The UN Cybercrime Convention Could Help & Harm Victims

Uploaded on 2023-08-16 in NEWS-Cybersecurity News, FREE TO VIEW

In 2019, the UN General Assembly voted to establish an Ad Hoc Committee (AHC) to develop a convention on countering the use of Information and Communication Technologies (ICTs) for criminal purposes. The AHC has met twice since January 2022, convening UN member state delegations in Vienna and New York to negotiate the future cybercrime convention.

The mandating resolution expressed concern about the impact of crimes committed in the digital world on the well-being of individuals. Just as cybercrime is borderless, the impacts of cybercrime on the security of vulnerable groups are inexact.

Vulnerable and marginalized groups offline face newfound, rapidly evolving, and ill-defined threats online.

Determining who is vulnerable in cyberspace – and their levels of protection – is an intersectional exercise; however, as the second session of the AHC has shown, it is also a political and culturally-determined one.

Most states agreed that provisions for protecting vulnerable groups are important. However, continued disagreement on defining and protecting vulnerable groups has resulted in tension, particularly in discussions around gender considerations, combatting child sexual abuse materials (‘CSAM’) and victim and witness protection.

These tensions are the product of divergences in national cultural norms, political values, and existing anti-cybercrime frameworks.

The Vienna Spirit?

In early June, UN member states met in Vienna to share views on three chapters in the future convention (General Provisions, Provisions on Criminalization, and Law Enforcement and Procedural Measures), each of which has direct consequences for the protection of vulnerable groups in cyberspace.

From the get-go, many state and non-state representatives agreed the future treaty needs to include provisions for vulnerable groups and victims, although many states did not make the distinction between the two terms.

Many shared proposals to strengthen international cooperation to counter child sexual abuse material (‘CSAM’) and gender-based violence online; others recommended provisions for improving victim protection.

Why Protecting Vulnerable Groups Is At The Core Of Cybercrime Policymaking

An individual’s social and political identities can expose them to different harms and vulnerabilities. These vulnerabilities are often amplified in cyberspace.

Vulnerability and oppression online – and, conversely, empowerment and privilege – is determined by intersecting identities, including gender, race, sex, sexuality, disability, religion, caste and geography. This is why an intersectional and human-first approach is central to all stages of the anti-cybercrime lifecycle: from policymaking to implementation.

As elaborated in this paper on gender mainstreaming the convention, women and girls are more likely to be victims of the non-consensual sharing of intimate images online, although it is generally unhelpful to synonymize women with victims. Similarly, young men – especially immigrants living in cities – are more likely to experience other forms of cybercrime.

At the national, regional, and international level, there are already several instruments that address cybercrime risks faced by vulnerable groups, like the Council of Europe’s Budapest Convention. However, many instruments fall short of providing adequate protections for vulnerable groups, including the Budapest Convention, which has been criticized for not having stronger safeguards for human rights.

Recognizing shortcomings of current provisions, in July the Law Commission of England and Wales recommended reforms that would make it easier to prosecute sharing non-consensual images and deepfake pornography, crimes which disproportionately affect women.

How Is The AHC Addressing Vulnerable Groups In Cyberspace?

Reflecting interest from states, the AHC chair requested comments on how the future convention should consider gender perspectives. While most states demonstrated an understanding of some gender issues in cybercrime, there was disagreement about whether gender-specific provisions were necessary. Some states - like Armenia -  note that while gender perspectives are a priority, the convention does not need gender-specific provisions.

Recognizing gaps in knowledge about the gendered dimension of cybercrime, Australian and Canadian delegates recommend provisions including appointing a gender adviser and encouraging states to broaden their understanding about gender and cybercrime. Others (notably, the Philippines) push for broadening gender provisions beyond ‘women-specific’ measures, advocating against synonymizing gender with ‘women’, as many states have done so far.

‘Considering gender perspectives’ carries different meanings for different countries. Diverging approaches were demonstrated by discussions on sexual extortion and non-consensual sharing of intimate images. While most agree ‘sextortion’ is a serious issue, delegations disagreed on whether to include or exclude these acts, and why to do so: Jamaica – on behalf of CARICOM – is an advocate for inclusion, whereas EU states cite concerns about the freedom of expression if interpretations about what constitutes these behaviours (and ‘consent’) differs nationally.

Discussions on protecting children in cyberspace and combatting CSAM face similar issues. Despite consensus that children must be protected online, states disagree on what language to use to describe the offence. Terms range from CSAM (a term favoured by Australia, New Zealand, and others) to ‘child pornography’ (the term used in Russia’s proposed text).

Despite consensus that children must be protected online, states disagree on what language to use to describe the offence.

Terminology matters: ‘pornography’ might assume consent, but children – by definition – cannot consent. A ‘child pornography’ provision could have damaging consequences by establishing a higher threshold for criminalization and not covering other exploitative offences, like grooming and harassment.

On the national level, how ‘children’ and ‘protection’ are defined further complicates this issue. Most states agree children are ‘18 and under’, but many EU countries recommend flexibility on ages of consent in accordance with national laws, which compounds existing vulnerabilities if ‘consent’ is already ill-defined.

Marriage laws and cultural expectations around maturity differ between countries (and between boys and girls within countries), which could lead to serious harmonization risks for the future convention.

There is further divergence between states on how to criminalize the access and viewing of child sexual abuse material; while states agree clear ‘intent’ is required, a handful of states argue against criminalizing ‘artistic expressions’ (referring to comics or cartoons), based on their national approaches to freedom of expression.

Strong support among states to include a reference to victim rights and protections is promising. States are willing to borrow language from the UN Convention against Transnational Organized Crime (Articles 24 and 25), which mandates appropriate measures to protect, relocate and compensate victims and witnesses.

States may face definitional issues (a ‘witness’ in cyberspace is more ambiguous than a ‘victim’) but UNTOC appears a productive starting point, demonstrating the merit of adapting language that enjoys international consensus in existing anti-crime frameworks.

Looking Ahead To New York & Beyond

Despite calls from the Secretariat to de-politicize the negotiations, the AHC process - and especially how to define and protect vulnerable groups - has been determined by political, social, and cultural priorities. The next negotiating session in New York may be no different.

States must find a common ground between norms and precedents on gender, protecting children, victims, and witnesses in cyberspace, ensuring that the future treaty (whether narrow or broad) contains adaptable provisions for addressing cyber-dependent and cyber-enabled crimes disproportionately affecting vulnerable groups.

Agreeing to narrow definitions and making explicit reference to vulnerable groups is vital, as is establishing baselines for best practices (with reasonable flexibility in interpretations and implementation). The AHC should welcome experts from diverse disciplinary backgrounds to share national and cultural approaches.

Designing specific, adaptable mechanisms to protect vulnerable groups will be invaluable for the convention’s longevity and efficiency – and contribute to a strong, appropriate cybercrime treaty for all.

Isabella Wilkinson is Research Associate, International Security Programme at Chatham House

Amrit Swali Research Associate, International Security Programme at Chatham House

You Might Also Read:

Online Safety Act Places US  Adults At Risk:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Staying Ahead Of Cyberthreats
How SMEs Can Achieve Cyber Resilience »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Superscript

Superscript

Superscript (formerly Digital Risks) is an insurance broker for small businesses, sole-traders, landlords and high-growth tech firms. Our services include Cyber Liability insurance.

Cyber Future Foundation (CFF)

Cyber Future Foundation (CFF)

CFF was established to create a cyberspace where digital commerce and innovation can thrive based on trust and respect to individual privacy.

TrustArc

TrustArc

TrustArc provide privacy compliance and risk management with integrated technology, consulting and TRUSTe certification solutions – addressing all phases of privacy program management.

VivoSecurity

VivoSecurity

VivoSecurity is a pioneer in cyber risk quantification based on data science. Our products and services help organizations achieve optimal information security and GRC programs.

Cybertonica

Cybertonica

Cybertonica is a FinTech company which detects and prevents fraudulent transactions and reduces risk for financial services organisations.

Innovent Recycling

Innovent Recycling

Innovent Recycling provides a secure IT recycling & data destruction service to all types of organizations across the UK.

Digitpol

Digitpol

Digitpol’s Cyber Crime Investigation experts investigate hacking incidents, ransomware, extortion and conduct security audits and IT upgrades.

Cyber Bytes Foundation

Cyber Bytes Foundation

Cyber Bytes Foundation exists to establish and sustain a unique Cyber Ecosystem to accelerate the development of a strong Cyber workforce and support community outreach programs.

East Midlands Cyber Resilience Centre (EMCRC)

East Midlands Cyber Resilience Centre (EMCRC)

The East Midlands Cyber Resilience Centre is set up to support and help protect businesses across the region against cyber crime.

Stronghold Cyber Security

Stronghold Cyber Security

Stronghold Cyber Security is a consulting company that specializes in NIST 800, the Cybersecurity Framework and the Cybersecurity Maturity Model Certification.

Nine23

Nine23

Nine23 are a highly focused cyber security solutions company that defines, builds and manages innovative services, enabling end-users to use technology securely in today’s workplace.

Cyberani Solutions

Cyberani Solutions

Cyberani Solutions was created to fulfill the cybersecurity needs of industry and government in Saudi Arabia, and across the Middle East and North Africa regions.

xdr.global

xdr.global

Xdr.global is a cybersecurity consulting firm, focused on promoting and aligning Extended Detection and Response (XDR) security solutions.

SquareX

SquareX

Squarex secures your online activities without compromising productivity.

MadWolf Technologies

MadWolf Technologies

MadWolf’s mission is to deliver enterprise-quality managed services and focused applications to organizations operating in the non-profit, association and international development sectors.

ShieldHaus

ShieldHaus

Protect your business from evolving cyber threats with ShieldHaus. Our real-time, AI-powered security solutions block malicious IPs, phishing attempts, and harmful domains to safeguard your systems an