowed to require malicious criminal intent (mens rea).
• Interference with Data (Article 9) and Interference with Computer Systems (Article 10): These articles may inadvertently criminalize acts of security research, which often involve testing the robustness of systems by simulating attacks that could be described as “interference” even though they don’t cause harm and are performed without criminal malicious intent.

All of these articles fail to include a mandatory element of criminal intent to cause harm, steal, or defraud. A requirement that the activity cause serious harm is also absent from Article 10 and optional in Article 9. These safeguards must be mandatory.

What We Told the UN Drafters of the Convention in Our Letter?

Earlier this year, EFF submitted a detailed letter to the drafters of the UN Cybercrime Convention on behalf of 124 signatories, outlining essential protections for coders. 

Our recommendations included defining unauthorized access to include only those accesses that bypass security measures, and only where such security measures count as effective. The convention’s existing language harks back to cases where people were criminally prosecuted just for editing part of a URL.

We also recommended ensuring that criminalization of actions requires clear malicious or dishonest intent to harm, steal, or infect with malware. And we recommended explicitly exempting good-faith security research and investigative journalism on issues of public interest from criminal liability.

What Has Already Been Approved?

Several provisions of the UN Cybercrime Convention have been approved ad referendum. These include both complete articles and specific paragraphs, indicating varying levels of consensus among the drafters.

Which Articles Has Been Agreed in Full

The following articles have been agreed in full ad referendum, meaning the entire content of these articles has been approved:

• Article 9: Interference with Electronic Data
• Article 10: Interference with ICT Systems
• Article 11: Misuse of Devices 
• Article 28(4): Search and Seizure Assistance Mandate

We are frustrated to see, for example, that Article 11 (misuse of devices) has been accepted without any modification, and so continues to threaten the development and use of cybersecurity tools. Although it criminalizes creating or obtaining these tools only for purposes of violations of other crimes defined in Articles 7-10 (covering illegal access, illegal interception, interference with electronic data, and interference with ICT systems), those other articles lack mandatory criminal intent requirements and a requirement to define “without right” as bypassing an effective security measure. Because those articles do not specifically exempt activities such as security testing, Article 11 may inadvertently criminalize security research and investigative journalism. It may punish even making or using tools for research purposes if the research, such as security testing, is considered to fall under one of the other crimes.

We are also disappointed that Article 28(4) has also been approved ad referendum. This article could disproportionately empower authorities to compel “any individual” with knowledge of computer systems to provide any “necessary information” for conducting searches and seizures of computer systems. As we have written before, this provision can be abused to force security experts, software engineers, tech employees to expose sensitive or proprietary information. It could also encourage authorities to bypass normal channels within companies and coerce individual employees—under threat of criminal prosecution—to provide assistance in subverting technical access controls such as credentials, encryption, and just-in-time approvals without their employers’ knowledge. This dangerous paragraph must be removed in favor of the general duty for custodians of information to comply with data requests to the extent of their abilities.

Which Provisions Has Been Partially Approved?

The broad prohibitions against unauthorized access and interception have already been approved ad referendum, which means:

• Article 7: Illegal Access (first paragraph agreed ad referendum)
• Article 8: Illegal Interception (first paragraph agreed ad referendum)

The first paragraph of each of these articles includes language requiring countries to criminalize accessing systems or data or intercepting “without right.” This means that if someone intentionally gets into a computer or network without authorization, or performs one of the other actions called out in subsequent articles, it should be considered a criminal offense in that country. The additional optional requirements, however, are crucial for protecting the work of security researchers and journalists, and are still on the negotiating table and worth fighting for.  

What Has Not Been Agreed Upon Yet?

There is no agreement yet on Paragraph 2 of Article 7 on Illegal Access and Article 8 on illegal interception, which give countries the option to add specific requirements that can vary from article to article. Such safeguards could provide necessary clarifications to prevent criminalization of legal activities and ensure that laws are not misapplied to stifle research, innovation, and reporting on public interest matters. We made clear throughout this negotiation process that these conditions are a crucially important part of all domestic legislation pursuant to the convention. We’re disappointed to see that states have failed to act on any of our recommendations, including the letter we sent in February.

The final text dated May 23, 2024 of the convention is conspicuously silent on several crucial protections for security researchers:

• There are no explicit exemptions for security researchers or investigative journalists who act in good faith.
• The requirement for malicious intent remains optional rather than mandatory, leaving room for broad and potentially abusive interpretations.
• The text does not specify that bypassing security measures should only be considered unauthorized if those measures are effective, nor make that safeguard mandatory.

How Has Similar Phrasing Caused Problems in the Past?

There is a history of overbroad interpretation under laws such as the United States’ Computer Fraud and Abuse Act, and this remains a significant concern with similarly vague language in other jurisdictions. This can also raise concerns well beyond researchers’ and journalists’ work, as when such legislation is invoked by one company to hinder a competitor’s ability to access online systems or create interoperable technologies. EFF’s paper, “Protecting Security Researchers' Rights in the Americas,” has documented numerous instances in which security researchers faced legal threats for their work:

• MBTA v. Anderson (2008): The Massachusetts Bay Transit Authority (MBTA) used a  cybercrime law to sue three college students who were planning to give a presentation about vulnerabilities in Boston’s subway fare system.
• Canadian security researcher (2018): A 19-year-old Canadian was accused of unauthorized use of a computer service for downloading public records from a government website.
• LinkedIn’s cease and desist letter to hiQ Labs, Inc. (2017): LinkedIn invoked cybercrime law against hiQ Labs for “scraping” — accessing publicly available information on LinkedIn’s website using automated tools. Questions and cases related to this topic have continued to arise, although an appeals court ultimately held that scraping public websites does not violate the CFAA. 
• Canadian security researcher (2014): A security researcher demonstrated a widely known vulnerability that could be used against Canadians filing their taxes. This was acknowledged by the tax authorities and resulted in a delayed tax filing deadline. Although the researcher claimed to have had only positive intentions, he was charged with a cybercrime.
• Argentina’s prosecution of Joaquín Sorianello (2015): Software developer Joaquín Sorianello uncovered a vulnerability in election systems and faced criminal prosecution for demonstrating this vulnerability, even though the government concluded that he did not intend to harm the systems and did not cause any serious damage to them.

These examples highlight the chilling effect that vague legal provisions can have on the cybersecurity community, deterring valuable research and leaving critical vulnerabilities unaddressed.

Conclusion

The latest draft of the UN Cybercrime Convention represents a tremendous failure to protect coders’ rights. By ignoring essential recommendations and keeping problematic language, the convention risks stifling innovation and undermining cybersecurity. Delegates must push for urgent revisions to safeguard coders’ rightsandrights and ensure that the convention fosters, rather than hinders, the development of a secure digital environment. We are running out of time; action is needed now.

Stay tuned for our next post, in which we will explore other critical areas affected by the proposed convention including its scope and human rights safeguards. 

The proposed UN Cybercrime Convention, scheduled for a critical concluding session from 29 July to August 9th, poses a significant threat to global human rights unless major changes are made. Despite two and a half years of intense discussions and seven negotiation sessions, states remain deeply divided on fundamental aspects, leading to a deeply  flawed draft text and a problematic chair’s proposal from February 2024. They can’t even agree what to call the Convention, much less its scope—should it address only core cybercrime, or any crime committed using technology? 

The February 2024 language continues to risk criminalizing protected speech, granting broad surveillance powers without robust safeguards, and raising serious cybersecurity concerns. Despite continuous advocacy from civil society and industry, these key issues remain unaddressed. A new version of the Convention is expected soon, but without addressing these critical flaws, the risks to human rights remain.

Joint NGO Letter and EFF's Redlines

In a joint letter with over 100 NGOs, we state that the Cybercrime Convention must not advance without addressing critical flaws. The letter outlines clear requirements: the Convention must focus solely on cyber-dependent crimes, incorporate comprehensive human rights safeguards, and ensure robust protections for security researchers, whistleblowers, activists, and journalists. Absent these minimum requirements, we call on state delegations to reject the draft Convention and refuse to advance it to the UN General Assembly for adoption.

EFF echoes such requirements, among others:

• First, the Convention must be narrowly focused on cyber-dependent crimes, excluding overly broad content-related crimes that contradict human rights law from the proposed Convention.
• Second, it must include robust protections for security researchers, whistleblowers, activists, and journalists to ensure they are not unjustly criminalized for performing their essential work.
• Third, it must incorporate comprehensive human rights safeguards, including the principles of legality, non-discrimination, legitimate purpose, necessity, proportionality, transparency, effective remedy, and prior judicial authorization applicable throughout the entire Convention.
• Fourth, the scope of procedural measures and international cooperation must be limited to the defined cyber-dependent crimes, with explicit minimum robust safeguards against abuses of surveillance and data sharing, and adequate protection of personal data. 
• Fifth, direct sharing of personal data must be limited to specific criminal investigation, and be subject to robust minimum safeguards mandated in the text itself to prevent misuse, such as the need to comply with the principles of legality, necessity, proportionality, transparency, user notification, and the need for prior judicial authorization.
• Sixth, proactive sharing of personal data must be strictly limited and conditioned on compliance with minimum robust standards and international human rights law.

As is, the Convention will be a tool for states with repressive domestic laws to impose arbitrary and disproportionate restrictions on rights and freedoms. As the negotiations resume, it is crucial to address these issues and ensure the Convention aligns with international human rights standards to prevent disaster.

Many other NGOs and industry representatives have expressed similar concerns about the proposed UN Cybercrime Convention. You can read their detailed opinions here: Human Rights Watch and Article 19, Privacy International, Global Partners Digital, Derechos Digitales, Microsoft, Cybersecurity Tech Accord, and a joint civil society and industry statement.

Origins and Development of the Convention 

The proposed UN Cybercrime Convention's journey began in October 2017 when Russia proposed a draft, aiming to tackle the “use of information and communication technology for criminal purposes.” This effort gained momentum in November 2019 when a UN Resolution, backed by a block of nations that included China, Iran, and Syria, was passed despite strong opposition from the US, EU and others.

By December 2019, the UN General Assembly adopted a Resolution to form an Ad Hoc Committee (AHC) to draft the Convention. The process faced delays due to COVID-19, with the first organizational meeting postponed to 2021. Despite initial resistance, the AHC's inaugural session in May 2021 saw participation from over 160 countries, outlining a plan for multiple negotiating sessions. The AHC mandate specifies that the Convention must “conclude its work in order to provide a draft Convention to the General Assembly at its seventy-eighth session in September 2024.”

EFF has been involved in the UN Cybercrime Convention process from the start, though we've always been skeptical about its necessity due to the significant risks it poses to human rights. Together with a coalition of 130 NGOs, we have consistently raised alarms about the potential misuse of cybercrime laws to target dissent, activists, advocates, security researchers, and journalists. Our concerns, shared with allies, date back way before the first substantive session began in 2022. In 2021, the UN General Assembly expressed grave concerns that cybercrime legislation was being misused to target human rights defenders, hinder their work, and endanger their safety in a manner contrary to international law.  

The UN Special Rapporteur on the rights to freedom of peaceful assembly and association has noted that the increasing number of laws and policies aimed at combating cybercrime have often been used as a means to punish and monitor activists and protesters globally. The Special Rapporteur highlighted that although technology can indeed be used “to promote terrorism, incite violence, and manipulate elections, these concerns are frequently exploited to justify crackdowns on digital civil society.” 

As is, the Convention will be a tool for states with repressive domestic laws to impose arbitrary and disproportionate restrictions on rights and freedoms.

This sentiment has been echoed by the the Office of the High Commissioner for Human Rights in 2022, highlighting that national cybercrime laws are often used to "restrict freedom of expression, target dissenting voices, justify internet shutdowns, interfere with privacy and anonymity of communications, and limit the rights to freedom of association and peaceful assembly." 

Analyzing the Convention’s Expansive Reach and Human Rights Concerns

Article 3: Scope of the Convention

Article 3 outlines the scope of the UN Cybercrime Convention, dividing it into two crucial parts. Article 3(a) limits the scope of application to crimes “established in accordance with the Convention,” covering their prevention, investigation, and prosecution. In contrast, Article 3(b) broadens the reach to include domestic (Article 23) and international cooperation (Article 35), including evidence-gathering for activities deemed serious by national law, expanding the Convention's application to a wide array of any serious offenses regardless of their connection to cybercrime. Understanding this difference is key to grasping the potential impact and reach of the Convention.

EFF has consistently argued that the Convention should be limited to core or cyber-dependent crimes—offenses in which computer systems are the direct objects and instruments, crimes which could not exist without information and communications technology (ICT) systems. By focusing exclusively on these core cybercrimes, the Convention would allow states to concentrate their resources, expertise, and capacity-building on these specific offenses. This approach would also prevent cross-border cooperation on a range of other offenses that are often antithetical to human rights. 

This limitation should apply to the criminalization chapter and the chapter on international cooperation (including spying assistance and data sharing powers), and even to the chapter on  domestic spying powers. Core cybercrimes include unauthorized access to ICT systems, illegal interception, damaging, deleting, deteriorating, altering, or suppressing electronic data, hindering the functioning of ICT systems, and misuse of devices.

Regrettably, the Convention is broader in scope than just core cybercrimes. It addresses cyber-enabled crimes, which are traditional crimes that may in certain instances be facilitated or amplified by the use of technology. These crimes leverage the reach, speed, and anonymity provided by the internet and other digital platforms to enhance their impact, such as ICT-related theft or fraud (Article 12), and solicitation or grooming for sexual offenses against children (Article 14).

It also includes overly broad and vague content-related offenses—crimes that involve the creation, distribution, or possession of material considered illegal or harmful, such as online child sexual abuse material (Article 13), non-consensual dissemination of intimate images (Article 15)—which can lead to the over-criminalization of protected speech.

Regrettably, the Convention is broader in scope than just core cybercrimes.

On tIIn the spying front, the proposed convention also allows for extensive data sharing and cross-border assistance to gather evidence for any crime a state deems serious in its national law. The Convention also deals with extradition and lacks clear limitations and minimum human rights safeguards explicitly embedded in the text itself, and thus risks becoming a tool for human rights abuses and transnational repression, undermining cybersecurity and the very principles it aims to protect.

Human Rights Safeguards

The proposed convention has two articles on human rights that could potentially limit its broad scope and intrusive surveillance powers: a general provision under Article 5, which applies to the entire draft convention, and Article 24, which describes the conditions and safeguards for new domestic surveillance powers.  However, both articles are insufficient and inadequate to provide meaningful protections in practice.

Article 5: General Human Rights Provisions 

First, it should mandate compliance with human rights obligations, not merely consistency. This less stringent wording would allow for broader interpretation by States, and potentially looser application, which could lead to inconsistent protection across different jurisdictions as states with weaker human rights records may interpret "consistent with" in a way that minimally satisfies their obligations without fully protecting individuals' rights.

Second, Article 5 fails to explicitly incorporate core tenets of human rights including the principles of legality, necessity, proportionality, and non-discrimination, and generally fails to impose explicit limitations. In practice, this means that many elements of the convention are likely to be implemented in ways that fall short of international human rights standards. Notably, some prospective signatories to this convention have refused to sign and ratify core human rights instruments such as the ICCPR, and in negotiations a number of states have explicitly rejected attempts to incorporate equality rights into Article 5, including the obligation to mainstream a gender perspective and to take into consideration, when implementing this convention, the circumstances of people who face marginalization in society. Uruguay, for example, has proposed that integrating language on gender, vulnerable groups, and rule of law safeguards.

One of the critical components of effective human rights safeguards is the inclusion of prior judicial authorization, transparency and user notification.

Article 24: Conditions and Safeguards for Domestic Surveillance Powers

Article 24 of the proposed UN Cybercrime Convention outlines how states should protect human rights when using domestic surveillance powers.  While Article 24 helpfully incorporates the principle of proportionality—a central human rights principle—it fails to explicitly include the principles of legality, necessity and non-discrimination. The principle of legality requires laws to be clear, publicized, and precise, ensuring individuals understand what is criminalized. The principle of necessity ensures any interference with human rights is proportionate to achieving a legitimate aim. The principle of non-discrimination requires that laws and policies be applied equally and fairly to all individuals, without any form of discrimination based on race, color, sex, language, religion, political or other opinion, national or social origin, property, birth, or other status. Without these principles, the safeguards are incomplete and inadequate, increasing the risk of misuse and abuse of surveillance powers.

One of the critical components of effective human rights safeguards is the inclusion of prior judicial authorization, transparency, user notification, and the right to an effective remedy. The Chair’s Proposal specifies in Article 24(2) that conditions and safeguards should "include, inter alia, judicial or other independent review, the right to an effective remedy, grounds justifying application, and limitation of the scope and duration of such power or procedure." However, making these safeguards contingent on domestic law can weaken their effectiveness, as national laws vary significantly and may not provide adequate protections. Moreover, while both versions of Article 24 incorporate the principle of proportionality, they fail to explicitly include the principles of legality and necessity. The principle of legality requires laws to be clear, publicized, and precise, ensuring individuals understand what is criminalized. The principle of necessity ensures any interference with human rights is proportionate to achieving a legitimate aim. By granting states broad discretion to decide what safeguard to apply in relation to which surveillance power, the convention fails to ensure the text will be implemented in a manner that is in accordance with human rights. 

To address these issues, the Special Rapporteur has already called on states to revise and amend (...)  surveillance (...) and bring them into compliance with international human rights norms and standards governing the right to privacy, the right to free expression, peaceful assembly, and freedom of association. This issue remains unresolved, and the current convention risks perpetuating these existing concerns.

Domestic Spying Powers and Domestic Safeguards

The Convention grants extensive domestic surveillance powers to gather evidence for any crime, accompanied by minimal and insufficient safeguards, many of which do not even apply to its chapter on cross-border surveillance (Chapter V).  Key measures include expedited preservation of electronic data (Article 25), production orders for specific data (Article 27), and real-time collection of traffic and content data (Articles 29 and 30). These provisions enable rapid and comprehensive data access, essential for investigating cybercrimes. One particularly troubling aspect is Article 28(4), which allows authorities to compel individuals with knowledge of ICT systems to provide necessary information for accessing data. We has consistently voiced concerns that this provision could lead to forced assistance without adequate protection for the rights of those compelled. This broad and potentially coercive power risks significant abuse, especially in jurisdictions lacking strong human rights safeguards.

The combination of intrusive domestic surveillance powers paired with insufficient safeguards heightens the risk of misuse, potentially leading to arbitrary and disproportionate restrictions on privacy and other human rights. To illustrate the potential risks of granting states broad discretion in applying safeguards, consider the following examples:

1. Lack of legal protection of subscriber data: This threatens the anonymity of the LGBTQ+ community, making them vulnerable to identification and subsequent persecution. Without strong safeguards and a narrow scope, the mere act of engaging in virtual communities, sharing personal anecdotes, or openly expressing relationships could lead to their subscribers' identities being disclosed, putting them at significant risk. Offline, the implications intensify with amplified hesitancy to participate in public events, showcase LGBTQ+ symbols, or even undertake daily routines that risk revealing their identity. The draft convention's potential to bolster digital surveillance capabilities means that even private communications, like discussions about same-sex relationships or plans for LGBTQ+ gatherings, could be monitored, collected, intercepted and turned against them.
2. Metadata Tracking: A country could classify metadata, such as location data, with less stringent protections compared to content data, leading to extensive tracking of individuals' movements without adequate oversight. 
3. Weak Judicial Oversight: In a country with a weak judicial system, surveillance activities might not require judicial oversight or prior judicial authorization, allowing authorities to conduct intrusive surveillance without proper scrutiny. 
4. Discriminatory Surveillance Practices: Broad discretion could enable discriminatory surveillance practices, disproportionately targeting certain ethnic or religious groups under the pretext of “protecting the children.”
5. International Data Sharing: Without clear limitations, a country could share surveillance data internationally, risking the persecution of political dissidents or human rights activists in countries with poor human rights records.
6. Lack of Transparency: A lack of transparency requirements for surveillance activities could prevent individuals from knowing whether they are being surveilled or challenging unlawful surveillance. 
7. Weak Protections for Digital Communications: Lastly, weak protections for digital communications such as emails and instant messages could allow authorities to intercept and read private communications without robust legal safeguards or oversight. 

For safeguards to be meaningful, the Convention should mandate prior approval by a judge for surveillance activities. As specified in the Necessary and Proportionate Principles, meaningful safeguards should also set strict time limits and establish transparency obligations, such as notifying individuals when their personal data has been accessed. While the Chair’s Proposal includes the right to an effective remedy, individuals cannot effectively exercise this right if they are unaware that their data was accessed, especially in cases where the investigation does not lead to legal proceedings. The authorities should also be required to explain the specific facts that justify surveilling particular individuals and publicly report the frequency of using these powers.

In conclusion, while the Chair’s  Proposal makes some improvements by explicitly including the right to an effective remedy and continuing to recognize the principle of proportionality, its reliance on domestic law for oversight significantly weakens the protection of human rights. The absence of the principles of legality and necessity, combined with the broad discretion given to States, heightens the risk of misuse and abuse of surveillance powers. To truly safeguard human rights, the Convention must mandate strict compliance with international human rights standards and ensure comprehensive and consistent application of safeguards across all states.

The Dangers of Cross-Border Surveillance and Data Sharing

Scope Creep in International Cooperation

One might assume a "cybercrime" convention would focus exclusively on cybercrimes. However, the principles of international cooperation in this convention exemplify significant and dangerous scope creep. And without mandated safeguards in the convention itself for this chapter, this opens the door wide for abuse and transnational repression.

The scope of the international cooperation chapter is still notably wide, and is one primary reason that we've repeatedly said that this convention is truly an all-purpose global surveillance instrument:

• Article 35(1)(b) of the chair's proposal requires states to cooperate in the collection, obtaining, preservation, and sharing of electronic evidence for criminal investigations or proceedings of criminal offenses established in accordance with the Convention. Essentially, this means that states are obliged to assist each other in managing electronic evidence related to Articles 6-16, regardless of their severity;
• Article 35(1)(c) of the chair's proposal significantly broadens the scope of international cooperation by including the collection, obtaining, preservation, and sharing of electronic evidence for any activity deemed serious by national law. The defining criteria for "serious" is a crime that carries a prison term of at least four years, as stated in Article 2(1)(h) of the convention. Importantly, the crime itself is defined by the national law of the state requesting cooperation. The only requirement set by the convention is the severity of the penalty (a prison term of at least four years). Therefore, as long as the national law includes a crime punishable by at least four years of imprisonment, it qualifies for international cooperation under this provision. This is applicable whether the alleged offense is cybercrime or not. This also includes serious offenses established in accordance with “other applicable United Nations conventions and protocols in force at the time of adoption” of the Convention.

 This broad scope could lead to abuses, particularly in countries with weaker human rights protections, where national laws might include offenses that do not align with international human rights standards.

Such a UN endorsement could establish a perilous precedent, authorizing surveillance measures that are in stark contradiction with international human rights law and UN values. Even more concerning, it might tempt certain countries to formulate or increase their restrictive criminal laws, eager to tap into the broader pool of cross-border surveillance cooperation that the proposed convention offers. In certain countries, many of these criminal laws might be based on subjective moral judgments that suppress what is considered protected speech under international human rights standards. 

As such, these provisions could result in heightened cross-border monitoring and potential repercussions for individuals, leading to torture or even the death penalty in countries like Iran. For example, activists urged the UN to relocate Cop27 from Egypt due to concerns over Egypt’s record of LGBTQ+ torture, woman slaughter, civil rights suppression, and limitations on the participation of diverse voices, including protesters and indigenous rights groups.

The Special Rapporteur on the rights to freedom of peaceful assembly and association has observed that states increasingly use technology to silence, surveil, and harass dissidents, political opposition, human rights defenders, activists, and protesters, as well as manipulate public opinion. This includes the use of digital surveillance (...) to suppress civil society activities.

Effectively, whenever countries deem any criminal act to be subject to a prison term of at least four years in their domestic law, they can use the Convention to ask other governments to assist in spying to collect evidence, even if they are speech offenses or otherwise criminalize human rights protected activities. All these illustrate how repressive regimes can exploit the broad scope of the Convention’s international cooperation regime—including cross-border spying assistance, and extradition—to gather evidence and target marginalized communities, posing significant human rights problems.

Even worse, the situation is exacerbated by the fact that cross-border data sharing and surveillance assistance between states are not subject to the safeguards in Article 24. Instead, the safeguards will be those of the requesting country, whatever that standard may be, further amplifying the risk of human rights abuses and transnational repression.

Transnational repression refers to actions by governments that reach beyond their borders to silence dissent among their nationals abroad through tactics like surveillance, harassment, and intimidation. For decades, Human Rights Watch has documented governments reaching outside their borders to silence or deter dissent by committing human rights abuses against their own nationals or former nationals. Governments have targeted human rights defenders, journalists, civil society activists, and political opponents, among others, deemed to be a security threat. Many are asylum seekers or recognized refugees in their place of exile. These governmental actions beyond borders leave individuals unable to find genuine safety for themselves and their families. See table of cases at the end.

According to research by Freedom House, the top five perpetrators of transnational repression are China, Turkey, Tajikistan, Egypt, and Russia. Followed by Turkmenistan, Uzbekistan, Iran, Belarus, and Rwanda, with the 10 nations collectively responsible for 80 percent of documented cases. China alone accounts for 30 percent of these cases.

It is a growing concern that poses significant challenges to international human rights norms and protections. Several other organizations have also been warning that existing international law enforcement cooperation mechanisms are being abused or twisted to allow political repression even beyond forceful data localization mandates that seek to bypass international cooperation rules. 

INTERPOL, for instance, is an intergovernmental organization of 193 countries that facilitates worldwide police cooperation. But Human Rights Watch has documented numerous allegations of how China, Bahrain, Turkey, and other countries have abused INTERPOL’s Red Notice system—a request to law enforcement worldwide to “locate and provisionally arrest a person pending extradition, surrender, or similar legal action”—to locate peaceful critics of government policies ostensibly for minor offenses but really, for political gain. 

While states continue to negotiate over whether some of the conventions’ specific cross-border surveillance powers will be limited in application to a subset of crimes, the overall impact of the convention is concerning. By obligating states to process cooperation requests in relation to any offense deemed serious as defined by national law, the convention’s broad scope threatens to overwhelm the ability of already overburdened legal assistance bodies to ensure they are processing requests in a way that is consistent with their own human rights obligations. It would also operate as an internationally authorized vehicle of cooperation between states where the rule of law has broken down and which have a track record of abusing international cooperation instruments for repression.

While some democratic countries may believe they can sidestep these pitfalls by not collaborating with countries that have controversial laws, this confidence may be misplaced. First, grounds for refusal are optional, not obligatory. The draft convention allows countries to refuse a request if the activity in question is not a crime in its domestic regime (the principle of "dual criminality"). However, given the current strain on the mutual legal assistance treaty (MLAT) system, there's an increasing likelihood that requests, even from countries with contentious laws, could slip through the cracks. This opens the door for nations to inadvertently assist in operations that might contradict global human rights norms. Second, where countries do share the same subjective values and problematically criminalize the same conduct, this draft convention seemingly provides a justification for their cooperation. And even governments that claim to uphold free expression and privacy domestically frequently abandon these principles in international cooperation, especially under the pretext of counterterrorism.

It's now less likely that governments will refuse mutual legal assistance requests on human rights grounds

Third, as we previously discussed with Deborah Brown, with the rise of cloud computing and companies storing data in various countries, including those with poor human rights records like Saudi Arabia, it's now less likely that governments will refuse mutual legal assistance requests on human rights grounds. In the past, most data was stored in only a handful of countries, making it easier to deny disproportionate requests. Today, with data scattered across multiple jurisdictions, enforcing human rights protections becomes more complicated and less consistent.

Article 40: Mutual Legal Assistance (MLA)

Article 40 outlines the principles and procedures for mutual legal assistance (MLA) between states. It mandates that states provide the broadest measure of MLA in investigations, prosecutions, and judicial proceedings related to offenses established "in accordance with the Convention," specifically those outlined in Articles 6 to 16, which cover various cybercrimes. The article sets the framework for cooperation in collecting electronic evidence and ensures that MLA is provided to the fullest extent possible under relevant laws and treaties. There is a bracket in Article 40(1) ["as well as of serious crimes"] indicating the text has received preliminary approval during informal discussions, but the bracket is still under negotiation and has not yet been finalized. The inclusion of "serious crimes" would broaden the scope of mutual legal assistance to include serious crimes beyond those specifically defined in the Convention, pending consensus among the negotiating states. 

Additionally, Article 40(8) of the Convention allows countries to refuse requests for help if: the request doesn’t follow the rules of the Convention; helping would harm the country’s sovereignty, security, or other important interests; the requested action would be illegal under the requested country’s own laws if it were applied to a similar crime within their jurisdiction; or granting the request would go against the requested country’s legal system. However, these grounds of refusal are not enough. The chair has proposed the addition of Article 40.20 (bis), allowing states to refuse mutual legal assistance if the request is believed to be made for political purposes or to prosecute someone based on their political opinions, sex, race, language, religion, nationality, or ethnic origin. However, the high evidentiary threshold may limit the practical effectiveness of this safeguard, making it difficult for states to justify refusals and potentially allowing such requests to proceed. 

Article 40.4: Proactive Information Sharing and Its Risks

Article 40.4 also allows authorities to share information about criminal matters with foreign counterparts proactively, without a formal request. While intended to facilitate international cooperation, this provision poses significant risks to privacy and data protection. Without stringent safeguards, sensitive personal data could be shared too freely, potentially leading to misuse, especially if the receiving country lacks strong data protection laws. Article 40.4 must be amended to ensure that personal data is only shared when absolutely necessary for specific criminal investigations, prosecutions, and judicial proceedings, and with robust data protections rules in place.

Article 47: Extensive Data Sharing for Investigative Purposes

Article 47 also presents significant and troubling legal challenges due to its expansive scope and the absence of essential safeguards. This new version continues to authorize extensive cooperation among States Parties, including the sharing of personal and sensitive data for analytical or investigative purposes, but now it has been limited to a set of crimes. However, it fails to incorporate critical protections found in Article 24, such as principles of legality, necessity, proportionality, transparency, prior judicial authorization, and robust data protection measures. This omission is alarming, as it could permit the unregulated exchange of  potentially biometric, traffic, and location data. The provision's lack of specificity and its disconnection from particular criminal investigations or proceedings exacerbate these concerns, potentially enabling large scale data-sharing and the targeting of vulnerable populations, including journalists, activists, and minority groups.

Moreover, the absence of oversight by central authorities and the lack of clear limitations or exclusions for sharing sensitive personal data further amplify the risk of human rights violations. It is imperative that this article be fundamentally revised to include robust human rights protections, ensuring that international cooperation does not come at the expense of civil liberties and data protection.

In conclusion, the breadth of the cross-border regime and the absence of adequate human rights safeguards will facilitate human rights abuses by allowing states to request assistance in national investigations. Disagreements—from the broad scope to the absence of robust minimum human rights safeguards—are deep and substantive, and continue to be on the negotiating table, albeit now in closed-door informal meetings. Yet despite these fundamental issues, negotiators continue to present compromises that sweep these problems under the rug as a manufactured potential consensus. 

The breadth of the cross-border regime and the absence of adequate human rights safeguards will facilitate human rights abuses

The next version of the Convention’s text, expected early June, must address these issues that were left unresolved in the chair’s compromise text published in February 2024. Critical unanswered questions remain. The text continues to reflect the deep divides among states. Minimal progress has been made in limiting the convention's scope of cross border spying assistance and data sharing or strengthening human rights safeguards, even less in ensuring these safeguards apply to the international cooperation chapter. Prioritizing consensus over human rights protections risks disproportionate surveillance abuses and significant erosion of privacy and freedom of expression. EFF and a coalition of NGOs have consistently warned about the dangers of such compromises, cautioning that "there is a real risk that, in an attempt to entice all States to sign a proposed UN cybercrime convention, bad human rights practices will be accommodated, resulting in a race to the bottom.”

Missed Opportunities: The Exclusion of Key Safeguards 

To mitigate the harm of the Convention’s broad scope and limited safeguards, during the January session Canada proposed an amendment to Article 3, to narrow the application of the Convention so it does not apply to acts of repression.

“Nothing in this Convention shall be interpreted as permitting or facilitating repression of expression, conscience, opinion, belief, peaceful assembly or association; or permitting or facilitating discrimination or persecution based on individual characteristics.”

 This proposal would, in principle, render some of the Convention’s more problematic features such as its cross-border cooperation regime inapplicable to acts of repression or discrimination.

The current chair's proposal would permit (but not require) states to refuse cross-border MLA requests that are politically motivated or discriminatory, provided there are substantial grounds for believing this to be the case. However, the requirement for substantial grounds sets a high evidentiary threshold that may limit the practical effectiveness of this safeguard, making it challenging for states to justify refusals and potentially allowing politically motivated or discriminatory requests to proceed.

Similarly, Article 59 (3) of the chair's proposal is intended to safeguard human rights by ensuring that the Convention cannot be used to justify unlawful restrictions on human rights and fundamental freedoms. However, its general language and lack of specific enforcement mechanisms render it weak. The provision relies on the interpretation and goodwill of states, which can vary significantly, particularly in jurisdictions with poor human rights records. 

Neither of these proposals, however, would solve all of the Convention’s ills. Rights-respecting states will be better equipped to refuse requests that conflict with their human rights obligations, but the Convention's broad scope will flood national MLAT units with requests from governments around the world in relation to all serious crimes. 

This will make it far more difficult for these already over-burdened MLAT units to identify human rights abuses when processing foreign requests. Canada’s proposal would also further permit impacted people to challenge government action directly on the basis that it falls outside the scope of the Convention, including action taken on the basis of its substantive criminal provisions and its domestic surveillance powers. However, the Convention includes a number of secrecy provisions and fails to include an individual notice obligation. As a result, individuals rarely will be aware that they are the object of a request and will have limited opportunities to challenge these on the basis that they fall outside the scope of the Convention.

Nonetheless, these proposals would have provided tools to mitigate some of the convention’s more problematic aspects, yet neither is included in the current text.

Broadening Criminalization: Risks of Overreach and Repression in the Convention

Since the start of the process, a number of states have pushed for including a much expanded list of criminal offenses in the convention, simply on the basis these offenses were committed using communications technologies. These include proposals for vaguely defined “terrorism” crimes and offenses that would criminalize “incitement to subversion”.  

The chair’s amendment Article 60bis (Article 17 in previous versions) ensures that offenses established under other applicable United Nations conventions and protocols are also considered criminal offenses under domestic law when committed through the use of information and communications technology systems. The provision is improved over past proposals which would have applied to all present and future conventions, but continues to be a source of concern in that it could require the creation of new offenses based on convention’s obligations that were not designed with ICT networks in mind.

Article 60bis is also an improvement over its predecessor in that it adds subsection (2), which clarifies that Article 60bis “shall not be interpreted as establishing offenses under this Convention.” As a number of the Convention’s provisions are carefully limited to offenses “established in accordance with the Convention,” including the convention’s extradition provision, this could have the impact of limiting those provisions so that they do not apply to Article 60bis offenses. However, as our ally ARTICLE 19 pointed out, subtle differences in language might mean that Article 60bis offenses might be considered as established “in accordance with the Convention” despite not being “established under this Convention”, resulting in a far greater scope of application.

One surprising element of the chair’s compromise was its inclusion of a proposal to extend the mandate of the Ad Hoc Committee to negotiate a future protocol supplementing the Convention immediately upon adoption of the Convention by the General Assembly. This could include another list of crimes for a subset of states, further expanding the Convention's reach and exacerbating the risk of human rights abuses.

Real-World Implications

The proposed UN Cybercrime Convention, with its broad cross-border assistance scope and lack of minimum robust safeguards, poses significant risks to human rights. The potential for misuse and abuse is not theoretical: It is a reality faced by individuals and communities around the world. The proposed convention amplifies the existing threats to the LGBTQ+ community, journalists, activists and minority religious groups among others. It endorses a framework where nations can surveil benign activities such as simply sharing LGBTQ+ content, potentially intensifying the already-precarious situation for this community in many regions.

The following examples illustrate how transnational repression is already being practiced by various governments, highlighting the urgent need for a narrow scope and robust safeguards in the Convention.

Examples of Transnational Repression Documented by Human Rights Watch's Report “We Will Find You” A Global Look at How Governments Repress Nationals Abroad:

Country	Description
China	The Chinese government has been implicated in targeting political dissidents abroad through online harassment and defamation campaigns. These tactics aim to silence criticism and control the narrative internationally.
Turkey	Documented instances of Turkey misusing INTERPOL’s Red Notice system to target political opponents abroad. This misuse extends to other multilateral tools, increasing the risk of transnational repression.
Rwanda	Authorities targeted thousands of activists, journalists, and politicians using NSO Group’s Pegasus spyware. This surveillance extends to those living abroad, creating a pervasive sense of fear and threat among the diaspora.
Saudi Arabia	Government agents infiltrated Twitter to spy on dissidents. Similarly, Saudi authorities have been known to use other platforms to gather information on critics, exacerbating the risks faced by activists both domestically and internationally.
Ethiopia	Surveillance follows political refugees abroad, with Ethiopian authorities using commercial spyware to target family members of dissidents living in the UK, thereby exerting pressure on the individuals in exile.

Examples of Arbitrary, Illegitimate and Disproportionate Laws that Could Trigger Surveillance and International Cooperation

Country	Description
Russia	Following the 2023 Supreme Court decision designating the “international LGBT movement” as extremist, arbitrary prosecutions for activities such as displaying the rainbow flag or wearing rainbow-colored accessories have occurred, with penalties up to four years in prison for repeat offenses. Under Article 35’s provisions, Russia could request other countries to surveil and track LGBTQ+ individuals in real time, treating their expressions of identity as serious crimes.
Egypt	In 2017, during a concert where attendees waved rainbow flags, numerous individuals were arrested, with some sentenced to six years in prison for "debauchery" and "inciting debauchery." Cybercrime Law No. 175/2018 contains broad provisions to silence dissent and target LGBTQ+ individuals. Articles 25 and 26 have been used to prosecute "violations of family values," and other forms of online expression.
Thailand	It is a crime of lèse-majesté to defame, insult, or threaten members of the royal family, carrying a maximum penalty of 15 years in prison. This law has been used to target activists. Thailand could request assistance from its allies to track down and intercept communications of their nationals criticizing the monarch, even while traveling or living abroad.
Jordan	The pre-existing cybercrime law has been used against LGBTQ+ people, and the new Cybercrime Law of 2023 expands its capacity to do so. With overly broad and vaguely defined terms, this law will severely restrict individual human rights and will become a tool for prosecuting innocent individuals for their online speech.
Saudi Arabia	Between 2011 and 2015, at least 39 individuals were jailed under the pretense of counterterrorism for expressing themselves online. Authorities have used the 2007 Anti-Cyber Crime Law to criminalize online content and activity that is considered to impinge on “public order, religious values, public morals, and privacy.”
Tunisia	Decree-Law No. 54 (2022) has been used to prosecute media and individuals for "false news," information that harms “public security,” and opposition to government policies, mandating a five-year prison sentence. The first criminal investigation saw the arrest of student Ahmed Hamada for reporting on law enforcement clashes. In the year since Decree-Law 54 was enacted, authorities in Tunisia have prosecuted media outlets.
United Arab Emirates	Federal Decree Law No. 34 of 2021 replaces an older law used to stifle dissent, such as sentencing human rights defender Ahmed Mansoor to 10 years in prison. Article 22 mandates prison sentences for sharing unauthorized information online, further restricting the already heavily-monitored online space and making it harder for ordinary citizens, as well as journalists and activists, to share information.

The inclusion of these examples underscores the importance of ensuring that the UN Cybercrime Convention incorporates robust human rights safeguards to prevent its misuse as a tool for transnational repression. The international community must prioritize the protection of fundamental rights and freedoms in the drafting and implementation of this Convention.