UN’s Cybercrime Convention Draft: A Slippery Slope for LGBTQ+ and Gender Rights

This post is divided into two parts. Part I looks at the draft UN’s Cybercrime Convention and its potential implications for LGBTQ+ rights. Part II provides a closer look at how cybercrime laws might specifically impact the LGBTQ+ community and activists in the Middle East and North Africa (MENA) region.

EFF has consistently voiced concerns over the misuse of cybercrime laws across the globe, and particularly their impact on marginalized and vulnerable communities—notably LGBTQ+ individuals. These laws, often marked by their broad scope and vague wording, have also been weaponized against security researchers, artists, journalists, and human rights defenders.

And as nations continue to engage in negotiations regarding the polarizing UN Cybercrime Convention draft, they bear a significant responsibility to ensure that the misuse of these expanded surveillance powers isn’t legitimized under the UN’s watch. The draft Convention could redefine cross border surveillance laws across the world. Without changes, it  could potentially legitimize sweeping investigative and prosecutorial powers to investigate crimes that fundamentally violate human rights (both domestically and internationally).

Article 5 on Human Rights Must be Strengthened

So far, it’s looking bleak for human rights. A proposed amendment championed by Uruguay and backed by 50 nations aimed at bolstering human rights in Article 5 with gender mainstreaming (see minutes 01:15) met strong opposition. Nations like Malaysia, Russia, Syria, Nigeria, and Senegal directly opposed it. Meanwhile, countries like China, Saudi Arabia, Egypt, Iraq chose to back Article 5 as written in the zero draft, which fails to recognize gender mainstreaming. 

And nothing changed in subsequent behind the scenes negotiating sessions aimed at ironing out the amendments to this article—the co-chairs Australia and Jamaica opted to stick to Article 5 of the zero draft. The outcomes of these secret informal deliberations were later presented in the main session. Uruguay’s response was clear (see minutes 01:16): Integrating this language [gender, vulnerable groups and rule of law safeguards] isn’t a threat nor imposition; it accurately mirrors contemporary realities, ensuring the Convention is up-to-date and aligned with current realities.

In contrast, the Preamble, Article 1 and 55 of the UN Charter support gender equality, and subsequent international instruments like the Convention on the Elimination of All Forms of Discrimination Against Women (CEDAW) further obligate states to actively combat all forms of gender discrimination and advance gender equality. And the most recent UN General Assembly Resolution (A/RES/77/211) on privacy in the digital age recognizes the right to privacy as a way to prevent gender-based violence and encourages all relevant stakeholders to mainstream a gender perspective in the development and adoption of digital technologies. As Derechos Digitales and APC told the UN, “it is essential that international instruments mainstream gender to ensure that norms contribute to the fulfillment of human rights and gender equality.” AlSur echoed this recommendation “to address the specific needs of people of diverse sexual orientations and gender expressions.”

Tighten the Loopholes in the International Cooperation Chapter (Article 3 and 35)

At the end of the treaty negotiating session in August, Canada affirmed (see minutes 01:01) that the convention’s scope allows each country to define what constitutes a “crime” or “serious crime” on its own terms, potentially leading to overly broad definitions that can be abused. Canada’s concerns about the treaty ring especially true when examining real-life cases. Take, for instance Human Rights Watch case of Yamen, a young gay man from Jordan. Yamen, after being victimized online, turned to his country’s authorities, expecting justice. Yet, under the very cybercrime law he sought protection from, he found himself accused and sentenced for “online prostitution.”

The expansive scope of the Treaty, as highlighted in the “zero draft” and later set of amendments, presents a significant flaw. The chapter on domestic surveillance in the draft endorses evidence gathering with very intrusive surveillance measures for a wide array of criminal offenses. And the draft’s “cross-spying assistance” provision gives countries an unsettling degree of freedom, enabling them to cooperate based on their national criminal laws when gathering e-evidence for crimes punishable by more than three years. 

In a nutshell, the draft text enables countries to assist each other in spying, but does so based so on each country criminal law rather than a limited set of core cybercrimes as defined by the Convention. This means that the country requesting the assistance can individually determine what they label as “crimes” and subsequently request another country to assist in deploying its sweeping surveillance measures to collect evidence for most crimes. Such a structure inadvertently greenlights nations to share surveillance data on actions or behaviors that might be intrinsically protected under international human rights law. For instance, in some countries where LGBTQ+ online expressions, including sharing content deemed “immoral” are wrongly criminalized, the draft treaty provisions could be misused to further enable domestic surveillance tools targeting these communities.

The international cooperation chapter has another central problem. Its scope is overly dependent on the severity of penalties—specifically, three or four years of imprisonment—as the primary metric for allowing one country to request assistance from another in surveillance efforts. Numerous laws criminalizing LGBTQ+ individuals merely for their identity, or for content deemed “immoral,” often carry penalties that are four years or more and are wrongfully considered “serious crimes.” This poses a substantial threat, especially when such criteria can dictate international collaboration and surveillance. 

In some jurisdictions, acts classified as misdemeanors could be perceived as grave crimes elsewhere, introducing a disparity in surveillance levels for potentially minor offenses. Such a system risks abuse, with authorities incentivized to charge suspects with graver offenses. 

Refining the proposed treaty to focus exclusively on core cybercrimes, as explicitly detailed within, isn’t merely a constructive approach—it might be the only route to secure approval from multiple national parliaments. This is way, Human Rights Watch, ARTICLE 19, EFF, and many others have called for the proposed convention to explicitly rule out provisions for domestic surveillance and cross-border cooperation concerning non-core cybercrimes, ensuring that nations don’t offer a legal foundation under the UN to legitimize collaboration for gathering evidence for investigation of these arbitrary offenses—many of which are not inherently criminal conduct.

The broad parameters of the draft Treaty may inadvertently provide a veneer of international legitimacy for states pursuing surveillance and prosecution rooted in restrictive moral or cultural norms. In regions where discriminatory practices target LGBTQ+ individuals and expressions, the draft Treaty’s current domestic and cross-border mandates—lacking robust human rights safeguards—might empower a nation’s authorities to gather evidence, not just for genuine criminal activity, but also for acts that are mere expressions of one’s gender identity, sexual orientation, or beliefs.

Imagine a nation assisting another spy on LGTBQ+ individual’s internet use, discerning out what websites they visit. They intercept personal conversations in real time. And, they even track where this LGBTQ+ individual goes around their city. If authorities in certain countries disproportionately target LGBTQ+ individuals, surveilling them merely for expressing their authentic identities—because such expressions are wrongly categorized as  “serious crimes” with penalties of over three years in prison—it glaringly exposes a deep-rooted injustice and raises profound concerns. This isn’t just about invading someone’s privacy. It’s about using intrusive technology to deeply and unfairly discriminate against LGBTQ+ people, putting their safety and freedom at severe risk.

Indeed, this is not an abstract concern but a reality that we’ve seen play out repeatedly in various countries. For instance, the Human Rights Watch 2022 World Report, alongside Derechos Digitales’ findings on cybercrimes laws used against LGBTQ+ communities, provides evidence that vague cybercrime laws are frequently used to muzzle dissent, with marginalized groups like women and LGBTQIA+ most affected.

Domestic surveillance laws and indiscriminate personal data sharing exacerbate the negative impact of such tools when in the hands of state authorities. They are frequently manipulated to amass “evidence”—not just for prosecuting individuals on the grounds of engaging in same-sex relationships, but also for invoking archaic and suppressive “morality clauses.” This unnerving synergy doesn’t merely facilitate hostility; it amplifies the risks for the LGBTQ+ community and supporting activists. Succumbing to these concessions in any international convention would be devastating, and would mark a perilous setback for human rights. 

Accepting a broader scope would be nothing short of catastrophic—especially for already vulnerable LGBTQ+ communities worldwide. 

In addition, the draft UN Cybercrime Convention must have:

• A focused scope of the treaty that is limited to genuine core cybercrimes without overreach, and to “specific” criminal investigations and proceedings. 
• Integrate gender mainstreaming and protection of vulnerable populations to ensure that the draft treaty recognizes and protects the rights of diverse gender identities and expressions. 
• Include robust operational safeguards, including transparency obligations, notification to third countries, ability from companies to notify users, minimum data protection safeguards, and independent oversight, and it is applicable to the international cooperation chapter.
• Delete highly intrusive surveillance powers if they do not have corresponding robust safeguards like real-time collection of traffic data and interception of content of communication.
• Eliminate Article 28.4, which mandates Parties to implement laws or measures that compel individuals with knowledge about a specific computer or device to provide information essential for searching that computer or device. This provision is fundamentally flawed and cannot be rectified, not even with safeguards in place.
• A focused scope of the international cooperation chapter, narrowed solely to core cybercrimes as specified by the Convention, rather than invoking powers based on the number of years of imprisonment as penalties.
• Incorporate grounds of refusal for political offenses in Article 40 and encourage also incorporating grounds for refusal where a request would likely prejudice, inter alia, “the protection of human rights or fundamental freedoms.
• Incorporate and strengthen grounds for refusal in 40(c)(ter) against discriminatory prosecution or punishment. Align the language of Articles 40(c)(ter) and 37(15) with non-discrimination standards under international human rights law, ensuring protection for vulnerable individuals or groups
• Refine and narrow the scope of Article 47 to ensure that data sharing is specific to criminal investigations, and explicitly exclude sharing of personal data like biometric, traffic, and location data unless accompanied by rigorous data protection and privacy safeguards. Any sharing should be proportionate, relevant, and tied to specific investigations to prevent potential abuse of shared databases and AI training datasets.
• Mandate dual criminality, ensuring it’s not left as an optional provision.
• Clear and narrowly precise language throughout the treaty that leaves no room for misinterpretation or misuse. 

Our second post will map out the recent cybercrime laws in the MENA region vis-a-vis the standards set under the proposed UN Cybercrime Treaty. Stay tuned.