A New Era of Cybercrime Governance: In the early days of the internet, international criminal law lag far behind the technological realities of transnational cybercrime. The adoption of the Budapest Convention on Cybercrime in 2001 marked a watershed moment. For the first time, states committed to a common framework for criminalizing core forms of cybercrime, harmonizing procedural tools, and facilitating international cooperation. But this Eurocentric model, while groundbreaking, has become a geopolitical fault line. In 2024, after years of behind-the-scenes negotiation, the United Nations adopted its own global cybercrime treaty—promising inclusivity and updated standards, but raising deep concerns about surveillance, human rights, and the rise of authoritarian cyber-sovereignty.
The Politics of Treaty-Making: Inclusion and Its Discontents
The geopolitical ambitions behind the new UN Convention cannot be ignored. Proposed by Russia and supported early on by China, the treaty was positioned as an inclusive alternative to the Budapest Convention, which both states refused to join. At stake was more than procedural efficiency; it was about control over the normative architecture of cyberspace. The move reflects a broader realignment in international law: an assertion of sovereignty against perceived Western legal hegemony, and an effort to reshape the global legal order from within the very institutions that were once its critics.
While this expansion of participation may appear as democratization, it carries a heavy cost. The coalition of states championing the treaty includes some of the world’s most repressive regimes, known for their instrumental use of cybercrime laws to criminalize dissent, restrict free expression, and surveil civil society. Embedding their perspectives into the international legal fabric risks normalizing practices that liberal democracies have long contested. It is not merely a question of who joins the conversation—but of who defines its terms.
Substantive Scope: Crime Control or Rights Erosion?
The substantive provisions of the new convention appear, at first glance, uncontroversial. Unlawful access, data interference, malware distribution, online fraud, and exploitation-related offenses are all well-known categories. But their definitions, and the absence of meaningful exemptions for public interest activities, reveal the real tension. Ethical hackers, cybersecurity researchers, and whistleblowers—essential actors in digital accountability—may find their work reframed as criminal conduct. Where the Budapest Convention carved out room for rights-based considerations, the UN treaty leaves troubling ambiguity.
Of particular concern is the criminalization of unauthorized access “without right,” a formulation so vague it could capture everything from accessing publicly available data to probing for vulnerabilities in the public interest. The lack of safe harbor provisions or research exceptions suggests a drift toward criminalizing knowledge rather than intent. Combined with provisions outlawing the possession or dissemination of dual-use tools, the result is a chilling effect on security innovation.
Procedural Authority and Surveillance Mechanisms
Even more controversial are the treaty’s procedural components. States are empowered to authorize real-time interception of telecommunications data, compel third parties to assist law enforcement, and engage in cross-border data requests. While such powers may be defensible in tightly controlled legal systems with strong judicial oversight, their internationalization without binding safeguards poses immense risks.
The specter of mass surveillance looms large. Articles enabling the retention of telecommunications metadata and the real-time capture of user communications grant expansive power to governments—some of which have no tradition of privacy protection or due process. Without clear limitation principles, proportionality standards, or independent review mechanisms, these tools become blunt instruments for political control.
Human Rights as Decorative Constraint
The treaty references human rights, but does so with a conspicuous lack of normative depth. Article 6 asserts the primacy of international law and rights protections, yet offers no enforcement mechanism to resolve conflicts between data-sharing obligations and human rights concerns. The practical result is a lowest-common-denominator approach in which states may cite national security to justify almost any action—leaving victims of overreach with no effective remedy.
Critics, including the UN Special Rapporteur on the right to privacy, the Electronic Frontier Foundation, and dozens of civil society organizations, have warned that the treaty opens the door to abuses under the veneer of legality. The failure to include binding limitations on cooperation with authoritarian regimes, or to require human rights impact assessments, reflects either political naivety or a deliberate strategic omission. In either case, the cost is the erosion of normative clarity.
Strategic Implications for Liberal Democracies
For democratic states, the treaty poses a paradox. On the one hand, it offers a much-needed platform for global cooperation in combating cybercrime, especially with regard to cross-border evidence collection and mutual legal assistance. On the other, it threatens to entangle liberal legal systems in a web of obligations that may contradict their own constitutional norms.
The risk is not theoretical. Under the treaty’s provisions, democracies may be compelled to respond to evidence requests from regimes that criminalize dissent. They may be asked to extradite individuals for acts protected under their own laws—such as investigative journalism, whistleblowing, or encryption research. The result could be not only moral complicity, but legal fragmentation and political backlash at home.
Moreover, the treaty’s expansive reach undermines existing jurisprudence in Europe, where courts have repeatedly rejected indiscriminate data retention as incompatible with fundamental rights. If international law now mandates precisely what constitutional courts prohibit, national legal systems will be forced to choose between treaty compliance and civil liberty—an untenable position that may destabilize the rule of law itself.
The Future of Digital Sovereignty
At a deeper level, the treaty reflects the growing tension between competing visions of digital sovereignty. For some states, sovereignty means defending privacy, decentralization, and the rule of law in a transnational context. For others, it means asserting full control over digital infrastructure, content, and access. The UN treaty accommodates both, but at the cost of coherence. Its ambiguity is not a compromise, but a concession to power.
As the global order fractures into overlapping and conflicting regimes—Budapest versus the UN, liberal versus authoritarian—cyberspace becomes a contested terrain not only of infrastructure and intelligence, but of legality itself. The very idea of a universal digital public sphere is at risk.
A Call for Strategic Legal Realism
The adoption of the UN Cybercrime Convention is not the end of the story, but its beginning. Ratification, implementation, and interpretation will determine whether the treaty is used to promote justice or to shield oppression. Lawyers, lawmakers, and technologists in liberal democracies must now prepare for a new era of legal resistance—not in the streets, but in the courts, the legislatures, and the treaty bodies that define the rules of global digital conduct.
To protect digital rights in this emerging landscape, it is not enough to oppose bad laws. We must build robust doctrines of legal interpretation, insist on transparency in treaty enforcement, and forge new alliances across borders to defend the principles we claim to uphold. The future of cyberspace will be written in legal code—but also in political will.
Our law firm specialises in criminal defence, white-collar crime and IT law / technology law. Note our activity in digital evidence in IT security and software law.
- Liability of Companies in Phishing and CEO Fraud Incidents - 13. May 2025
- Domain Law in Germany - 10. May 2025
- Art Law in Germany - 10. May 2025