Scenario 24: Internet blockage

In response to widespread protests, a State takes measures to isolate its domestic internet networks from connecting with the global internet. These actions also lead to a massive internet outage in the neighbouring State, whose internet access was contingent on interconnection with a large network in the former State. The analysis considers whether the first State’s actions amount to violations of international law, in particular with respect to the principle of sovereignty, international human rights law, international telecommunication law and the responsibility to prevent transboundary harm.

Keywords
Sovereignty, international human rights law, transboundary harm, international telecommunication law, internet access

Facts
[F1] In an attempt to curb growing citizen protests that have been receiving global attention, the government of State A takes several measures, including ordering a complete internet shutdown in its territory. This disrupts daily life of State A’s citizens, seriously impeding their communications and economic activity.

[F2] As a part of the shutdown, networks and internet service providers in State A are ordered to halt the exchange of all internet traffic with networks in other countries. State A takes these measures without taking any advance steps to inform other States that it is about to suspend its international internet traffic. State A is aware that the measures will hinder internet connectivity in the neighbouring State B, and the negative consequences this will have on State B. It takes no mitigating measures to reduce the impact.

[F3] State B has only one internet service provider (ISP), and its international connectivity is largely contingent on the exchange of traffic with a leading ISP in State A. Since the latter has been subjected to the government-imposed requirement to isolate its internet network from connections outside of State A, State B has suffered a sudden and widespread internet outage, which lasts for the entire duration of State A’s internet shutdown. A major part of the population of State B has thus been cut off from the internet, while the rest of State B suffers from extremely slow connections.

[F4] The inhabitants of State B rely on connectivity with global networks to carry out day-to-day activities, including economic activities integral to their livelihood. Due to the outage, State B’s government offices and essential services such as hospitals, banks and law enforcement are significantly limited in the performance of their tasks. Other critical infrastructure in State B, including the electricity grid, military and satellite installations, and air traffic control is internally interconnected, and continues to operate normally throughout the period.

Examples
''This scenario explores a circumstance where a domestic internet shutdown/isolation order from a State to ISPs under its jurisdiction has effects outside its borders because of network infrastructure interconnection and interdependencies. While there are no known incidents to date that would comprehensively match the facts of this scenario, several real-life examples including those below illustrate how internet access in a country can be contingent on a single network or a component of physical infrastructure that lies outside its jurisdiction, and can be effectively restricted by measures taken by States or other actors abroad.''
 * Bangladesh internet outage (2008)
 * Caucasus internet outage (2011)
 * Iranian internet blackout (2019)
 * Russia's sovereign internet (2019 onward)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis considers the relevant obligations of State A with respect to international human rights law (IHRL), the principle of sovereignty, the law on transboundary harm, and international telecommunication law.

State A’s obligation to respect human rights
[L2] Article 19 of the ICCPR establishes the right of every individual to hold opinions without interference and to seek, receive and impart information “regardless of frontiers”, through any media of their choice. In the present case, denying access to inhabitants of State A to seek, receive or impart information internationally (via the internet) interferes with this right. Paragraph 3 of Article 19 states that the right to free speech may be limited by implementing measures necessary “for respect of the rights or the reputations of others” or “for the protection of national security or public order”. The UN Special Rapporteur on Freedom of Speech and Expression has categorically stated in a report that “network shutdowns invariably fail to meet the standard of necessity”. The UN Special Rapporteur's report further argues that shutdowns are generally disproportionate, even though the duration and geographic scope may vary. Such measures rarely attain their stated purpose of national security or public order as network shutdowns rather accentuate panic and disorder. It is questionable, in the present case, whether and how the internet shutdown would contribute to maintaining public order in State A. Instead, the measures imposed appear to aim at preventing domestic protests from receiving external support and spreading information. Therefore, the conditions under Article 19 to restrict this right have not been met. The measures undertaken by State A violated the right to freedom of expression and opinion of the individuals within its territory, thus breaching an international legal obligation.

[L3] For similar reasons, State A’s measures may also have violated its inhabitants’ right to peaceful assembly, provided for in Article 21 of the ICCPR. As the UN Special Rapporteur on the Freedom of Peaceful Assembly and Association noted, such internet shutdowns “can never be considered a lawful restriction of this fundamental freedom”.

[L4] To determine whether the human rights of the inhabitants of State B were also violated, an evaluation of the extra-territorial application of international human rights law (IHRL) is needed. As summarized in the box above, the prevailing opinion at present is that human rights obligations do apply to some acts of a State outside its territory. In our view, States owe a duty to refrain from violating the human rights of individuals abroad who are within those States’ power or effective control. First, this is because the interpretation of Article 2(1) of the ICCPR hinges on the significance of the word ‘respect’ in that provision, which would be redundant if one were to adopt the view that human rights obligations do not apply extraterritorially at all. A technically correct reading, it is submitted, implies the following points: (1) each State must respect the rights recognized in the present Covenant, and (2) it must ensure to all individuals within its territory and subject to its jurisdiction the rights recognised in the present Covenant.

[L5] Second, as held by the European Court of Human Rights (ECtHR), human rights treaties “cannot be interpreted so as to allow a State party to perpetrate violations of [such treaties] on the territory of another State, which it could not perpetrate on its own territory”. While it may not be possible for a State to mobilize State institutions in order to fulfil the human rights of individuals outside their territorial control, they can do so to ensure that their actions do not violate the rights of individuals within their effective control.

[L6] The International Group of Experts (IGE) drafting the Tallinn Manual did not agree on the jurisdictional threshold of effective control that needs to be exercised for the invocation of IHRL. The majority of experts considered that physical control over territory or the individual was required before human rights obligations come into play, whereas others argued that if “exercise or enjoyment of a human right in question by the individual concerned is within the power or effective control of a State, that State has power or effective control over the individual with respect to the right concerned”.

[L7] By cutting off international internet traffic between State A and State B, State A deprived State B’s residents of access to the Internet, causing disruption to their livelihoods. Whether these persons were within the jurisdiction of State A depends on the interpretation of the threshold of effective control. Under the majority opinion of the IGE, State A did not exercise effective control as it was never in physical control of any portion of State B’s territory nor of any of its inhabitants. By contrast, following the minority approach – which, it is submitted, better reflects the current geopolitical realities given the various technological routes available to States to violate human rights extraterritorially – because the residents of State B were deprived of their ability to enjoy their relevant rights as a result of State A’s actions, State A was in effective control of these individuals. This means that they were within State A’s jurisdiction for the purposes of IHRL. Accordingly, for the reasons detailed above (see paras L2–L3), State A’s measures violated those persons’ human rights, including the right to freedom of expression and opinion and the right to peaceful assembly.

Obligation to respect the sovereignty of other States
[L8] While there has been no physical intrusion on State B’s territory, nor damage caused to physical cyber infrastructure that supports internet connectivity, State A’s actions have led to a loss of government functionality and a hampered exercise of certain internet-dependent governmental and private sector services in State B.

[L9] The IGE drafting the Tallinn Manual identified that interference with the inherently governmental functions of another State can occur even if there is no infringement upon the territorial integrity of that State. Moreover, intent is not a constitutive element of breach of sovereignty. The IGE specifically noted that if a cyber operation by a State precludes internet access to another State, it is a breach of the latter’s sovereignty “to the extent it usurps or interferes with inherently governmental functions”. In the present case, government services in State B that rely on internet access (e.g. the delivery of medical and social services, communication of law enforcement agencies, etc.) were severely impeded. Due to the interference caused by State A’s actions with the performance of inherently governmental functions in State B, State A would have thus violated State B’s sovereignty.

Liability for transboundary harm
[L10] Even if we assume that State A did not commit an internationally wrongful act by blocking internet connections to State B (inter alia), there is an additional analysis to be carried out regarding the issue of State A’s liability for causing transboundary harm to State B, irrespective of the actual means by which the harm was caused. There is a substantial socio-economic impact on State B as the financial sector, government services and law enforcement have been restricted in their operations, particularly if the internet outage lasts for an extended period of time.

[L11] As noted in the box above, the view of the Tallinn Manual group of experts was that there is no requirement for a cyber operation causing transboundary harm to result in physical damage to objects or injuries to individuals. It is submitted that this is a reasonable interpretation. After all, many (if not most) acts in cyberspace, including the internet blockage in this scenario, do not have any tangible physical impact.

[L12] Nevertheless, until now, due to a lack of State practice and opinio juris, the question of liability for transboundary harm caused by cyber means, as well as the applicable threshold of harm under international law, have remained highly contested. In any case, the required parameters for determination of a transboundary harm caused by cyber means, as well as the criteria for its quantification, are still developing.

International telecommunication law
[L13] International telecommunication law recognises the sovereign authority of each State to govern telecommunication infrastructure under its jurisdiction. Specifically, Article 35 of the ITU Constitution recognises the power of States to suspend their international telecommunications services, i.e., those communications that involve the transmission of data across State borders. Discussing the ITU Articles, the Tallinn Manual 2.0 refers to the example of the internet suspension enacted by Egypt in 2011: even though Egypt did not comply with the obligation to inform other States of its action, the Manual notes that the “the suspension was within [Egypt’s] rights under international telecommunication law.” It may thus be argued that State A did not violate ITU treaty norms solely by instituting its domestic internet blockage.

[L14] However, Article 35 of the ITU Constitution also mandates States taking any such action to inform “other Member States through the Secretary-General” of the ITU. In the present scenario, State A did not inform other States nor the Secretary General of the ITU, and therefore it violated its obligation under Article 35 of the ITU Constitution.

[L15] Article 36 of the ITU Constitution exempts States from responsibility towards individual users of international telecommunications services. While State A cannot be held responsible under the ITU regime for any harm arising out of its actions to citizens of State B, it is still responsible towards other States and the ITU for not having taken any measures to inform other States of its decision to suspend international internet connection.

[L16] Through Article 38(5) of the ITU Constitution, States recognise the importance of taking measures to prevent disruption of telecommunication services in other jurisdictions. While this Article does not create any binding obligations, the facts make it clear that State A knew that its actions would have an effect on internet connectivity in State B. State A could also have explored ways to enact the network isolation in a way that would not have affected the internet connectivity in State B.

Checklist

 * International human rights law
 * Do States owe an obligation to comply with international human rights law extraterritorially?
 * Do internet shutdowns violate the right to freedom of speech and expression, or the right to peaceful assembly? Are internet shutdowns ever permissible under international human rights law?
 * Could the State enacting the internet shutdown implement it in a restrictive way to mitigate the infringement of the rights of persons abroad?
 * Sovereignty
 * Did the acting State interfere with inherently governmental functions of another State?
 * Could the internet outage have been implemented in a manner that caused less disruption to the networks abroad?
 * Liability for transboundary harm
 * Does the law on the prevention of transboundary harm apply only when there are physical consequences?
 * International telecommunication law
 * Did the State enacting an internet shutdown immediately inform other States (or the Secretary General of the ITU) of such action?

Bibliography and further reading

 * AS Rank, ‘A Ranking of the Largest Autonomous Systems (AS) in the Internet’ (AS Rank, Center for Applied Internet Data Analysis, 2021)


 * Russell Buchan, ‘Cyberspace, Non-State Actors and the Obligation to Prevent Transboundary Harm’ (2016) 21(3) JCSL 429.


 * KC Claffy, ‘Congestion - Mapping Interconnection in the Internet: Colocation, Connectivity and Congestion’ (Center for Applied Internet Data Analysis 2014).


 * François Delerue, Cyber Operations and International Law (CUP 2020).


 * Alexander Gamero-Garrido and others, ‘Inferring Country-Level Transit Influence of Autonomous Systems’ (on Active Internet Measurement Systems Conference, San Diego April 2019)


 * Internet Society, ‘Policy brief: Internet Shutdowns’ (Internet Society, 18 December 2019).


 * Vinit Jain and Brad Edgeworth, Troubleshooting BGP: A Practical Guide to Understanding and Troubleshooting BGP, (Cisco Press 2017).


 * Ido Kilovaty, ‘An extra-territorial human right to cybersecurity’ (2020) 10 Notre Dame Journal of International and Comparative Law 35.


 * Peter Margulies, ‘Surveillance by Algorithm: The NSA, Computerized Intelligence Collection and Human Rights’ (2016) 68 Fla. L. Rev. 1084.


 * Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56 Harv Int'l LJ 81.


 * Michael N. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, CUP 2017.


 * Beth Van Schaack, ‘The United States' position on the extra-territorial application of human rights obligations: Now is the time for change’ (2014) 90 Int’l L Stud 20.


 * Sabine Von Schorlemer, ‘Telecommunications, international regulation’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008, updated March 2009)


 * Beatrice A. Walton, ‘Duties Owed: Low-Intensity Cyber Attacks and Liability for Transboundary Torts in International Law’ (2017) 126 YaleLJ 1460.


 * Rolf Weber, ‘A Legal Lens into Internet Governance’, in Laura DeNardis and others (eds), Researching Internet Governance: Methods, Frameworks, Futures (MIT Press 2020) 105–122.

Contributions

 * Scenario by: Gurshabad Grover & Arindrajit Basu
 * Analysis by: Gurshabad Grover & Arindrajit Basu
 * Reviewed by: Deborah Housen-Couriel; Asaf Lubin; Marko Milanovic; Maria Tolppa

The authors would like to thank Anna Liz Thomas and Rajat Misra for their assistance.