UN cybercrime convention: the "result of rocky negotiations"

The UN convention against cybercrime was approved by consensus in August 2024, two and a half years after negotiations began. What kind of a milestone does this represent?

Irene Grohsmann (IG): For the first time, a convention on cybercrime has been agreed on at the UN level. The fact that consensus was ultimately reached is a victory for multilateralism.

Sara Pangrazzi (SP): It's all the more impressive when you look at how far apart the positions were at the outset. It took quite a while just to conclude the exploratory talks and before it was even possible to get into the substance. Standpoints differed right up to the end. So the outcome is a hard-won compromise that had to accommodate a range of views and, in some cases, even disparate legal systems.

What does the convention, as negotiated, cover?

Andrea Candrian (AC): The convention has three main thrusts. First, it addresses criminalisation by member states. Second, it deals with procedural issues, i.e. national measures that states intend to take to combat cybercrime and other offences. The third thrust concerns international cooperation, i.e. the ways in which member states join forces to fight cybercrime. 

In 2019, Switzerland did not support the resolution to launch negotiations on a UN cybercrime convention. What was behind this scepticism?

IG: There was concern that a UN convention might undermine the existing level of protection. You see, there's already an international cybercrime agreement: the Council of Europe's Budapest Convention, which Switzerland had ratified. It wasn't clear whether the UN would be able to set standards comparable to those of the Council of Europe's regional convention.

Why did Switzerland get involved after all when the negotiations began in 2022?

IG: For the Swiss delegation, one thing was clear: if negotiations at the UN level were to actually begin, we would take part. Otherwise, we wouldn't be able to put forward our views or ensure that elements important to Switzerland were incorporated. After all, this is a UN convention. Moreover, as an active member of the UN, Switzerland strives to help shape multilateral processes and support them wherever possible.

Would you say that having joined the negotiations was worth it?

AC: Absolutely. The existing Council of Europe Convention on Cybercrime, also known as the Budapest Convention, has almost 80 member states. Over 120 countries worldwide have at least looked to this Convention for guidance when adapting or revising their cybercrime-related legislation. However, it is and will always remain a Council of Europe agreement. Having a convention at the UN level, in contrast, establishes an opportunity to find further partners in the fight against cybercrime - and this on a basis that enshrines procedural guarantees and protective mechanisms in favour of human rights.

What were Switzerland's main objectives at the start of the negotiations – and to what extent were they achieved?

IG: For our delegation, it was crucial for the convention's scope to be clearly defined and for it to include a clear list of offences covering cybercrime in the stricter sense. We also placed particular emphasis on the human rights safeguards and on establishing firm grounds where Switzerland would have the right to refuse to cooperate, so that the limits of the Swiss legal system are respected.

Where did the disagreements about the term "cybercrime" lie when the negotiations were starting?

IG: Well cybercrime can generally be either cyber-enabled or cyber-dependent. The Swiss delegation worked to ensure that the convention focuses as much as possible on cyber-dependent offences (so called "core cybercrime"), such as hacking, which can only be committed using information and communications technologies (ICT). Cyber-enabled crimes, on the other hand (i.e. crimes that may or may not have a cyber component), are generally committed in the real world, but facilitated by ICT. Such an understanding of cybercrime would therefore go much further. It could, for example, also include the planning of a terrorist attack using mobile phones.

That would result in such attacks being considered cybercrimes.

IG: Exactly. Various states wanted to use this much broader concept of cybercrime in the convention. In this context, genocide and the dissemination of Nazi ideology were also proposed as offences. For us, that would have been going too far. The final text, however, is now primarily confined to cyber-dependent offences. Only the protection of children from online sexual exploitation, which is de facto a cyber-enabled offence, was included in the convention. And we view that positively. 

What were the red lines for the Swiss delegation?

AC: A red line would have been if the UN convention were to include obligations to create criminal provisions that are essentially based on ideological views or if "coming together for a purpose" were to be criminalised as an offence that threatens the security of the state. Such a scenario would create a high risk of far-reaching restrictions on fundamental rights being put in place under the guise of the new UN convention.

SP: It was also crucial to the Swiss delegation that every law enforcement measure be accompanied by specific standards of protection that must be observed both nationally and when cooperating at international level. There were also discussions during the negotiations about softening the territoriality principle, i.e. the understanding of territorial connection, given that the internet functions across borders. But the final consensus was to uphold state sovereignty. This is important for the concept of international mutual legal assistance, which continues to be based on "state" entities cooperating with other states, which can assess and take into account their own national standards. From the point of view of the Swiss delegation, it would not have been acceptable for Switzerland to have had to fall short of our own applicable legal procedural principles and safeguards in the context of law enforcement measures. 

When it comes to cyber matters, it is crucial for Switzerland that the human rights that apply offline are also respected online. So would the UN convention ensure this?

AC: Yes. We now have a draft treaty before us that allows Switzerland and the authorities providing mutual legal assistance to refuse to cooperate with other states if fundamental rights, including the protection of human rights, could be jeopardised as a result.

SP: The articles setting out safeguards, e.g., the specific provisions on human rights and grounds for refusal to cooperate, remained a bone of contention throughout the negotiation process. Until the end, some negotiating states were even completely opposed to including such provisions or wanted to significantly weaken them. The fact that the safeguards are now included in the convention is the result of rocky negotiations.

Various NGOs have criticised the fact that "thanks" to the convention, it will be easier to monitor communications between private individuals and that protecting whistleblowing sources will be more difficult for media professionals. Is this indeed the case?

SP: There is an explicit provision in Article 6 that the convention cannot be used to prosecute persons on the basis of their opinions or beliefs or to suppress other human rights. If other states interpret these rights differently in their legal systems, we also have the protective mechanism of double criminality: cooperation with another state is only possible for us in the case of behaviour that would be subject to criminal prosecution in Switzerland too.

Regarding the criticism that the convention makes it "easier" to monitor communications: the convention hasn't reinvented the wheel here, either. Any prosecution may still only proceed in relation to a specific crime and is subject to clear conditions and, as already mentioned, the applicable safeguard provisions. So it will not be possible to simply "override" nationally applicable procedural rules.

20 years is an eternity in the field of information technology. We've come a long way since the Budapest Convention was adopted. Does the UN convention close any gaps that have opened up as a result of technological developments?

AC: The Budapest Convention may be 23 years old, but it is surprisingly fit for today's purposes. Part of the reason for that is that it largely uses technology-neutral wording and language. It does not get lost in specific IT topics such as spamming or artificial intelligence. Instead, it includes clear provisions on criminalisation, on the states' procedural measures, and cooperation between states. That is why it still works relatively well. So asking which gaps have been closed is perhaps not entirely relevant. Where I really see the UN convention's core added value is in the expansion of the circle of potentially involved partners of member states. That can be helpful for international criminal prosecution and thus for law enforcement.

IG: The technology-neutral wording and language used in the Budapest Convention led to similar formulations being used in the UN convention's list of criminal offences. We see this as a success. 

So where are things going to go from here? Will the draft convention now head back to the General Assembly of the United Nations, which mandated its drafting?

IG: Exactly. On the UN side, the negotiating committee has completed its work and handed it over to the UN General Assembly. The General Assembly will decide whether to formally adopt it in December 2024. The convention would then be open for signature by the individual states.

And what are the next steps in Switzerland?

AC: Switzerland's agreement to the text resulting from the negotiations does not mean that we've already decided whether we'll sign the convention in the end. The federal authorities responsible for this area will analyse the text now available and submit a proposal for further action to the Federal Council.

Moreover, the convention will only enter into force once 40 states have ratified it. Only then can cooperation based on the agreement start. However, Switzerland is one of the countries in which international criminal law based on a convention is not directly applicable. If Switzerland ratifies the convention, a legislative basis will have to be developed. Such a process would include consultations with political stakeholders, associations, parties, and cantons, and a decision by Parliament.