Abstract: The United Nations Convention Against Cybercrime stipulates two types of technical investigation measures: real-time collection of traffic data and interception of content data. It differentiates between real-time investigation measures and retrospective investigation measures, content data and traffic data, as well as law enforcement agencies and network service providers, reflecting the characteristics of differentiated regulation. However, China's technical investigation provisions exhibit the features of general regulation in terms of substantive scope, data types, and procedural requirements, leaving room for improvement with the requirements of the principle of proportionality. In this regard, it is necessary to align domestic technical investigation provisions with the norms of the Convention. Firstly, "technical investigation measures" should be revised to "covert investigation measures" and distinguished from other investigation measures. Secondly, content data and traffic data should be used as data classification rules, and sensitive personal information and general personal information as data grading rules. Thirdly, high-intervention technical investigation measures and low-intervention technical investigation measures should be distinguished, and different procedural requirements should be matched accordingly.