Around 70 countries have signed the new United Nations (UN) Convention against Cybercrime—the first global treaty designed to combat cybercrime through unified international rules and cooperation.

The treaty needs at least 40 UN member states to ratify it before it becomes international law. Once the 40th country does so, it will take another 90 days for the convention to become legally binding for all those who have joined.

Notably, the United States declined to sign. In a brief statement, a State Department spokesperson said:

“The United States continues to review the treaty.”

And there is a lot to review. The convention has sparked significant debate about privacy, sovereignty, and how far law enforcement powers should reach. It was created in response to the rising frequency, sophistication, and cost of cybercrime worldwide—and the growing difficulty of countering it. As cyberattacks increasingly cross borders, international cooperation has become critical.

Supporters say the treaty closes legal loopholes that allow criminals to hide in countries that turn a blind eye. It also aims to solve miscommunication by establishing common definitions of cybercrimes, especially for threats like ransomware, online fraud, and child exploitation.​

But civil rights and digital privacy advocates argue that the treaty expands surveillance and monitoring powers, in turn eroding personal freedoms, and undermines safeguards for privacy and free expression.

Cybersecurity experts fear it could even criminalize legitimate research.

Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation (EFF) stated:

“The latest UN cybercrime treaty draft not only disregards but also worsens our concerns. It perilously broadens its scope beyond the cybercrimes specifically defined in the Convention, encompassing a long list of non-cybercrimes.”

The Foundation for Defense of Democracies (FDD) goes even further, arguing that the treaty could become a platform for authoritarian states to advance ideas of state control over the internet, draw democratic governments into complicity with repression, and weaken key cybersecurity tools on which Americans depend.

“Russia and China are exporting oppression around the world and using the United Nations as legal cover.”

Even Microsoft warned that significant changes would need to be made to the original draft before it could be considered safe:

“We need to ensure that ethical hackers who use their skills to identify vulnerabilities, simulate cyberattacks, and test system defenses are protected. Key criminalization provisions are too vague and do not include a reference to criminal intent, which would ensure activities like penetration testing remain lawful.”

Those changes never came to life. Many observers now say the treaty creates a legal framework that allows monitoring, data storage, and cross-border information sharing without clear data protection. Critics argue it lacks strong, explicit safeguards for due process and human rights, particularly when it comes to cross-border data exchange and extradition.

When you think about it, the idea of having a global system to counter cybercriminals makes sense—criminals don’t care about borders, and the current patchwork of national laws only helps them hide. But to many, the real problem lies in how the treaty defines cybercrime and what governments could do in its name.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.