The United Nations Convention against Cybercrime (Hanoi Convention) is a treaty to facilitate international cooperation in the enforcement of cybercrime laws. It was proposed by Russia in 2017 and adopted by the General Assembly in December 2024 amid resistance from human rights organizations. NGOs, academics, technology companies, and policy experts have criticized the convention for expanding the surveillance and data collection capacities of repressive governments without human rights safeguards.[1] Complaints focus on its vague definition of cybercrime, which can include any crime committed using technology, as well as the way it defers to individual countries, including those with a record of human rights abuses, to determine how to protect human rights.
The signing ceremony and high-level conference are being held in Hanoi, Vietnam, at the National Convention Center. By the first day, the treaty has attracted 65 national signatories and endorsements, which include Western democracies like the Czech Republic and Australia.[2][3] This treaty is the first to be signed in Vietnam and the first to be named after a Vietnamese location.[4]

As internet-enabled devices have proliferated, the transnational nature of cybercrime has posed challenges to national police and security agencies. Countries differ widely in how they investigate, enforce, and legislate against cybercrime.[5] In the early 2000s, the Council of Europe established the first international treaty to address internet and computer crime, the Budapest Convention, effectively harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It went into force in July 2004, and has been ratified by 78 states, including several from outside of Europe, as of 2025.[6]
The UN cybercrime convention was first proposed in 2017 by Russia, which had long objected to the Budapest Convention, viewing it as a threat to its internet sovereignty and control.[7][1][8] In 2019, it was passed by the General Assembly as Resolution 74/247, with 88 votes in favor, 58 against, and 34 abstaining.[9][10] The vote took place amid opposition by the European Union, United States, and allies who were satisfied with the Budapest Convention and viewed Russia's proposal as an effort to shore up its censorship and surveillance capacities with obligatory international cooperation.[11][8][9]
The resolution created what became the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, starting the drafting and negotiation process.[12] The committee met several times between 2021 and 2024, with support from the United Nations Office on Drugs and Crime, producing and approving a draft General Assembly resolution in August 2024.[13] During the negotiation process, Iran repeatedly requested votes to remove the language "nothing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms", the removal of which was then supported by Russia, India, Sudan, Venezuela, Syria, North Korea, Libya, and 16 other states, but ultimately failed.[1] Class-based human rights protections were weakened during negotiations, and challenged by Iran and Russia until a group of member states declared they would not support any additional changes.[14]
The resolution was adopted by the General Assembly in December 2024. The full title is United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes.[15] A signing ceremony is planned for October 2025, after which member states will decide internally whether to ratify it or otherwise consent to be bound by it. Individual countries' processes for ratification, accession, approval, or adoption vary. The heads of state or government in some may simply decide to approve or adopt, while others may need to work with their legislatures.[16][17] The convention will be in force after forty member states consent to be bound by it through ratification, accession, approval, or adoption.[18]
The convention aims to facilitate international cooperation in criminal enforcement of cybercrime laws. It requires participating nations to criminalize certain forms of cybercrime, like illegal access to an information system, data interference, and the use of computer systems for fraud or child exploitation. It also establishes procedures for law enforcement agencies to collect and preserve electronic evidence. It creates frameworks for collaboration, including mutual legal assistance and extradition. There are also provisions for a support system, providing a contact network for fast processing of data requests. Alongside these provisions, the convention discusses the need to respect international human rights law, but it relies on existing instruments like the International Covenant on Civil and Political Rights rather than establishing new or expanded standards specific to cybercrime. The implementation of human rights safeguards is left to individual countries to legislate.[15]
The following countries have signed the treaty as of 30 October 2025.[19]
According to Joan Barata in Tech Policy Press, after Russia first proposed the law in 2017, it was "particularly promoted by countries willing to build a system alien to the protections granted by most relevant international human rights instruments, including Belarus, China, Iran, Sudan, Venezuela, Nicaragua, North Korea or Cuba".[7]
Though opposed to the convention at its start, the United States remained involved in the development of the treaty to avoid it being shaped by its adversaries.[16] The Biden Administration in the United States ultimately voted in favor of the resolution, in some part to remain part of the conversation over its implementation,[16] amid objections from US-based human rights organizations and lawmakers who argued that it would make it easier for the US's foreign adversaries to surveil their citizens and access data generated inside US borders.[20][17] It is unclear whether the US Congress would support ratification.[17]
The potential for such a treaty to facilitate human rights abuses was recognized by the UN from the earliest discussions of the convention, when Russia proposed it in 2017.[11] Throughout the drafting process, several NGOs, cybersecurity companies, journalists, the International Chamber of Congress, academics, and the UN High Commissioner for Human Rights raised objections focusing on two central aspects of the convention: the vagueness and flexibility of the crimes it aimed to address, and the way it leaves human rights protections up to the individual member states.[21][1][22]
Other objections concern the obligations of member states. For example, the convention requires states to have laws that compel internet services to collect certain data, and does not require that requests for such data be transparent. There are limited cases when member states may deny a request for data, although there is a provision to do so if a state believes a request is due to "sex, race, language, religion, nationality, ethnic origin, or political opinions".[14] The latter statement was weakened during negotiations, and challenged by Iran and Russia until the end of negotiations.[14] The International Chamber of Commerce and Microsoft argued the convention was itself a threat to cybersecurity and national security, concerned that it provided grounds to force hackers and other skilled or knowledgeable parties to subvert security systems in ways that would expose infrastructure to attack and allow leaking of sensitive and classified data.[14]
The convention names four types of crimes in particular, which human rights advocates argue are framed too broadly, applicable to any crime committed using an information or communications technology. Many of the crimes it would apply to have only a thin connection to the kind of serious cybercrime, like ransomware and child exploitation, that motivated the convention.[21][22][14] As a result, the convention expands the reach of existing surveillance regimes and the enforcement of controversial, ambiguous laws which countries use to criminalize a range of forms of speech, expression, and dissent, like Jordan's law against "character assassination via social media" or the United Arab Emirates' "condoning sins".[23] In a Lawfare article, Eli Scher-Zagier said the treaty "endorses a state criminalizing conduct by anyone, anywhere, so long as the conduct harms one of its nationals".[24] The Atlantic Council offered an example of someone displaying a rainbow flag online, which is illegal in Russia. Under the proposed convention, because the crime took place online, it falls within the definition of cybercrime and other countries may be expected to share data to assist in such investigations.[14]
Several organizations highlight the way the convention's language about human rights protections amounts largely to suggestions left to the discretion of member states, including those with a record of human rights abuses.[21][23] According to Freedom House, which maintains the Freedom in the World index, Russia and the treaty's cosponsors are all categorized as "Not Free".[25] Whereas the Budapest Convention of the early 2000s included a wide range of concrete protections due to its context in the European human rights system, the UN convention is both broader in scope and lacking in safeguards.[7]
The digital rights organization Access Now issued a statement that the convention "pays lip service to human rights while lacking any actual safeguards", instead "embolden[ing] authoritarian regimes ... to justify digital repression, at home and abroad, with a veneer of legitimacy".[23] According to Nick Benequista of the National Endowment for Democracy, the consequences of ratifying the convention are harmful primarily for people who live in countries without robust protections for free expression, where independent journalists – even in exile, from other countries – could be more easily suppressed or jailed.[26] Similarly, the Electronic Frontier Foundation (EFF) argues that without protections built into the convention, it simply provides an expansive spying and surveillance system "to enable transnational repression".[21]
In the lead-up to the draft going before the General Assembly, the Cybersecurity Tech Accord submitted a letter to the UN outlining objections and recommendations.[27] It then joined a dozen human rights organizations in a last-minute open letter "urging governments not to adopt or ratify the UN’s first landmark Cybercrime Convention unless substantial changes are made to address the serious and broad-based concerns in the final draft".[28][29] Other notable organizations issuing statements critical of the convention include Amnesty International, Chaos Computer Club, Digitalcourage, Electronic Privacy Information Center, European Digital Rights, Human Rights Watch,[30] IFEX, International Press Institute, Privacy International, SHARE Foundation, Statewatch, and the Wikimedia Foundation.[31]