Should We Celebrate the UN Convention against Cybercrime? Lessons from the UN Convention against Transnational Crime

[Dr Marika McAdam is an independent international law and policy advisor who works globally on human rights-based criminal justice responses to organized crime and other issues]

As the United Nations Convention against Cybercrime opened for signature last month, one would like to imagine cybercriminals pulling their computers from their sockets, anxious about their doors being kicked down when that instrument enters into force. But lessons learnt from earlier international law suggest that they may have little to fear.

The year that the Cybercrime Convention opens for signature also marks the 25^th anniversary of the United Nations Convention against Transnational Organized Crime (UNTOC). These two instruments are intimately related, cybercrime being an evolving form of transnational crime that poses challenges that were unanticipated by the drafters of that earlier instrument. Reviews are mixed as to whether the UNTOC has effectively fulfilled its purpose or fallen short of it. The time spent trying to decide has yielded many lessons the Cybercrime Convention can learn from as it embarks on its own journey towards implementation. Here are three.

Firstly, without State consensus on what the problem is, it is difficult for States to cooperate to address it. The wordy sub-title of the Cybercrime Convention is “Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes.” In short, it is an instrument to promote international cooperation. Similarly, the primary purpose of the UNTOC is to promote transnational cooperation against transnational organized crime. And yet, one of the most challenging aspects of implementing the UNTOC and its supplementary protocols is the disparity of State understanding of the crimes at issue. This is true even though those instruments achieved universal definitions of an organized crime group and particular forms of organized crime, resulting in widespread harmonization of legal frameworks. Yet the ambiguity and malleability of these definitions are nonetheless revealed in efforts to interpret and apply them domestically.

The Cybercrime Convention does not define cybercrime, raising questions about whether the ‘certain crimes’ referred to in its title will be understood broadly or narrowly. Indeed, negotiations of the Cybercrime Convention stalled over questions of what activities should – and critically, should not – be considered cybercrimes. The key risk of course is that cybercrime legislation can be used as an instrument to repress rather than protect, depending on what activities a State deems to be criminal. In blunt terms, what one State may consider to be permissible actions against cybercrime, another State may consider to be unacceptable actions that repress human rights. The key lesson for the Cybercrime Convention is that States parties must be able to cooperate in addressing common problems, even where they cannot arrive at a common description of what those problems are. And they also must be clear on their conditions for cooperating or not.

Secondly, the ‘legally binding’ language of international law is powerful for advocacy, but less useful for action in the absence of an effective system to monitor implementation. The approach taken to the UNTOC review mechanism is for States parties to undertake a self-assessment as a basis on which to be then reviewed by their peers. Yet States have little capacity or commitment to measure their own compliance, let alone that of another State, to say nothing of the political dynamics at play. As of September 2025, only 1% of reviews have been completed. Whether States will take any action on the basis of whatever reviews may emerge in the future poses another layer of questions about what mandatory obligations mean in practical terms. If a goal for the Cybercrime Convention is to achieve more timely and meaningful insights on implementation, then the key lesson here is to take a different approach than has been taken for reviewing the implementation of the UNTOC.  

Thirdly, international law offers tools, not silver bullets. The Cybercrime Convention, like the UNTOC, gives criminal justice practitioners a framework for cooperating on common challenges. Whether or not States will actually cooperate on the basis of that framework, and to what end, does not wholly depend on how well States domesticate their laws and institutional mechanisms in line with what is set out in this new international law. More than two decades of effort to support States to implement the UNTOC and its Protocols reveal that it is possible to enact domestic laws that accord with international law, without the issues the law was enacted to address being meaningfully acted on as a result. Explained in other words, it is true that States have taken steps to implement the cooperative frameworks at the regional and domestic level in line with the UNTOC. But it is also true that transnational crime is flourishing and international cooperation has not kept pace with it. Ultimately, then, whether States will use the tools in the Cybercrime Convention to cooperate depends almost entirely on whether or not they want to.

The fact that the signing ceremony was hosted in Viet Nam is significant. In the days after commitments to combat cybercrime were being made in Viet Nam, the 2025 ASEAN Summit kicked off in nearby Kuala Lumpur. Southeast Asia is a recognized hot bed of cybercrime that is fuelled by and fuelling a host of other serious crime types that victimize people both within and far beyond Southeast Asia. That region is home to a large-scale cyber-scamming industry involving hundreds of thousands of people being trafficked into scamming compounds, yielding trillions of dollars of illicit profits for powerful criminal actors laundered through real estate and cryptocurrencies. That some of the States that have expressed their commitment to combating cybercrime are at the same time enabling and profiting from it is a reminder that commitment alone is no measure of what the Convention will achieve. These realities also signify that the Cybercrime Convention does not stand alone but depends on the simultaneous implementation of the UNTOC and the Convention against Corruption, among other complementary instruments.

Whether the Cybercrime Convention – forever now the Hanoi Convention – will come to be seen as a solid structure on which an effective global response was built or as mere ‘nonsense on stilts’, will depend on whether the gap between commitments and actions closes or continues to widen. In reality, both outcomes will likely eventuate. In the same way, it is impossible to say definitively whether technology is a force for good or for evil, the Cybercrime Convention will not either move mountains or miss the mark. As with the UNTOC, implementation of the Cybercrime Convention can mean proactive steps to leverage a legal basis for cooperation, or endless meetings that distract from and delay actual action. And also like the UNTOC, it is possible that States parties will use the Cybercrime Convention to effectively target criminals, or misuse it to harm human rights.

The negotiations of the Cybercrime Convention were marked by deep ideological and geopolitical divisions between States advocating for stronger human rights safeguards on the one hand, and those advocating for stronger State powers in digital spaces on the other. As with the issues that took up the most time during the negotiations of the UNTOC and Protocol, the final text was not arrived at as a result of consensus being achieved but by compromises being reached. Whether the human rights safeguards included in the Convention will prove sufficient to guard against human rights harms depends on the interpretation and implementation challenges that face every other provision in the Convention. 

For now, at this early point in the history of the Cybercrime Convention, we will achieve more through optimism than scepticism. The realities of our time – which is increasingly spent in cyberspace – require that its adoption be hailed as a victory of multilateralism, its accession be encouraged as both urgent and necessary, and its upcoming entry into force be treated as a cause for cautious celebration.