On October 25–26, countriesgathered in Hanoi to sign the UN Convention on Cybercrime. Although intended to combat cybercrime, this treaty could jeopardize cross-border online rights, particularly in countries with authoritarian tendencies.
The Tifa Foundation joins civil society voices around the world in calling on governments to reject or amend this agreement to protect our freedom online. Read the joint statement here.
What is the UN Convention on Cybercrime?
Text: The UN Cyber Convention is the first global treaty to combat cybercrime, signed in 2025. This treaty regulates surveillance powers and data sharing for “serious crimes,” including peaceful protests, criticism of the government, journalism, and reporting of violations. It also promotes global cooperation through the sharing of electronic evidence and the establishment of a 24-hour network for law enforcement.
Although intended to make the digital world safer, this agreement includes surveillance powers and data-sharing rules that could threaten privacy and freedom of expression without strong human rights protections.
Why should we worry?
Many countries criminalize free speech and activism that are protected by human rights.
In the Indonesian context, signing the agreement could exacerbate existing risks of digital repression embedded in domestic law, including the Electronic Information and Transactions Law (ITE Law). The broad surveillance powers and cross-border data sharing provisions in this Convention reflect concerns about the weak safeguards and broad definitions in these laws, which already allow for the criminalization of online dissent, activism, journalism, and minority rights.
In addition, the Personal Data Protection Act (PDP Law) is still in the early stages of enforcement, making it vulnerable to disruption by the Convention’s broad law enforcement data-sharing obligations, thereby risking the erosion of developing privacy protections and digital rights.
Key risks and problematic provisions in the UNCC
The harmful provisions in this agreement include:
- Section 24: Allows forintrusive domestic surveillance with weak safeguards, granting the government the authority to collect content, traffic, and subscriber data without adequate oversight.
- Section 25: Allows for gag orders against service providers, prohibiting them from informing users about data access or surveillance.
- Sections 29–30:Authorize law enforcement officials to conduct wiretapping and collect data in real time as part of criminal investigations.
- Article 35:Calls for broad cross-border sharing of electronic evidence to facilitate the investigation and prosecution of transnational cybercrimes, thereby allowing countries with poor human rights records to request data on activists or dissidents.
- Section 42: Explicitlypermits “not notifying users” about surveillance or data requests.
- Section 47: Allows for extensive law enforcement cooperation, including the sharing of biometric data and police predictive tools, which often target marginalized communities.
These provisions risk infringing on privacy, freedom of expression, and the right to peaceful assembly. Without strong human rights protections and transparency, this agreement empowers governments to monitor, silence, and suppressonline dissentacross borders.
What should countries, including Indonesia, do?
Before signing, the government must:
- Conducting extensive consultations with civil society, human rights organizations, data protection authorities, the private sector, and other stakeholders.
- Ensuring that national laws comply with international human rights standards, such as the Necessity and Proportionality Principles and Convention 108+.
- Implement the agreement while respecting human rights through legislative reforms and by making reservations where necessary.
- Regulate international cooperation based on the principle of dual criminality and reject requests for legal assistance that could potentially violate human rights.
- Maintaining transparency by publicly reporting requests that have been received, approved, or rejected in accordance with the agreement.
- Strongly involving stakeholders in the implementation of the agreement.
Is the UN Convention on Cybercrime a Threat to Our Digital Freedoms?
On October 25–26, countries gathered in Hanoi to sign the UN Convention on Cybercrime. While intended to combat cybercrime, this treaty could jeopardize online rights across borders, particularly in countries undergoing an authoritarian shift.
The Tifa Foundation joins civil society organizations around the world in calling on governments to reject or amend this treaty to protect our online freedoms. Read the joint statement here.
What is the UN Convention on Cybercrime?
The UN Cybercrime Convention is the first global treaty to combat cybercrime, signed in 2025. It grants surveillance powers and authorizes data sharing for “serious crimes,” including peaceful protest, criticism of the government, journalism, and whistleblowing. The treaty also promotes global cooperation through the sharing of electronic evidence and the establishment of a 24/7 network for law enforcement.
While it aims to make the digital world safer, it includes surveillance powers and data-sharing rules that could threaten privacy and freedom of expression without strong human rights protections.
Why should we be concerned?
Many countries criminalize speech and activism that are protected under human rights.
In the Indonesian context, signing the treaty could exacerbate existing risks of digital repression embedded in domestic laws, including the Electronic Information and Transactions Law (ITE Law). The Convention’s expansive surveillance and cross-border data-sharing powers echo concerns regarding weak safeguards and broad definitions in these laws, which already allow for the criminalization of online dissent, activism, journalism, and minority rights. Furthermore, Indonesia’s nascent Personal Data Protection Law (PDP Law), with limited enforcement capacity and institutional maturity, risks being undermined by the Convention’s extensive law enforcement data-sharing obligations, threatening privacy and digital rights.
Key risks of this treaty and problematic provisions
The treaty’s dangerous provisions include:
- Article 24: Allows intrusive domestic surveillance with weak safeguards, empowering states to collect content, traffic, and subscriber data without robust oversight.
- Article 25: Allows for gag orders on service providers, prohibiting them from notifying users about data access or surveillance.
- Articles 29–30: Grants law enforcement officers the authority to conduct interception and real-time data collection as part of a criminal investigation (real-time collection and interception).
- Article 35: Requires broad cross-border sharing of electronic evidence to facilitate the effective investigation and prosecution of cross-border cybercrime.
- Article 42: Explicitly authorizes “no notification to the user” regarding surveillance or data requests.
- Article 47: Enables extensive law enforcement cooperation, including the sharing of biometric data and predictive policing tools, which often target marginalized communities.
These provisions risk violating privacy, freedom of expression, and the right to peaceful assembly. Without robust human rights safeguards and transparency, the treaty empowers governments to surveil, silence, and repress online dissent across borders.
What must do, including Indonesia, do?
Before signing, governments must:
- Consult extensively with civil society, human rights organizations, data protection authorities, the private sector, and other stakeholders.
- Ensure that laws are consistent with international human rights standards, such as the Necessary and Proportionate Principles and Convention 108+.
- Implement the treaty on human rights by updating laws and making reservations if necessary.
- Base international cooperation on the principle of dual criminality and reject requests that are likely to violate human rights.
- Maintain transparency by publicly reporting requests that have been received, approved, or denied.
- Involve stakeholders actively in the implementation of the treaty.