Microsoft: UN Treaty Sets Ideal Conditions for Cybercrime Prevention

Amy Hogan-Burney, Associate General Counsel for Cybersecurity Policy & Protection at Microsoft, has raised serious concerns about a proposed United Nations cybercrime treaty led by Russia.

As cybercrime becomes more sophisticated and widespread, international cooperation among law enforcement, governments, private companies, and civil society is essential. Effective cross-border action depends on clear definitions, shared standards, and mechanisms that enable collaboration without undermining fundamental rights.

A major obstacle to such cooperation is the lack of consensus on what constitutes cybercrime, which complicates investigations, mutual legal assistance, and the development of consistent legal frameworks across jurisdictions.

The UN’s Ad Hoc Committee has entered its sixth round of negotiations to draft a global cybercrime treaty. The current draft—originally tabled by Russia and supported by several other states—aims to harmonise definitions and create a legal framework for international cooperation on cyber threats.

Hogan-Burney warns that the treaty’s imprecise language could produce harmful side effects. Rather than serving exclusively as a tool to combat cybercrime, the treaty could be repurposed to justify intrusive cross-border data access, increased state surveillance, and restrictions on online expression—outcomes that could empower authoritarian governments to misuse the treaty’s provisions in the name of security.

To prevent misuse, negotiators must draft clear, narrow provisions that advance cybersecurity and criminal justice goals without enabling abuses. The treaty should not provide cover for censorship, unchecked surveillance, broad extraterritorial access to personal data, or vaguely worded offences that could criminalise routine and legitimate security work.

One especially troubling aspect of the current draft is the expansive scope it gives to government access to personal data, including provisions that could allow real-time surveillance and cross-border data collection without notifying the individuals affected or the states where they reside. Such measures would raise serious privacy and human rights concerns and could conflict with established data protection norms.

Expanding surveillance powers in this way risks creating jurisdictional conflicts and eroding trust between countries, undermining the treaty’s aim of enhancing cooperation against cybercrime.

Hogan-Burney also stresses the need to protect legitimate cybersecurity activities. The draft’s criminalisation language, she notes, is too vague and does not explicitly require criminal intent. Without that safeguard, essential practices like vulnerability testing and penetration testing—critical for identifying and fixing security flaws—could be wrongly treated as criminal acts.

“The text also does not contain language protecting lawful cybersecurity work that keeps the digital ecosystem secure. We need to ensure that ethical hackers who use their skills to identify vulnerabilities, simulate cyberattacks, and test system defenses are protected.

Key criminalisation provisions are too vague and do not include a reference to ‘criminal intent’, which would ensure activities like penetration testing remain lawful.

In other words, unless these issues are addressed, the treaty could create the ideal conditions for cybercrime to thrive.”

Negotiations at the sixth session are progressing slowly as member states debate the merits and risks of the draft. The final outcome remains uncertain.

As delegates prepare to consider revised text, Hogan-Burney urges them to adopt clear, balanced standards that protect human rights while enabling effective action against cybercrime. Her recommendations focus on aligning the treaty with existing privacy protections, limiting overbroad criminalisation, and ensuring robust oversight.

Key recommendations include:

  • Align the treaty with established data protection frameworks to avoid conflicts and preserve privacy norms.
  • Criminalise clearly defined core cybercrime offences while resisting overly broad or ambiguous definitions that could sweep up legitimate activities.
  • Include human rights safeguards, such as independent oversight, transparency measures, and effective remedies for affected individuals.
  • Ensure the treaty explicitly protects ethical hackers and cybersecurity researchers conducting lawful security testing and vulnerability disclosure.
  • Improve transparency in cross-border data requests and strengthen extradition and mutual legal assistance to prevent safe havens for cybercriminals.

Microsoft’s engagement highlights how governments, the private sector, and civil society can work together to counter cyber threats. Hogan-Burney’s critique underlines the importance of careful drafting: a treaty with precise language and firm human rights protections could become a powerful instrument for global cybersecurity, while a poorly written one could unintentionally facilitate abuse.

The stakes are high. The direction taken by negotiators will shape international law and practice on cybercrime for years to come, affecting privacy, digital security, and trust between nations.
