In December 2024, the UN General Assembly adopted the Convention against Cybercrime — the first international criminal-justice treaty in more than two decades.
The document creates a legal mechanism for swifter, more coordinated responses to digital offences. Alongside mutual legal assistance for cross-border investigations, it obliges states parties to criminalise specific acts committed using information and communication technologies.
We examine whether the Hanoi Convention is designed for a real fight against online miscreants — or to tighten the screws in the digital realm.
Substance and aims
The Convention spans 55 pages across 68 articles, intended to serve as a single international legal foundation for combating cybercrime. Its provisions serve three goals: harmonisation, cooperation and protection of vulnerable groups.
The document identifies 11 categories of conduct that all states parties undertake to criminalise in their domestic law.
They include technical acts (unauthorised access to systems, data interception, interference with the operation of an ICT system) as well as broader crimes such as online fraud and the unlawful distribution of sexualised materials.
The Hanoi Convention also seeks to overcome the fragmentation that has prevailed in cybersecurity for decades. Cooperation previously relied on bilateral treaties or regional instruments such as the Council of Europe’s 2001 Budapest Convention.
The UN now offers a global alternative: the new initiative requires each state party to set up a round-the-clock contact point to assist investigations and sets common procedures for exchanging electronic evidence.
It also emphasises support for victims and protection of the most vulnerable, particularly children. This is among the first international treaties to criminalise not only the distribution of illegal content but also online solicitation of minors.
Russia’s role
Russia has long been the ideological and political driver of a cybercrime convention. Its diplomacy pursued adoption for roughly 15 years.
At first, Russia, together with China and others, pushed to broaden the list of cybercrimes to include the spread of extremist content and the use of ICT for terrorist purposes.
Such proposals met fierce criticism from several Western jurisdictions, which feared the wording could enable the persecution of dissent.
A compromise followed: the Convention’s scope was narrowed to classic computer offences. Even so, Russia has not abandoned its ambitions.
According to RBC, citing experts, Moscow has already announced work on additional provisions to expand the catalogue of criminal acts in the digital realm. Western countries are unlikely to join them, but such an initiative could attract support from some states in Africa and Asia.
An ideological rift
The UN General Assembly vote in December 2024 laid bare a global split. The Convention was adopted not by consensus but by a majority: 79 in favour, 60 against, 33 abstentions.
Votes roughly broke down as follows:
- in favour: Russia, other BRICS and CIS members, and several states in the Middle East, Africa and Latin America (Saudi Arabia, Algeria, Venezuela);
- against: the United States, Canada, the United Kingdom, Australia, EU countries, Ukraine, Georgia, South Korea and Israel;
- abstentions: Argentina, Mexico, Chile and Singapore, among others.
The Convention will enter into force after ratification by 40 states.
Russia and its allies see in the document a historic milestone — the first universal instrument that enshrines the principle of state sovereignty in cyberspace and fair regulation “in the interests of the entire global community.”
Critics reject the current text. Their central argument is the threat to human rights. Western diplomats point to vague drafting and easier extradition and data-sharing procedures that could legitimise transnational repression.
“Ideologically, the Hanoi Convention reflects the approach promoted by countries that previously refused to join the Budapest Convention — it is focused on state sovereignty and security. The Budapest Convention has always been embedded in the European system of human-rights protection with established safeguards and oversight mechanisms,” noted cyber-lawyer and RKS Global and VPN Guild expert Sarkis Darbinyan in a comment to ForkLog.
How it could be applied
On the one hand, the document is useful: it creates a common legal language for countries that previously lacked mutual arrangements. It will be harder for criminals to find a “grey” jurisdiction if the main states in a region agree to treat, say, phishing or creating botnets as crimes.
On the other hand, the Convention itself contains broad exceptions. A state may refuse legal assistance if it deems a request a threat to its sovereignty, security or essential interests. In today’s realities, cooperation between adversarial countries looks unlikely.
According to Sarkis Darbinyan, in practice the Convention will be applied both to familiar cross-border cybercrime investigations and to a much wider set of cases.
For example, interpretations of its provisions could be used in cases concerning online speech, journalism and political activism — especially in countries whose domestic laws allow such actions to be classified as cybercrimes.
“In some places it will be the dissemination of false information, elsewhere extremist activity, elsewhere the insult of national or religious symbols on social networks. This approach significantly increases the risk of abuse, including through mechanisms of mutual legal assistance and cross-border data requests,” Darbinyan specified.
The expert believes that beyond criminal activity the Convention will most affect:
- cybersecurity research and vulnerability testing;
- investigative journalism and the work of whistleblowers;
- digital activism and the expression of opinions online;
- the operations of tech companies that process user data.
Cybersecurity researchers regularly access systems without formal authorisation to identify vulnerabilities, Darbinyan explained. Investigative journalists, meanwhile, often work with leaks or data obtained through hacking.
“In the absence of clear protective mechanisms, both groups may face criminal prosecution, including through international cooperation mechanisms. This creates a chilling effect and undermines activity necessary for public safety and government accountability,” the cyber-lawyer warned.
Needs revision
Many states involved in drafting disagreed with parts of the text. Even so, it was endorsed on the principle that it is better to adopt an imperfect treaty and seek fixes later.
Darbinyan believes that, to reduce the risk of abuse, the Convention needs to:
- narrow its application to basic cybercrimes;
- provide clear, unambiguous protections for cybersecurity researchers, journalists and whistleblowers;
- define binding, concrete human-rights standards for surveillance, data access and international cooperation;
- impose strict data-protection requirements and limit permissible uses of data;
- establish effective oversight to prevent politically motivated requests.
“Without these clarifications, there is a risk that the Convention will become a global instrument of digital repression rather than an effective international mechanism for combating cybercrime,” the expert stressed.
***
This duality — both aiding the fight against crime and enabling potential abuse — makes the Hanoi Convention one of the most contentious yet consequential international agreements for the digital realm.
Only future practice will show how effective the initiative is at countering crime without harming human rights. Until then, potentially vulnerable groups may need to watch their online actions more carefully, even if they consider them entirely lawful.
