A woman looks at her cell phone in front of the United Nations logo displayed on a computer screen. © 2022 Artur Widak/NurPhoto via AP

Cybercrime—the malicious hacking of computer networks, systems, and data—threatens people’s rights and livelihoods, and governments need to work together to do more to address it. But the cybercrime treaty sitting before the United Nations for adoption, presumably by August 9, could instead facilitate government repression. By expanding government surveillance to investigate crimes, the treaty could create an unprecedented tool for cross-border cooperation in connection with a wide range of offenses, without adequate safeguards to protect people from abuses of power.

It’s no secret that Russia is the driver of this treaty. In its moves to control dissent, the Russian government has in recent years significantly expanded laws and regulations that tighten control over Internet infrastructure, online content, and the privacy of communications. But Russia doesn’t have a monopoly on the abuse of cybercrime laws. Human Rights Watch has documented that many governments have introduced cybercrime laws that extend well beyond addressing malicious attacks on computer systems to target people who disagree with them and undermine the rights to freedom of expression and privacy.

For example, in June 2020, a Philippine court convicted Maria Ressa, the Nobel prize-winning journalist and founder and executive editor of the news website Rappler, of “cyber libel” under its Cybercrime Prevention Act. The government has used the law against journalistscolumnistscritics of the government, and ordinary social media users, including Walden Bello, a prominent progressive social activist, academic, and former congressman.

In Tunisia, authorities have invoked a cybercrime law to detain, charge, or place under investigation journalists, lawyers, students, and other critics for their public statements online or in the media. In Jordan, the authorities have arrested and harassed scores of people who participated in pro-Palestine protests or engaged in online advocacy since October 2023, bringing charges against some of them under a new, widely criticized cybercrimes law. Countries in the Middle East-North Africa region have weaponized laws criminalizing same-sex conduct and used cybercrime laws to prosecute online speech.

The treaty has three main problems: its broad scope, its lack of human-rights safeguards, and the risks it poses to children’s rights.

Instead of limiting the treaty to address crimes committed against computer systems, networks, and data—think hacking or ransomware—the treaty’s title defines cybercrime to include any crime committed by using Information and Communications Technology systems. The negotiators are also poised to agree to the immediate drafting of a protocol to the treaty to address “additional criminal offenses as appropriate.” As a result, when governments pass domestic laws that criminalize any activity that uses the Internet in any way to plan, commit, or carry out a crime, they can point to this treaty’s title and potentially its protocol to justify the enforcement of repressive laws.

In addition to the treaty’s broad definition of cybercrime, it essentially requires governments to surveil people and turn over their data to foreign law enforcement upon request if the requesting government claims they’ve committed any “serious crime” under national law, defined as a crime with a sentence of four years or more. This would include behavior that is protected under international human rights law but that some countries abusively criminalize, like same-sex conduct, criticizing one’s government, investigative reporting, participating in a protest, or being a whistleblower.

In the last year, a Saudi court sentenced a man to death and a second man to 20 years in prison, both for their peaceful expression online, in an escalation of the country’s ever-worsening crackdown on freedom of expression and other basic rights.

This treaty would compel other governments to assist in and become complicit in the prosecution of such “crimes.”

Moreover, the lack of human rights safeguards is disturbing and should worry us all.

With greater surveillance powers should come more robust rules to protect people against abuse. Instead, the current draft treaty defers to domestic law to provide for human-rights safeguards. That means that people are subject to the laws of individual countries, instead of benefitting from key human rights standards under international law—like the principles of necessity and legality, and the need to notify people when they’ve been subject to surveillance so that they can challenge it. Even the standards that could provide some protections are left optional, like requiring an independent court to review and authorize any request for surveillance.

Governments may argue that the treaty leaves room to refuse requests for mutual legal assistance where there are substantial grounds to believe that the request has been made to prosecute or punish a person based on their sex, race, language, religion, nationality, ethnic origin, or political opinions. But the grounds for refusal are entirely discretionary and so become the exception rather than the rule.

Finally, this treaty as it stands could be weaponized against the very people it’s meant to protect. It attempts to address child sexual abuse material, but it could require signatories to criminalize the consensual conduct of children of similar ages in consensual relationships, contrary to guidance by the UN Committee on the Rights of the Child. It would also put at risk the work of human rights organizations that document abuses of children’s rights and that may have access to such material as part of their investigations.

Instead of protecting people from abuses of power, the draft UN Cybercrimes treaty would facilitate transnational repression. All governments that contributed to this treaty have a responsibility to reject any version of this treaty that will undermine human rights and facilitate abuses.