At face value, reading the United Nations Convention against Cybercrime (UNCC or Hanoi Convention) may appear to be an international legal instrument of the highest importance in the digital era and to reflect a noble intent to spark global cooperation in combating cybercrime through the power of law. But in life, and in law, prima facie evidence can often be rebutted. The same happens when we scratch the surface of this new document, which, upon closer examination, comes with certain flaws, which I will discuss below. Nonetheless, it should be recognized that the prosecution and prevention of child sexual abuse online, fraud and extortion taking place in cyberspace, and data hacks—all need proper attention, including the responsibility of international actors and their cooperation in eradicating them. And in fact, as the international community, we already have one international instrument, the Budapest Convention of 2001 on Cybercrime, with 81 State Parties.
The state party behind the UNCC proposal is the Russian Federation, not a typical legal norm entrepreneur in recent years, nor a human rights champion given its involvement in the war against its neighbor and its own pro-democracy dissidents. But what we care about here is not who, but rather the quality of the material law proposed and what is missing. With respect to the latter, the convention allows for more robust surveillance in the name of cybercrime prevention; what is missing is the ability and willingness on the part of the UN to listen to the voices of civil society and other stakeholders (mostly human rights nonprofits) that have raised concerns that, without stronger and more adequate safeguards this document might be used against dissidents, human rights activists, or journalists. The latter, for various reasons, seem to not pay enough attention to the UNCC, hence the general public is largely uninformed about it. One may say, “who would care for a new bad piece of international law anyway?” In fact, one of the largest protests within the European Union was connected to the proposed instrument, the Anti-Counterfeiting Trade Agreement (ACTA) back in 2012, which, at its core, in addition to stricter digital copyright enforcement, encouraged deeper monitoring of internet traffic by law enforcement agencies. After pan-European mass protests, governments’ efforts to push the document forward ceased.
So what about the UNCC?
On October 25th, 2025, in Hanoi, the UNCC was opened for signature by contracting States and will enter into force upon the 40th State ratifying it. As of November 12th, 72 countries, including China, North Korea, Iran, Russia, Venezuela, the United Kingdom, France, Spain, and Poland, have signed it (with the full list available here).
The core purpose of this document is to allow robust cross-border collaboration on cybercrime, but, as human rights nonprofits such as Human Rights Watch, and other civil society stakeholders (including Article 19, the Electronic Frontier Foundation, and the International Press Institute) have warned, it could surpass existing domestic laws on data privacy.
What is at stake:
- States are granted broad digital surveillance powers when they suspect that cybercrime might be committed;
- Each State needs to cooperate with other State signatories (after ratification, in some jurisdictions) even though such cooperation may breach its existing data privacy standards;
- Electronic evidence will be collected and (if needed) shared across jurisdictions.
Human-rights defenders fear that the UNCC’s broad offenses, weak safeguards, and permissive data sharing could be abused to target vulnerable groups.
The document comes with ambiguities in defining cybercrimes and it ultimately opens up the leeway for state parties to use this margin of appreciation for potential illicit acts against those whose rights should be protected, e.g., human rights activists. In the name of preventing cybercrime, activities involving digital civil society could be surveilled and curtailed. The current document (available here) does not include adequate safeguards for noble activities that not-so-noble state actors may label as criminal, which, unsurprisingly, happens frequently in authoritarian regimes and eroding democracies (e.g., as reported by Citizen Lab).
Now what?
Democratic states who are considering signing the UNCC or have already signed it need to issue a memorandum on whether to adhere to or refraining from ratifying the UNCC until further clarity is gained on how this document may hamper digital human rights rather than advance them. If you are in a state that can listen to your voice before it ratifies the Convention, speak up! Hopefully the UK, France, Spain, Poland, and Ireland can hear their people.
To conclude, on a purely personal note: how often we end up having to react ex post, just as in this case, because civil society and the broader public are not listened to enough. The UNCC is a stark reminder that if we hope for a fourth generation of human rights that will enshrine our digital rights, a wide table needs to be set up so that everyone can be included and empowered to be a stakeholder in its development. This is our greatest chance as humanity to act not ex post, but before. Before AI safety conversations fully materialize as true challenges; and some of these challenges are already materializing, as with the replacement of some entry-level jobs by AI progression (as I discussed here). If we do not seize the chance for as inclusive and universal a bill of digital rights as possible, we will wake up to another poorly made treaty with the potential of becoming a malicious tool in the hands of non-democratic regimes.
Works Cited:
United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes (New York, 24 December 2024). United Nations.
Convention on Cybercrime (ETS No. 185, Budapest, 23.XI.2001). Council of Europe.
Citizen Lab. (2018, September 18). Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries – The Citizen Lab. https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/
Joint Statement on the Signing of the UN Convention on Cybercrime | Human Rights Watch. (2025, October 24). https://www.hrw.org/news/2025/10/24/joint-statement-on-the-signing-of-the-un-convention-on-cybercrime
Digital Kallipolis 