Big Question: How are Cybercrime Laws Weaponized to Legalize Repression?

Edited by Maya Recanati and Beth Kerley

Across the globe, autocrats are working to quash dissent online through a combination of domestic legal tools and digital surveillance. In particular, vaguely worded cybercrime laws have emerged as a powerful tool to help authoritarians turn political opponents into criminals. In this context, digital rights defenders fear that the UN General Assembly’s possible adoption of a new global Convention against Cybercrime—the outgrowth of a Russian-led initiative—could give an international stamp of approval to legalized assaults on free expression. In addition, there are worries that ambiguous provisions within the treaty could encourage abusive forms of state surveillanceboth within and across bordersand deepen transnational repression. To better understand how the democratic community can push back against an alarming global trend toward the abuse of cybercrime charges, the International Forum for Democratic Studies asked four leading experts from different regions to answer the following questions:  

What concerns do the abuse of cybercrime laws (and the potential UN Convention against Cybercrime, as drafted) present for the work and safety of democratic actors in your region or field of study? What strategies can democratic actors use to push back against these practices?


 

Andrej Petrovski, SHARE Foundation

The abuse of overly broad or repressive cybercrime laws poses a serious threat to democratic actors worldwide. In authoritarian regimes, vague legislation nominally aimed at combating cybercrime provides a framework for criminalizing online expression that challenges elites—whether by critiquing the government, advocating for human rights, or providing visibility to stigmatized and oppressed groups. The UN Convention against Cybercrime as currently drafted has the potential to amplify and legitimize such abuses, further constricting online spaces. 

To understand why the Convention’s deference to domestic cybercrime laws may create problems, we can look to Jordan, where the 2023 Cybercrime Law has been used to prosecute people for online activities labeled as “spreading fake news” or “provoking strife.” Such subjective designations can cover a wide range of expression depending on the whims of the authorities.  

Free expression is also at risk from other kinds of national-legal provisions that, when applied to online spaces, effectively create “cybercrimes.” In my country, Serbia, civil society is concerned that proposed changes to the Criminal Code banning the “dissemination of materials that advise on committing criminal acts,” including online, could leave space for authorities to criminalize social media posts that contain calls to join protests. This type of speech has already been criminalized in settings such as Turkey. Adoption of the treaty—which applies broadly to “criminal offences committed by means of an information and communications technology system”—would legitimate government actions penalizing people merely for speaking out online. 

An additional area of concern is the convention’s provisions on cross-border electronic data sharing. The convention enables data sharing between countries without judicial oversight for any crime punishable by four or more years of imprisonment. Given this provision, repressive governments could target activists and political opposition figures abroad by compelling other states to surrender their digital data. Take the example of Georgia’s new “foreign agent” law, which carries a sentence of up to five years for those deemed to be “foreign agents.” Under the treaty, the host country of a Georgian activist living abroad could be required to hand over data to Georgian authorities on his or her online activity. For individuals seeking to challenge government repression from abroad, unconstrained cross-border data sharing is a threat not only to freedom of expression, but also to basic privacy and security. 

For individuals seeking to challenge government repression from abroad, unconstrained cross-border data sharing is a threat not only to freedom of expression, but also to basic privacy and security. 

To counter these threats, democratic actors must push for legislative protections that limit the reach of cybercrime laws to genuine cybercriminal activities—such as fraud and the production and distribution of malware, as well as other activities outlined by frameworks like the 2001 Budapest Convention. Furthermore, building coalitions of civil society organizations can amplify resistance against ratification of the convention, helping to secure the digital space for freedom of expression, even under increasing authoritarian pressure. 

Andrej Petrovski is the Director of Tech/CERT at SHARE Foundation, based in Belgrade, Serbia, with a background in software engineering and a master’s degree in electronic crime and digital forensics. Follow him on X. 

 

Nenden Sekar Arum, Southeast Asia Freedom of Expression Network (SAFEnet)

Digital regulations and policies adopted by Southeast Asian governments have posed serious threats to human rights and civil liberties. Although they are allegedly intended to combat cybercrime, these regulations are often misused to limit democratic space under the guise of protecting “national security” and “improving safety.”  

Many countries in Southeast Asia have enacted ambiguous cybercrime laws that create opportunities for states to target journalists, activists, political opposition, and other democratic actors. The overly broad definitions of “online harms” and “cybercrime” in these laws have made them tools for censorship and unreasonably restrict citizens’ online activities. These risks are exacerbated by a lack of transparency around the adoption and implementation of these regulations. 

The overly broad definitions of “online harms” and “cybercrime” in Southeast Asian laws have made them tools for censorship and unreasonably restrict citizens’ online activities.

For example, my organization Southeast Asia Freedom of Expression Network (SAFEnet) noted that between 2013 and 2023, there were at least 626 cases in which Indonesian citizens were reported to the police under articles on defamation, hate speech, and insults in the Electronic Information and Transactions Law (EIT Law), Indonesia’s version of a cybercrime law. In addition, SAFEnet found when criminal cases were based on the EIT Law and heard in Indonesian courts, the conviction rate was a remarkable 96.8% and the imprisonment rate was 88%, raising questions about due process. 

One striking case involves an environmental activist in Karimun Jawa, Indonesia who was prosecuted for posting “hate speech” after criticizing shrimp pond pollution on social media. Although he was eventually acquitted following an appeal, this case shows how digital regulations can be weaponized against those advocating for even basic public interest. 

To counter these challenges, democratic actors must continue to educate the public about the implications of dubious ‘cybercrime laws’ on their digital rights and strengthen civil society organizations’ capacities for mitigation and incident response. Regional networks must also consistently monitor the implementation of cyber regulations across countries, fostering solidarity to resist and challenge any violations of rights and freedoms collectively. 

Southeast Asian countries must improve their approach to digital regulation, ensuring that laws protect democracy and uphold human rights rather than restrict them. Without these changes, digital regulations or cybercrime laws will become widely used tools of oppression, eroding citizens’ fundamental freedoms and undermining democratic values. 

Nenden Sekar Arum is the Executive Director of Southeast Asia Freedom of Expression Network (SAFEnet) defending digital rights in the region. With a computer science degree and a journalism background, she is committed to exploring and addressing the critical intersection of technology and social issues. Follow her on LinkedIn. 

 

Metehan Durmaz, SMEX

The misuse of cybercrime laws in Southwest Asia and North Africa has become a tool for suppressing dissent, targeting democratic actors, and silencing marginalized voices. The Convention—which fails to define cybercrime adequately and includes language that covers cyber-enabled crimes—could exacerbate these serious threats to freedom of expression and privacy.  

Across the region, cybercrime laws have led to the arrests of activists and government critics. In Jordan, between August 2023 and August 2024, authorities charged hundreds of individuals under the country’s Cybercrimes Law for social media posts that criticized authorities. For example, in July 2024, lawyer and activist Moutaz Awwad was convicted under Article 17 of the Cybercrimes Law for “provoking sedition or strife” through his posts on X (formerly Twitter). Awwad’s posts, which criticized Arab policies toward Israel, resulted in a fine of 5,000 Jordanian Dinars (about 7,000 USD).  

In Jordan, between August 2023 and August 2024, authorities charged hundreds of individuals under the country’s Cybercrimes Law for social media posts that criticized authorities.

In Egypt, the 2018 Cybercrime Law, particularly Article 7, allows the government to block websites and arrest individuals for online content deemed harmful to “national security” or “public morals.” This provision has enabled Egyptian authorities to suppress independent journalism and detain activists under ambiguous charges like “spreading false news.”  

But the risks posed by the Convention do not end with its potential to reinforce domestic abuses. The inclusion of language enabling mutual assistance for “severe crimes,” defined as those punishable by at least four years of imprisonment, encourages invasive cross-border data sharing that can target LGBTQI+ groups and individuals, as well as human rights and democratic actors. To put this issue in perspective, the threshold set for severe crimes is low enough to cover “crimes” like defamation and libel in Tunisia or homosexuality in Kuwait and Libya. These cooperation provisions jeopardize the safety of communities targeted for state repression, as well as democratic and human rights activists—even when they are outside the country that seeks to condemn them.  

If the UN Convention against Cybercrime is adopted, civil society can use Articles 6 and 24 of the treaty, which focus on human rights and safeguards, as a critical tool to counter the misuse of cybercrime laws. The Convention explicitly mandates that its implementation must align with international human rights obligations, including the protection of freedoms such as expression, association, and privacy. This language provides a strong legal basis for advocacy against the exploitation of the Convention’s provisions to target dissent, LGBTQ+ individuals, or marginalized voices.  

Unfortunately, Southwest Asian and North African civil society’s ability to counter the misuse of cybercrime laws is severely limited, leaving activists with little recourse to leverage domestic legal protections. Nevertheless, civil society has a crucial role in documenting abuses and amplifying the stories of those affected. Civil society’s role in the region remains one of resistance through exposure, advocacy, and an unwavering commitment to human rights, even when immediate impact seems out of reach.  

Metehan Durmaz is a policy analyst at SMEX. He has a background in IT law and international law, and specializes in digital rights, privacy, AI and compliance, focusing on issues like data protection, AI regulation, and the ethical governance of emerging technologies.  

 

Allie Funk, Freedom House

The United Nations’ Cybercrime Convention may escalate transnational repression. The Convention could rubber-stamp the broad criminalization of online expression as “cybercrime,” making it easier for governments to extradite journalists and human rights defenders based abroad. The treaty also contains provisions that enable cross-border data sharing with minimal human rights safeguards, which could strengthen authoritarians’ ability to track dissidents in exile.  

The majority of the convention’s co-sponsors—Russia, Belarus, Cambodia, China, Iran, Burma, Nicaragua, Russia, and Venezuela—have a track record of transnational repression. The link between gathering personal data and efforts to silence dissent beyond borders is clear: of the 44 governments that Freedom House has identified as origin states of transnational repression, at least 23 have issued digital threats. Moreover, at least 17 have used spyware to surveil critics and members of the diaspora.  

Saudi human rights defender Loujain Al-Hathloul was extradited in 2018 from the UAE to Saudi Arabia, after surveillance technology from DarkMatter—an Emirati spyware developer—helped officials identify her geographic location. Carine Kanimba, the Belgium-based daughter of Rwandan activist Paul Rusesabagina, had her phone infected with Pegasus spyware as she advocated against her father’s abduction, forced return to, and imprisonment in Rwanda in 2020.  

In these types of cases, the convention would provide a new legal mechanism for governments to surveil their targets: simply requesting access to personal data from host countries and tech companies. Such practices will put people in exile at further risk of physical targeting. 

A recent statement by Russian diplomats asserts that they “are convinced that [the Cybercrime Treaty] is the first step towards a universal international legal regulation of the use of ICTs.” The Vietnamese government has also volunteered to host the convention’s signing ceremony next year. Such moves confirm fears that many states see this initiative less as a tool for combating cybercrime than as a chance to curtail human rights. 

A recent statement by Russian diplomats asserts that they “are convinced that [the Cybercrime Treaty] is the first step towards a universal international legal regulation of the use of ICTs.”

A diverse coalition of experts have outlined how to reduce the likelihood of the Convention facilitating transnational repression. Civil society groups should push for their governments to resist ratification domestically, encourage democratic governments to refuse cooperation with data sharing requests from states where access to personal information could lead to abuses, and advocate for improvements to the Convention via follow-on protocol negotiations. They should also reform and bring strategic litigation against repressive domestic laws that criminalize online activities. But to do this work, civil society needs far more support from democracies, the private sector, and philanthropy. They should be provided with the necessary resources—financial support, as well as robust transparency about how states and companies are implementing the convention—to counter its human rights harms effectively. 

Allie Funk is Research Director for Technology and Democracy at Freedom House. She also serves on the Advisory Network for the Freedom Online Coalition, on the Board of Directors for the Global Network Initiative, and is a Term Member at the Council on Foreign Relations. Follow her on LinkedIn and Bluesky.

 

CLICK HERE FOR MORE “BIG QUESTIONS.”


Respondents’ answers have been edited for length and clarity, and do not necessarily reflect the views of the National Endowment for Democracy. Image Credit: Shutterstock/Nicescene.

Share