Over 70 nations have formally signed the new United Nations Convention against Cybercrime in Hanoi, Vietnam, marking the creation of the first global treaty dedicated to combating digital crime. The landmark agreement, adopted by the UN General Assembly in December 2024 after five years of negotiations, is intended to establish a universal framework for investigating and prosecuting a range of online offenses, from sophisticated financial fraud and ransomware attacks to the non-consensual sharing of intimate images.
UN Secretary-General António Guterres hailed the signing as an “important milestone” and a commitment to strengthening collective defences against cybercrime, which is estimated to cost the global economy trillions of dollars annually.
The treaty will enter into force 90 days after it is ratified by at least 40 member states, setting the stage for increased international cooperation on cross-border law enforcement and the sharing of electronic evidence. The framework criminalizes several cyber-dependent and cyber-enabled crimes and establishes a 24/7 cooperation network to streamline mutual legal assistance, a vital tool for governments, especially in the Global South, seeking to enhance their digital defence capabilities.
Despite the visible show of multilateral support, the convention is facing intense criticism from an unusual alliance of human rights organizations and major technology companies. Critics, including Human Rights Watch and the Electronic Frontier Foundation (EFF), warn that the treaty’s broad and vaguely defined scope—which was heavily championed by states like Russia and China—creates significant risks.
They argue that the convention’s language can be exploited by authoritarian governments to expand state surveillance, stifle political dissent, and facilitate the cross-border targeting of journalists and activists. A key concern is that the treaty obligates states to establish broad electronic surveillance powers and compel companies to share data, with safeguards deemed “weak” and insufficient to prevent abuse. Furthermore, the blanket criminalization of unauthorized access to computer systems, a common provision, has been criticized by the tech industry for potentially criminalizing legitimate and vital cybersecurity research that seeks to expose vulnerabilities.
The Cybersecurity Tech Accord, representing over 160 firms, chose not to attend the signing ceremony in protest. Notably, the United States did not sign the treaty, stating it “continues to review” the document, though it supported the final text last year. This non-participation highlights the ongoing division between nations that favor the more rights-respecting framework of the existing Budapest Convention and those who see the new UN treaty as a necessary, universal tool against a rapidly evolving global threat.
