Cybersecurity researchers could face criminal charges for performing their legitimate work if the United Nations Convention against Cybercrime is ratified in a process beginning in Hanoi, Vietnam, this weekend, critics say.

Tech industry group Cybersecurity Tech Accord said today that little has changed since it presented a detailed critique of the UN Convention against Cybercrime more than a year ago.

The group, comprising tech heavyweights Arm, Cisco, Cloudflare, Dell, Meta, Microsoft, Salesforce, SAP, and over 100 others, warned that the convention opens the door to criminalization of legitimate online activities and makes fighting cybercrime more difficult.

The Accord said the Convention had an unclear and overly broad scope, vague criminalization provisions, missing protections for cybersecurity researchers, unnecessarily expansive data access provisions, and intrusive surveillance powers with no meaningful safeguards to protect individuals and victims of cybercrime from arbitrary abuse of executive authority. “As a result,” it said, “the latest draft reads more like a UN digital surveillance treaty than a targeted instrument to fight cybercrime.”

Consequently, it urged UN member-states not to ratify the Convention when the process begins this weekend.

Security researchers at risk

Human Rights Watch, an organization that investigates and reports on abuses worldwide, is also opposed to the Convention. In a post shortly after the UN adopted the Convention, it said that the treaty extends far beyond cybercrime to require states to establish “broad electronic surveillance powers” without adequate human rights safeguards.

“The convention will obligate governments to collect electronic evidence and share it with foreign authorities for any ‘serious crime,’ defined as an offense punishable by at least four years of imprisonment under domestic law,” wrote Deborah Brown, Deputy Director, Technology, Rights & Investigations, noting that many governments treat activities such as investigative journalism and the ordinary activities of security researchers as criminal offenses.

The Human Rights Research Center is one of numerous other groups warning against the Convention. “The poor drafting of the UN Cybercrime Treaty demonstrates that a minimum threshold for activities constituting a cybercrime has not been established, illustrating a problematic line that Member States need to walk in upholding national and international justice,” it warned in a March 2025 post.

However, Valence Howden, an advisory fellow at Info-Tech Research Group, said that the Convention had improved during the drafting process, particularly around the definition of what actions constitute cybercrimes.

“The current text of the agreement focused a lot more on ensuring that the action was taken with the intent to be malicious, so I see a lot of value in this moving forward,” he said. “I don’t believe it’s perfect, and we may need a bit more explicit protection for individuals who aren’t doing things with malicious intent. However, I believe the urge to make it hyper-specific will also allow nitpicking that will work to prevent this from moving forward at all. That approach favors the powerful companies and protects potential criminality on their part in accessing and leveraging data for AI.”

But, he added, “We need to see and understand the signatories and understand how they implement, because there is flexibility (read as vagueness) in the treaty. Much like global standards, it has to allow for flexibility to account for the variable approaches of different countries and regions. I suspect the debate that it’s driven by is beneficial as well.”

David Shipley, CEO of Beauceron Security, also applauded facets of the Convention.

“The good news here is that after five long years of negotiation, certain basics like making sure countries that sign on and ratify this treaty all have criminal laws on the books for various digital crimes consistently is a huge win,” he said, recalling a case he assisted in where the perpetrator of a series of non-consensual intimate image distributions fled the country to a region where the act was not considered a crime.

“In this scenario, if this convention was in effect, if the country the suspect had fled to had signed on, they would have been required to treat what happened as a crime and hopefully would have cooperated in the investigation and prosecution of the perpetrator,” he said. “And the victim may have had some measure of justice. Instead, they were left only with the trauma of what happened to them.”

He is pleased that the European Union has decided to support the treaty, since it takes cybercrime seriously while still protecting the fundamental privacy and human rights of its citizens. However, he noted, “I think the key here is to remember each member state has to not just sign on, but has to ratify this treaty in their government and pass or amend laws as required. This is going to take quite some time. As well, nothing in this treaty compromises the judicial or policing processes, so if an authoritarian regime attempts to abuse this convention, western liberal democracies with strong foundations in the rule of law will have checks and balances.”

Better Budapest than Hanoi?

However, the Cybersecurity Tech Accord’s Nick Ashton-Hart, who headed the group’s delegation to the UN committee creating the treaty, said that rather than implementing the Convention against Cybercrime, UN member states should look to another agreement: the Council of Europe’s Budapest Convention. It, he said, “is a much better agreement that is already in force with a critical mass of member-states as parties, a growing list of states who want to join it, a proven track record, and extensive guidance in how to address the Convention in a rights respecting way.”

He added, “I expect that the private sector will continue to focus its efforts on capacity building and technical assistance for Budapest and won’t prioritize the UN Convention – unless the protocol negotiations [described in Articles 61 and 62 of the Convention] address its problems.”

Despite these problems, Shipley thinks that the industry should now focus on proper implementation of the Convention.

“I understand the concerns that the cybersecurity industry has raised,” he said. “They’re not at the idea of greater cooperation in taking down gangs. They’re aimed at the convention’s ambiguous language around unauthorized access and the potential for security researchers to be caught in the crosshairs for doing ethical research. But that ship has sailed and we’d be better off ensuring the application of the convention within states that choose to sign on does include robust protections for security research.”

The Convention will come into force 90 days after it has been ratified by 40 member states or regional economic integration organizations; the ratification process extends until December 31, 2026.
