Cybercrime Treaties and Domain Policy The Budapest Convention and Beyond

The governance of domain names has long been a technical and commercial matter, but the rise of cybercrime has pulled the DNS into the orbit of international law and diplomacy. Domains are not only the addresses of legitimate businesses, nonprofits, and individuals but also the infrastructure exploited by criminals for phishing, botnet control, ransomware distribution, intellectual property theft, and disinformation. As such, domain policy now intersects directly with international treaties on cybercrime, the most prominent being the Budapest Convention on Cybercrime of 2001. Over the past two decades, this treaty and subsequent efforts at multilateral cooperation have shaped how states approach the DNS as a tool of investigation, enforcement, and prevention. The resulting landscape reveals both the promise and the limits of international cybercrime frameworks, and it underscores the political and economic stakes of aligning domain policy with global security agendas.

The Budapest Convention, formally known as the Convention on Cybercrime, was the first international treaty dedicated to addressing crimes committed via the internet and other computer networks. Drafted by the Council of Europe and opened for signature in 2001, it set out harmonized legal standards for defining cybercrimes, procedural powers for investigating them, and mechanisms for international cooperation. Although drafted by European institutions, the convention quickly attracted signatories beyond Europe, including the United States, Canada, Japan, and several Latin American countries. One of the treaty’s enduring contributions has been its attempt to create a shared baseline of cybercrime definitions, from illegal access and data interference to computer-related fraud and intellectual property violations.

Domains are not explicitly the focus of the Budapest Convention, but the treaty’s provisions have had major implications for domain policy. Article 18, for instance, establishes the power of authorities to compel the disclosure of subscriber information from service providers. In practice, this has meant that registrars and registries, as intermediaries in domain registrations, can be required to provide registration data to investigators. Article 32, which deals with transborder access to stored computer data, raises further implications for cross-border requests involving domain data, particularly in the WHOIS system. Although originally designed as a technical directory, WHOIS became central to investigations under Budapest-era enforcement, serving as a quasi-law enforcement resource for identifying registrants. This reliance on WHOIS created tension with privacy frameworks such as the GDPR, highlighting the difficulty of reconciling international cybercrime cooperation with evolving standards of data protection.

The Budapest Convention also encouraged the idea that the DNS is critical infrastructure for security, not merely a marketplace. This framing has influenced how national governments approach registries and registrars, increasingly treating them as points of control in fighting cybercrime. Some states have enacted domestic legislation requiring registries to maintain accurate registrant information, establish abuse reporting mechanisms, and respond promptly to law enforcement requests. Others have implemented national frameworks where domain suspensions or takedowns are mandated for domains linked to criminal activity. These policy tools, though rooted in domestic law, are legitimized by the broader spirit of Budapest, which stresses that cross-border cybercrime requires harmonized obligations for digital intermediaries.

At the same time, the Budapest Convention has been a site of political controversy. Not all states have embraced it, with Russia, China, and several other countries rejecting the treaty on the grounds that it infringes on sovereignty by allowing cross-border access to data without sufficient safeguards. Moscow and Beijing have instead championed alternative models of cyber governance, culminating in efforts at the United Nations to develop a rival global cybercrime treaty. From their perspective, Budapest reflects Western priorities and imposes obligations that could be used to justify extraterritorial reach into their digital infrastructures. For domain policy, this divide has real consequences: while Western-aligned states emphasize transparency, cooperation, and access to registration data, others prioritize state sovereignty, national control over DNS operations, and restrictions on cross-border data flows. The result is an increasingly fragmented landscape, where the norms established by Budapest are influential but far from universal.

The role of domains in cybercrime enforcement has expanded further with the rise of ransomware, online fraud, and disinformation. Domains are often the first and most visible infrastructure of malicious campaigns, making their suspension or seizure an attractive enforcement tool. Inspired by Budapest’s framework for expedited preservation and disclosure of data, many governments have developed streamlined procedures for domain-related enforcement actions. U.S. agencies such as the FBI and Department of Justice have conducted sweeping domain seizures against platforms accused of distributing malware or hosting fraudulent schemes. European states have similarly pursued domain suspensions in collaboration with registrars, often facilitated by Computer Emergency Response Teams (CERTs). These practices draw legitimacy from the cooperative ethos of Budapest, even if the treaty itself predates many of the threats now dominating the landscape.

However, the use of domains as enforcement targets raises questions about safeguards. While Budapest promotes due process, the actual mechanisms for domain takedowns vary widely across jurisdictions. In some countries, law enforcement can compel a registrar to disable a domain with minimal judicial oversight, while in others more rigorous procedures are required. Critics argue that the lack of harmonized safeguards risks abuse, with governments using cybercrime as a pretext for silencing dissent or restricting political opposition. Civil society organizations have raised alarms that domain suspensions, justified in the name of cybersecurity, can easily slide into censorship when not accompanied by strong oversight. These concerns echo the broader criticisms of Budapest, which some argue grants too much discretion to states without sufficiently constraining potential misuse.

The “beyond” in the Budapest story lies in ongoing efforts to adapt or replace the treaty in light of new realities. In 2021, the Council of Europe adopted the Second Additional Protocol to the Budapest Convention, addressing challenges of cross-border access to electronic evidence. This protocol created new tools for direct cooperation between law enforcement and service providers across borders, streamlining requests for domain data among other categories of information. For registrars and registries, this means growing pressure to respond to foreign law enforcement requests even without the mediation of domestic authorities. While this increases efficiency for cybercrime investigations, it also raises sovereignty and privacy concerns, as private companies are drawn into quasi-diplomatic functions by responding to extraterritorial demands.

Meanwhile, the United Nations has launched negotiations on a new global cybercrime treaty, led by countries that have resisted Budapest. The draft texts debated in this forum suggest a broader scope, encompassing not only traditional cybercrimes but also information content offenses. For domain policy, this could mean the codification of norms where domains associated with “extremism,” “terrorism,” or “false information” are subject to takedowns under treaty obligations. Western states fear that such provisions would legitimize censorship under the guise of cybercrime enforcement, giving authoritarian regimes treaty-based justification to seize or suspend politically sensitive domains. The contrast between the Budapest framework and the UN-led negotiations underscores how domain policy has become entangled in competing visions of internet governance, with one emphasizing cross-border evidence access and another emphasizing state sovereignty and content control.

For investors and businesses, the intersection of cybercrime treaties and domain policy creates both risks and obligations. Registrars must navigate an increasingly complex compliance environment, where demands for accurate registrant data, timely response to abuse complaints, and cooperation with foreign law enforcement continue to grow. Portfolio managers must account for the possibility that domains could be suspended or seized under broad cybercrime justifications, affecting asset value and liquidity. Companies offering services in multiple jurisdictions face the challenge of reconciling conflicting treaty obligations, privacy laws, and domestic requirements. The edge lies in anticipating regulatory shifts, ensuring robust compliance mechanisms, and recognizing that domains are no longer neutral identifiers but contested instruments of law and diplomacy.

The Budapest Convention and its successors demonstrate how cybercrime treaties have reshaped the global approach to domain names. What began as a technical layer of the internet has become a frontline in the struggle against crime, fraud, and disinformation. Yet as treaties proliferate and diverge, the safeguards needed to protect due process, privacy, and free expression remain uneven. The politics of cybercrime cooperation now play out directly in domain policy, where registrars and registrants are subject not only to market dynamics but also to the competing imperatives of law enforcement, state sovereignty, and human rights. The future of domain governance will hinge on how these treaties evolve, whether they converge toward a balanced global framework or fracture along geopolitical lines. In either scenario, the Budapest Convention will remain the reference point, both as a pioneer and as a contested symbol, in the ongoing struggle to reconcile international security with the openness and universality of the domain name system.

The governance of domain names has long been a technical and commercial matter, but the rise of cybercrime has pulled the DNS into the orbit of international law and diplomacy. Domains are not only the addresses of legitimate businesses, nonprofits, and individuals but also the infrastructure exploited by criminals for phishing, botnet control, ransomware distribution,…