This post is divided into two parts. Part I looks at the draft UN's Cybercrime Convention and its potential implications for LGBTQ+ rights. Part II provides a closer look at how cybercrime laws might specifically impact the LGBTQ+ community and activists in the Middle East and North Africa (MENA) region.
EFF has consistently voiced concerns over the misuse of cybercrime laws across the globe, and particularly their impact on marginalized and vulnerable communities—notably LGBTQ+ individuals. These laws, often marked by their broad scope and vague wording, have also been weaponized against security researchers, artists, journalists, and human rights defenders.
And as nations continue to engage in negotiations regarding the polarizing UN Cybercrime Convention draft, they bear a significant responsibility to ensure that the misuse of these expanded surveillance powers isn't legitimized under the UN’s watch. Without changes, the initial zero draft, along with its subsequent amendments, might inadvertently grant broad investigative and prosecutorial authorities that could infringe upon fundamental human rights, both at home and abroad.
Article 5 on Human Rights Must be Strengthened
So far, it’s looking bleak for human rights. A proposed amendment championed by Uruguay and backed by 50 nations aimed at bolstering human rights in Article 5 with gender mainstreaming (see minutes 01:15) met strong opposition. Nations like Malaysia, Russia, Syria, Nigeria, and Senegal directly opposed it. Meanwhile, countries like China, Saudi Arabia, Egypt, Iraq chose to back Article 5 as written in the zero draft, which fails to recognize gender mainstreaming.
And nothing changed in subsequent behind the scenes negotiating sessions aimed at ironing out the amendments to this article—Japan, the chair of the informal group, reported that the "best way forward would be to respect [Ad Hoc Committee] Chair’s original Article 5 of the zero draft without any amendments." The outcomes of these secret informal deliberations were later presented in the main session. Uruguay's response was clear (see minutes 01:16): Integrating this language [gender, vulnerable groups and rule of law safeguards] isn't a threat nor imposition; it accurately mirrors contemporary realities, ensuring the Convention is up-to-date and aligned with current realities.
In contrast, the Preamble, Article 1 and 55 of the UN Charter support gender equality, and subsequent international instruments like the Convention on the Elimination of All Forms of Discrimination Against Women (CEDAW) further obligate states to actively combat all forms of gender discrimination and advance gender equality. And the most recent UN General Assembly Resolution (A/RES/77/211) on privacy in the digital age recognizes the right to privacy as a way to prevent gender-based violence and encourages all relevant stakeholders to mainstream a gender perspective in the development and adoption of digital technologies.
As Derechos Digitales and APC told the UN Member States, “it is essential that international instruments mainstream gender to ensure that norms contribute to the fulfillment of human rights and gender equality.” AlSur echoed this recommendation “to address the specific needs of people of diverse sexual orientations and gender expressions.”
Tighten the Loopholes in the International Cooperation Chapter (Article 3 and 35)
At the end of the treaty negotiating session in August, Canada affirmed (see minutes 01:01) that the convention’s scope allows each country to define what constitutes a “crime” or “serious crime” on its own terms, potentially leading to overly broad definitions that can be abused. Canada's concerns about the treaty ring especially true when examining real-life cases. Take, for instance Human Rights Watch case of "Yamen," a young gay man from Jordan. Yamen, after being victimized online, turned to his country's authorities, expecting justice. Yet, under the very cybercrime law he sought protection from, he found himself accused and sentenced for "online prostitution.”
The expansive scope of the Treaty, as highlighted in the "zero draft" and later set of amendments, presents a significant flaw. The chapter on domestic surveillance in the draft endorses evidence gathering with very intrusive surveillance measures for any criminal offenses as defined in each country domestic law. And the international cooperation chapter (also coined "cross-spying assistance" chapter) gives countries an unsettling degree of freedom, enabling them to cooperate based on their national criminal laws when gathering e-evidence for crimes punishable by more than three years (results of the informal negotiations) or four years (as in the zero draft).
In a nutshell, the draft text enables countries to assist each other in spying, but does so based so on each country criminal law rather than a limited set of core cybercrimes as defined by the Convention. This means that the country requesting the assistance can individually determine what they label as "crimes" and subsequently request another country to assist in deploying its sweeping surveillance measures to collect evidence for most crimes. Such a structure inadvertently greenlights nations to share surveillance data on actions or behaviors that might be intrinsically protected under international human rights law.
For instance, in some countries where LGBTQ+ online expressions, including sharing content deemed "immoral" are wrongly criminalized, the draft treaty provisions could be misused to further enable domestic surveillance measures targeting these communities. It can also allow one state to help another one to track an LGBTQ+ individual's whereabouts when that person is traveling abroad. While some countries can choose to require dual criminality, many who have similar laws or are friends with that government will be willing to cooperate. This is what is not acceptable. States should not only look at themselves but the broader picture of what they are authorizing under an UN umbrella.
The international cooperation chapter has another central problem. Its scope is overly dependent on the severity of penalties—specifically, three or four years of imprisonment—as the primary metric for allowing one country to request assistance from another in surveillance efforts. Numerous laws criminalizing LGBTQ+ individuals merely for their identity, or for content deemed "immoral," often carry penalties that are four years or more and are wrongfully considered "serious crimes." This poses a substantial threat, especially when such criteria can dictate international collaboration and surveillance.
In some jurisdictions, acts that are considered minor offenses could be elevated to appear as serious crimes in others, creating an imbalance in the intensity of surveillance applied to these supposed 'infractions'. This design flaw could lead to 'charging up'—where authorities might be motivated to amplify charges to fit the '4-year/serious crime' criteria. While this threshold is an improvement compared to an open mandate for any crime, its ambiguity risks exploitation. Moreover, the resulting surge in requests could further burden an already overwhelmed mutual legal assistance treaty (MLAT) system, thus exacerbating existing resource challenges.
Refining the proposed treaty to focus exclusively on core cybercrimes, as explicitly detailed within, isn't merely a constructive approach—it might be the only route to secure approval from multiple national parliaments. This is way, Human Rights Watch, ARTICLE 19, EFF, Privacy International and many others have called for the proposed convention to explicitly rule out provisions for domestic surveillance and cross-border cooperation concerning non-core cybercrimes, ensuring that nations don’t offer a legal foundation under the UN to legitimize collaboration for gathering evidence for investigation of these arbitrary offenses—many of which are not inherently criminal conduct but are even discriminatory laws targeting LGBTQ+ individuals mere expressions of one's gender identity, sexual orientation, or beliefs.
Imagine a nation assisting another spy on LGTBQ+ individual's internet use, discerning out what websites they visit. They intercept personal conversations in real time. And, they even track where this LGBTQ+ individual goes around their city. If authorities in certain countries disproportionately target LGBTQ+ individuals, surveilling them merely for expressing their authentic identities—because such expressions are wrongly categorized as “serious crimes'' with penalties of over three years in prison—it glaringly exposes a deep-rooted injustice and raises profound concerns. This isn't just about invading someone's privacy. It's about using intrusive technology to deeply and unfairly discriminate against LGBTQ+ people, putting their safety and freedom at severe risk.
Indeed, this is not an abstract concern but a reality that we’ve seen play out repeatedly in various countries. For instance, the Human Rights Watch 2022 World Report, alongside Derechos Digitales' findings on cybercrimes laws used against LGBTQ+ communities, provides evidence that vague cybercrime laws are frequently used to muzzle dissent, with marginalized groups like women and LGBTQIA+ most affected.
Domestic surveillance laws and indiscriminate personal data sharing exacerbate the negative impact of such tools when in the hands of state authorities. They are frequently manipulated to amass “evidence”—not just for prosecuting individuals on the grounds of engaging in same-sex relationships, but also for invoking archaic and suppressive “morality clauses.” This unnerving synergy doesn’t merely facilitate hostility; it amplifies the risks for the LGBTQ+ community and supporting activists. Succumbing to these concessions in any international convention would be devastating, and would mark a perilous setback for human rights.
Accepting a broader scope would be nothing short of catastrophic—especially for already vulnerable LGBTQ+ communities worldwide. There are many other aspects of the Treaty that raise red flags. Stay tuned to our blog in the coming days as we delve deeper into these pressing concerns.
Broadly speaking, the draft UN Cybercrime Convention needs to address and rectify certain areas, among others. (We're still delving into the details and may not have an exhaustive list as of yet):
- A focused scope of the treaty that is limited to genuine core cybercrimes without overreach, and to "specific" criminal investigations and proceedings.
- Integrate gender mainstreaming and protection of vulnerable populations to ensure that the draft treaty recognizes and protects the rights of diverse gender identities and expressions.
- Include robust operational safeguards, including transparency obligations, notification to third countries, ability from companies to notify users, minimum data protection safeguards, and independent oversight, and it is applicable to the international cooperation chapter.
- Delete highly intrusive surveillance powers if they do not have corresponding robust safeguards like real-time collection of traffic data and interception of content of communication.
- Eliminate Article 28.4, which mandates Parties to implement laws or measures that compel individuals with knowledge about a specific computer or device to provide information essential for searching that computer or device. This provision is fundamentally flawed and cannot be rectified, not even with safeguards in place.
- A focused scope of the international cooperation chapter, narrowed solely to core cybercrimes as specified by the Convention, rather than invoking powers based on the number of years of imprisonment as penalties.
- Incorporate grounds of refusal for political offenses in Article 40 and encourage also incorporating grounds for refusal where a request would likely prejudice, inter alia, “the protection of human rights or fundamental freedoms.
- Incorporate and strengthen grounds for refusal in 40(c)(ter) against discriminatory prosecution or punishment. Align the language of Articles 40(c)(ter) and 37(15) with non-discrimination standards under international human rights law, ensuring protection for vulnerable individuals or groups
- Refine and narrow the scope of Article 47 to ensure that data sharing is specific to criminal investigations, and explicitly exclude sharing of personal data like biometric, traffic, and location data unless accompanied by rigorous data protection and privacy safeguards. Any sharing should be proportionate, relevant, and tied to specific investigations to prevent potential abuse of shared databases and AI training datasets.
- Mandate dual criminality, ensuring it's not left as an optional provision.
- Clear and narrowly precise language throughout the treaty that leaves no room for misinterpretation or misuse.
Our second post will map out the recent cybercrime laws in the MENA region vis-a-vis the standards set under the proposed UN Cybercrime Treaty. Stay tuned.