The New UN Cybercrime Treaty Is a Bigger Deal Than Even Its Critics Realize
Published by The Lawfare Institute
in Cooperation With
On Aug. 9, after years of heated debate, a UN General Assembly committee unanimously agreed on the text of a new cybercrime convention. The treaty sets out to foster international cooperation on cybercrime, a notoriously transnational issue. But in the weeks since, criticism and calls to reject the treaty have poured in from a rare alliance: business and human rights groups.
Opposition to the treaty has focused on its broad substantive offenses. Digital rights advocates warned of the treaty’s “new cross-border electronic surveillance powers,” which provide for investigative and electronic monitoring cooperation for any “serious crime,” a category each state can largely define for itself. And despite excluding Russian proposals for vague extremism-related offenses, the proposed treaty still includes some expansive crimes that are not intrinsically tied to computers, such as money laundering and computer-related fraud—meaning fraud conducted over text, email, or phone call.
Nevertheless, both the treaty’s proponents and its critics fail to recognize that the human rights danger from the treaty goes far beyond authoritarian states using these broad powers to repress domestic speech, dissent, and journalism (although they surely will). A critical risk of the treaty is its legitimization of cases where states apply their domestic criminal codes extraterritorially and then leverage those powers to target foreigners abroad.
Article 22 of the proposed convention received far less attention, but its jurisdictional provisions are some of the most alarming. One of the provisions would authorize states to exercise jurisdiction over extraterritorial conduct that harms their nationals—known as passive personality jurisdiction. This jurisdiction is controversial: By signing this treaty, states would essentially cede sovereignty to other states, eliminating what would be states’ ordinarily exclusive jurisdiction to regulate—including, importantly, to permit—the conduct of their citizens in their territory.
Under the cybercrime treaty’s version of passive personality jurisdiction, for instance, Russia could seek Turkey’s help in surveilling and extraditing an American journalist vacationing in Istanbul who discovered a misconfigured database and reported on the exposure of Russian citizens’ personal data (potentially, illegal access under Article 7). The journalist’s only recourse would be the treaty’s weak human rights provisions, which require compliance with international human rights law but offer no independent enforcement mechanism, instead relying on existing (or nonexistent) national safeguards.
As detailed in my forthcoming article in the Yale Journal of Law & Technology, “Jurisdictional Creep: The UN Cybercrime Convention and the Expansion of Passive Personality Jurisdiction,” this jurisdictional expansion is part of a growing trend of expanding extraterritorial jurisdiction under international law, a trend that has escaped scrutiny and that, if left unchecked, will facilitate a nearly unlimited reach for authoritarian countries’ criminal laws.
The cybercrime treaty is emblematic of the dangers of expanding passive personality jurisdiction, and it would remove any meaningful limits on this type of criminal jurisdiction. When the General Assembly votes on the treaty in the coming months, it should remove this provision.
The Treaty’s Jurisdictional Revolution
Historically, international law allowed a state to create criminal offenses only over conduct on that state’s territory, by the state’s nationals, or in certain other limited cases. But states began to recognize additional jurisdictional bases, some of which developed into customary international law. One example is the protective principle, which allows jurisdiction when the offense affects the vital interests of a state (for example, espionage and counterfeiting).
Jurisdiction over offenses committed against a state’s nationals is the newest jurisdictional basis recognized by the UN General Assembly’s International Law Commission. This principle, known as passive personality jurisdiction, allows broad jurisdiction regardless of scale or severity, in contrast to other jurisdictional bases that have inherent limitations.
The rise of passive personality jurisdiction has been dizzying. Today, the American Law Institute’s Restatement recognizes passive personality jurisdiction as part of international law. But 50 years ago, the body flatly rejected such jurisdiction. Until recently, passive personality jurisdiction was largely limited to civil law states, with many common law states opposing and persistently objecting to it. Even as passive personality jurisdiction has expanded, most states, including the U.S., have limited it to a few violent or serious crimes, notably terrorism.
Recognition of passive personality jurisdiction in the cybercrime convention would represent a significant expansion beyond terrorism and violence. It would legitimize the use of passive personality jurisdiction in any context and risk its acceptance becoming customary international law. Unlike previous uses of passive personality jurisdiction, its inclusion here would be freed from substantive limits (to terrorism or violence) and functional limits, as exist in the UN corruption and organized crime treaties.
These two treaties also accepted passive personality jurisdiction, indicating that UN crime treaties are quietly revolutionizing the international law of criminal jurisdiction. But both contain limiting elements. The transnational organized crime treaty covers participation in an organized criminal group, which the convention defines to exclude any activity committed individually or for non-financial/material purposes. And most of the corruption treaty offenses involve public officials as perpetrators (examples include embezzling funds or accepting bribes) or targets (for example, being offered bribes). In this way, the treaty operates more like a broad application of the protective principle—for example, protecting government operations from official bribery—than a significant expansion of passive personality jurisdiction.
In the view of one scholar, “it is fair to say that the United States and other common law countries adopting such [passive personality jurisdiction] statutes have abandoned their objection to passive personality jurisdiction with respect to terrorist crimes … not … the persistent objection as to other types of crime.” Accepting a cybercrime treaty that authorizes far broader passive personality jurisdiction could void this persistent objector status, just as it did in the protective principle context.
Judging by the near universal ratification of past UN crime treaties and the unanimous vote for the final cybercrime treaty text, it is likely that most states will ratify the new UN cybercrime treaty. If such widespread adoption occurs, it will be difficult for states to articulate any reasoned, persistent objection to the scope of passive personality jurisdiction, particularly given the treaty’s wide-ranging substantive offenses.
Passive Personality Jurisdiction’s Troubled Past
Passive personality jurisdiction has been the most contested jurisdictional basis for criminal offenses and remains controversial for a reason. When France suddenly adopted unlimited passive personality jurisdiction in 1975—asserting it could try anyone for any crime committed against a French national—the French justice minister called it “manifest imperialism that is difficult to justify.”
This French official recognized that passive personality jurisdiction intrudes upon a state’s sovereign regulation of those within its territory. As another scholar has written, the U.S. and many other states “consider passive personality jurisdiction to be more intrusive than nationality or territorial jurisdiction, even if exercised when the conduct is criminal in the state in which the crime occurred.”
Passive personality jurisdiction is also ripe for abuse since it gives a state the power to punish foreigners who harm its nationals. This poses fundamental due process issues, as citizens of one state may not be familiar—or reasonably be expected to be familiar—with foreign states’ criminal codes. Even if noncitizens were familiar with foreign laws, passive personality jurisdiction subjects them “not merely to a dual, but an indefinite responsibility,” as the U.S. State Department observed in the 19th-century Cutting Case.
Although it involved no computers, the Cutting Case was an early instance of American opposition to passive personality jurisdiction and powerfully demonstrates the stakes. An American newspaper editor, A.K. Cutting, wrote in a Texas newspaper that a rival Mexican publisher was a “fraud” and “dead beat.” Asserting jurisdiction over crimes committed against Mexicans anywhere in the world, the Mexican government prosecuted Cutting for libel upon his return to Mexico and sentenced him to a year of imprisonment and hard labor.
Alarm was palpable in Washington. “If Mr. Cutting can be tried and imprisoned in Mexico for publishing in the United States a criticism on a Mexican business transaction in which he was concerned,” the then-secretary of state warned, “there is not an editor or publisher of a newspaper in the United States who could not, were he found in Mexico, be subjected to like indignities and injuries on the same ground.” The secretary also raised sovereignty concerns, procedural violations, and the risk of abuse.
These risks are just as real today. Because states are largely free to craft broad offenses, the cybercrime treaty facilitates states using passive personality jurisdiction to target foreign journalists and dissidents.
Consider Pakistan’s 2021 arrest of domestic journalists for alleged cybercrimes. Their conduct seemingly entailed only political commentary, but their arrest was for “alleged electronic forgery; making, obtaining, or supplying a device for an offense; and the transmission of malicious code.” All of those offenses could fall under the proposed convention’s provisions on interference (Articles 9 and 10), device misuse (Article 11), and forgery (Article 12). Now, freed from the traditional constraints on targeting extraterritorial conduct, Pakistan and other countries could start prosecuting any foreign journalists who wrote similar articles.
Of course, a state could invoke its obligation to comply with international human rights law under Article 6 of the treaty to decline to assist in electronic monitoring or extradition. But as the Electronic Frontier Foundation astutely observed, the broader problem in the convention “is the leeway that it gives to states to decide whether or not to require human rights safeguards,” including the ability to “choose to cooperate with” investigating conduct that is not a crime under those states’ domestic law. This means that states that want to use the treaty’s endorsement of passive personality jurisdiction to cooperate in punishing noncitizens’ conduct outside the territory of a requesting state (or of either state) can do so.
A Barrier to Cooperation
Passive personality jurisdiction is unnecessary to address the challenges of cybercrime, and it is not clear the states negotiating the treaty thought otherwise. The passive personality language in the cybercrime treaty mirrors the language in the organized crime and corruption conventions, and it appears to have been reprised without much thought. For instance, the brief reference to jurisdiction in the European Union’s early submission to the negotiations notedonly that it “should be modelled on the approach set out in existing legal instruments, such as in article 15 of the Organized Crime Convention.” This may have reflected a genuine desire for expansive jurisdiction, but it was more likely part of a consistent effort to focus the drafting process on existing, acceptable language, as the EU repeatedly referenced prior conventions for substantive language.
Tellingly, neither the Budapest Convention on Cybercrime nor the Arab League’s Convention on Combating Information Technology Offences contains any endorsement of passive personality jurisdiction. These existing instruments have been treated as valuable during the UN drafting process precisely because of their efficacy. Indeed, more than a dozen countries have requested accession or have acceded to the Budapest Convention since the launch of the UN treaty negotiations in February 2022.
Passive personality jurisdiction is unhelpful in part because it does nothing to address a primary jurisdictional issue in cyberspace: the competing jurisdictional claims that arise because a cybercrime may involve elements that occur in multiple states’ territory. By expanding when countries can claim jurisdiction, passive personality jurisdiction would worsen the problem of concurrent jurisdiction. In cases of concurrent jurisdiction, the treaty only has the lackluster, essentially optional requirement that states “shall, as appropriate, consult one another with a view to coordinating their actions.”
Thus, perversely, passive personality jurisdiction undermines the fundamental treaty purpose of unifying the cybercrime regime. Rather than encouraging cooperation on a shared core of cybercrimes, the treaty permits fragmented criminal enforcement that legitimizes states exercising jurisdiction over many cyber offenses—defined as each state chooses—against any of their nationals.
The General Assembly is not obligated to accept the treaty text as proposed by the committee it created. While changes would be difficult—every state would seek to reopen debates—excising passive personality jurisdiction need not be. Because most states likely did not understand the implications of this provision, nor was it the focus of debate, removing it should be high on the General Assembly’s list when member states gather to deliberate this fall.