UN’s first cybercrime convention sparks concern over data requests

The UN’s Convention against Cybercrime (UNCC), which strengthens international cooperation in combating online crime, was officially signed by 72 countries last month. The legal framework, however, has raised concerns about legally sensitive data requests among tech companies, including those in the identity verification industry.

The UN document is the first global convention focused on preventing cybercrime, including offences ranging from online fraud and financial crimes to drug trafficking and child sexual abuse. It is the first international treaty to recognize the non-consensual dissemination of intimate images as an offence.

More importantly, the convention introduces international standards for the sharing and use of electronic evidence for all “serious offences.”

“Cybercrime is changing the face of organized crime as we know it, and the new UN Cybercrime Convention provides Member States with a vital tool to fight back together,” Ghada Waly, executive director of the UN Office on Drugs and Crime (UNODC), said at the treaty’s signing ceremony in Vietnam on October 25th.

Technology companies, academics and civil society organizations, however, say that the convention is flawed.

Following the signing ceremony in October, identity verification provider Jumio highlighted that the treaty could bring new challenges around compliance for organizations.

“Over-prescriptive compliance requirements may thrust organizations into an unfamiliar position of responsibility for sensitive personal data,” says Joe Kaufmann, Jumio’s global head of privacy and data protection officer.

Other stakeholders are warning of even more dire consequences.

Last year, industry group Cybersecurity Tech Accord, which includes tech companies such as NEC, Microsoft, Meta, Oracle and more, warned that the Convention could result in individuals’ private information shared with global governments, without “legal challenges to problematic requests and without any transparency or accountability mechanisms.”

The text also fails to protect cybersecurity researchers and penetration testers, says the organization.

A coalition of rights groups, including Access Now, Electronic Frontier Foundation and Human Rights Watch, also highlights that the convention could be used by rogue states to go after government critics, whistleblowers and journalists by designating their activity as a “serious offense.”

“It obligates states to establish broad electronic surveillance powers to investigate and cooperate on a wide range of crimes, including those that don’t involve information and communication systems,” the coalition wrote in a statement earlier this year. “It does so without adequate human rights safeguards.”

During the signing ceremony, UNODC’s Waly highlighted that the treaty was shaped over 420 hours of formal negotiations spread out over five years.

Proposed by Russia in 2017 and approved unanimously by the UN General Assembly in 2024, the framework included inputs from more than 150 UN member states. Among the 72 countries that placed their signatures on the treaty in Hanoi in October were the European Union, the UK, China, Russia and Brazil.

Other countries such as India and the U.S. have abstained, with the U.S still reviewing the document, according to Recorded Future.

The future of the UN Convention against Cybercrime will depend on the number of countries that decide to adopt it. The treaty still must be ratified by each state according to its own procedures. It will enter into force 90 days after being ratified by the 40th signatory.

Article Topics

cybersecurity  |  data sharing  |  digital identity  |  identity verification  |  Jumio  |  surveillance  |  United Nations