Dispatch from Hanoi: UN Cybercrime Treaty Signing Exposes a Highly State-Centric Process

Last week, UN Member States gathered in Hanoi, Vietnam, for the signing ceremony of the United Nations Convention against Cybercrime (UNCC). The event, held at the National Convention Center, came amid mounting concerns from civil society groups, tech companies, and digital rights advocates about the treaty’s potential impact on online freedoms. Critics also pointed to the host country’s long-standing record of digital human rights violations and a global shift toward increasingly restrictive internet regulations.

Proposed by Russia in 2017 and approved unanimously by the UN General Assembly in 2023, the Convention is intended to serve as the first universal legal instrument to combat cybercrime through harmonized definitions, enhanced cross-border cooperation, and streamlined access to electronic evidence.

On the first day, 64 states signed the treaty at the official signing event, with an additional five signatures added by the end of the second day. While these signatures indicate broad state-level support for the UNCC, several key countries were notably absent from the signatories’ list, including Canada, New Zealand, and the United States.

Whether the UNCC achieves its stated goals of preventing and addressing cybercrime, or instead enables censorship of protected expression, overbroad surveillance, or transnational repression, will depend on whether its scope is further expanded through a supplementary protocol, which states ratify it, and how those states implement its provisions.

A key argument repeated by states throughout the signing ceremony was that the Convention establishes a shared baseline for defining cybercrime, creating uniformity in the fight against digital crime and ensuring that “no state is left behind.”

This approach, as well as the composition of participants in the ceremony itself, reflects a starkly state-centric framing. The vast majority of delegates represented member states, while private-sector, academic, and civil society participants were few and faced significant barriers to engagement. Many secured Vietnamese visas only at the last minute, if at all. In addition, programme instructions and guidance on accessing the venue were limited, and logistical hurdles such as registration approval further complicated attendance. Many delegates had limited insight into their countries’ signing and ratification processes, and were often able to provide only high-level responses when asked for details. These challenges related to inclusive multistakeholder engagement felt particularly disappointing in the context of a treaty with far-reaching implications for human rights, digital governance, and international cooperation.

Convention context and human rights concerns

While ICT-enabled crimes have existed since the early days of the Internet, “cybercrime” remains a somewhat vaguely constructed concept – one that the Convention empowers States Parties to define within their domestic legal frameworks. As the Global Network Initiative (GNI) has monitored over the last decade, these definitions vary greatly across different jurisdictions and can include criminalization of conduct ranging from cyber-dependent crimes, such as online fraud and scams; cyber-enabled crimes, including technology-facilitated gender-based violence; offences targeting computer systems, such as unauthorised access or modification; and speech-related offences.

The Budapest Convention on Cybercrime, adopted in 2001 under the Council of Europe, already provides an established international framework for addressing cybercrime. Unlike the UNCC, it includes more robust human rights safeguards, clearer implementation guidance, and oversight through mechanisms such as the European Court of Human Rights. Supported by the Cybercrime Convention Committee (T-CY), which reviews implementation and promotes state cooperation, the Budapest Convention is also open to accession by non–Council of Europe states and has been joined by over 70 countries worldwide.

Many stakeholders have argued that the Convention risks broadening state powers without adequate checks, particularly through articles 28 to 31 on electronic‑evidence access; articles 43 to 45 on cross‑border cooperation; and article 22(2), which risks facilitating extraterritorial overreach and inconsistent national-level implementation. Human rights groups, including GNI, have warned that the Convention does not sufficiently safeguard against its abusive application, especially when many states already rely on broadly drafted cybercrime-related laws that could be legitimized and accelerated under this treaty.

Who showed up, and who couldn’t

The atmosphere during the signing ceremony reflected the event’s state-centric participation and a high degree of orchestration. Applause was particularly pronounced when Russia and Vietnam signed the Convention, highlighting which delegations drew the most attention. By the second day, overall participation had noticeably declined. Plenary halls and side-event rooms were filled with young participants in school uniform, who appeared to have been instructed to applaud whenever Vietnamese officials took the stage.

The choice of Vietnam as host for the signing ceremony added another layer of significance. The modernizing digital regulation agenda of the Socialist Republic of Vietnam – which GNI has flagged for human rights and governance risks – provides a revealing backdrop. Vietnam’s regulatory developments (for example, tight controls over online information, content-moderation mandates, real-name registration rules, and data localization obligations) have raised concerns that the UNCC could provide further legal reinforcements for broad, non-transparent, and unaccountable exercises of government authority over the digital space. The fact that the signing ceremony occurred in a jurisdiction already advancing regulatory measures that emphasize state control, rather than multistakeholder transparency or independent oversight, underscores how international frameworks and national regulatory environments can converge, and why the question of which actors are included, how definitions are shaped, and how procedural powers are exercised, matters so much.

The composition of delegations further highlighted how governments approached the UNCC. Most signatories were represented by ministries responsible for internal affairs, justice, migration, or economic policy, rather than digital or ICT portfolios. Among non-government participants, a few child- and women-safety groups were present, while GNI was the only digital rights-focused organization in attendance, reflecting existing divisions within civil society and a tendency by some states to pick and choose which groups they wish to engage. Private sector attendance was also limited, particularly from large technology companies, though some cybersecurity service providers noted the Convention’s potential to support international cooperation against malicious cyber activity.

While not surprising, it was nevertheless disappointing that human rights safeguards were not a central focus during the signing ceremony. There was only limited discussion of how the Convention might affect journalists, security researchers, or political dissidents, even amid rising incidents of digital transnational repression. The absence of gender mainstreaming – in a treaty signed by states that continue to criminalize LGBTQ+ conduct – was observed by some participants but did not feature in official remarks.

Next steps

There remains considerable uncertainty about which countries will ratify the UNCC, which requires 40 ratifications to enter into force. Given the convention’s negotiating history, it is not surprising that authoritarian countries such as China, Iran, Russia, and Vietnam are keen to ratify it. However, it was notable that several geo-politically significant, democratic countries, including Austria, Belgium, Brazil, France, Ireland, South Africa, and the United Kingdom, also signed the Convention.

Many of these countries are already parties to the Budapest Convention and host major technology companies, reflecting their engagement across multiple, and sometimes diverging, international frameworks in terms of their approach to human rights. However, the fact that the United States did not attend the ceremony points to a potentially significant setback. Given the number of important platforms headquartered there and the amount of global data that resides in the United States, its lack of support would substantially limit the UNCC’s impact.

In the meantime, the Ad Hoc Committee (AHC) that negotiated the treaty will continue its work, with the next session in January 2026 to consider the draft rules of procedure for the Conference of the States Parties (CoSP), which will oversee implementation of the Convention. Civil society actors have emphasized the importance of ensuring that the multistakeholder modalities developed during the original AHC process continue to apply in this next phase and are formally incorporated into the CoSP’s procedures, including clear opportunities for observation and participation.

It will be essential for democratic states to use their leverage within the CoSP to ensure that both the rules of procedure and any future supplementary protocol strengthen human rights safeguards, promote transparency, and guarantee meaningful inclusion of non-state stakeholders. Carrying forward the multistakeholder modalities developed during the original AHC process will be critical to ensuring that civil society, the private sector, academia, and independent experts have opportunities for genuine participation and oversight.

The signing ceremony in Hanoi marked a procedural milestone for the UNCC. While it reflected broad political support for international cooperation on cybercrime, the practical and rights-related implications of the Convention will become clearer only over time. The next AHC session and subsequent steps toward ratification will determine how the treaty’s commitments are operationalized and how diverse stakeholders are engaged in shaping its implementation.