Scenario 26: Export licensing of intrusion tools

Two different States licensed exports of intrusion tools and related items to a third State. That State then used it to spy on human rights defenders, lawyers, journalists, activists, opposition politicians, and dissidents. While one of the licensing States is a member of the Wassenaar Arrangement, the other is not but had declared to follow it unilaterally. The legal analysis considers the attribution of the relevant acts and omissions by the States and examines possible breaches of international export control law and international human rights law.

Keywords
Complicity, due diligence, international export control law, international human rights law, surveillance, unilateral declarations

Facts
[F1] Private technology firms incorporated in States A and B develop smartphone intrusion tools and sell those tools to foreign governments. The tools can be installed silently on smartphones of specific target persons. The intrusion happens without the affected person’s knowledge, using so-called zero-touch zero-day vulnerabilities. After successful intrusion, the tools can be used to access and copy the smartphone’s data, communications, and photos and turn on the microphone, camera, and GPS tracking. In addition, they can be used to detect with whom the target person has met.

[F2] The domestic laws of States A and B required a prior export licence for the export of such tools and related items. Accordingly, the export control agencies of States A and B licensed each export of the tool to State C’s government, as well as each export of related items (incident 1). Within the licensing process, domestic law required the agencies to assess the human rights risks associated with such exports, which they did.

[F3] Once licensed, the firms transferred the tools and related items to State C’s government (incident 2).

[F4] The law enforcement and security agencies of State C used the tool not only to fight crime and terrorism but also to domestically spy on human rights defenders, lawyers, journalists, activists, opposition politicians, and dissidents (incident 3). This was revealed by an investigative research project conducted by multiple news outlets and NGOs.

[F5] After the export control agencies in States A and B became aware of these facts, they immediately revoked all export licences for the tools and related items to State C.

[F6] States A, B, and C are United Nations member States and parties to the International Covenant on Civil and Political Rights (ICCPR). Moreover, State A is a participating State in the Wassenaar Arrangement (WA) and incorporated it into its domestic law and policies. State B is not a participating State. However, in a public written statement, the president and head of government of State B had expressly pledged that State B would comply with the WA and the related documents. Moreover, the statement calls on other States to hold State B accountable for its pledge. Following the announcement, State B aligned its laws and export control policies with the WA and the related documents.

Examples

 * The Hacking Team Hack (2015)
 * Ethiopian surveillance of journalists abroad (2017)
 * Pegasus Project revelations (2021)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis in this scenario first considers which relevant conduct is attributable to the States concerned. Then in examines whether that conduct amounts to a breach of international obligations incumbent on those States.

Attribution
[L2] Incident 1 (licensing the export of the surveillance tools): State A’s and State B’s export control agencies approved and licensed each export. They are State organs of States A and B, respectively. Therefore, issuing the export licences can be attributed to States A and B.

[L3] Incident 3 (use of tools against human rights activists and opposition): State organs of State C used the intrusion tool domestically against human rights defenders, lawyers, journalists, activists, opposition politicians, and dissidents. Thus, the use of the tool can be attributed to State C.

[L4] By contrast, State C’s use of the tool cannot be attributed to States A and B as their own conduct, as it was not carried out by their State organs. However, it is debatable whether States A and B may have aided and assisted importing State C by granting the export licences, to which the analysis now turns.

[L5] There is no indication that State A’s or State B’s export control agency, or any other organ of those States, knew how State C would use the tool when they issued the export licences. Moreover, there is no indication that the export control agencies did so with a view to assisting other States in the commission of a wrongful act by using the tool. Constructive knowledge (“should have known”) on State A’s or State B’s side does not suffice to hold those States responsible for aiding and assisting.

[L6] Incident 2 (sale of the tools by the companies): Under certain circumstances, the conduct of non-State actors is attributable to States. Thus, the question arises whether the actual transfer of the tools and related items by the private companies to State C is attributable to States A and B. [L7] Although each export required a prior licence by States A and B, respectively, that does not suffice to bring the respective companies under the direction or control of the licensing States. Instead, it must be considered whether the companies acted with the authorization of their respective States in the sense of Article 5 ARSIWA. Article 5 ARSIWA applies to the authorization of the exercise of governmental authority by non-State actors. The export licensing, which is an exercise of governmental authority, was done by the organs of States A and B and not by the private companies. The latter engaged only in sale and transfer, which is not an exercise of governmental authority. Moreover, the companies were not acting in the name or on behalf of their States of incorporation. Hence, the companies’ sale and transfer of the tools are not attributable to State A or State B.

Export control obligations of State A
[L8] Since the WA is non-binding, non-compliance by a participating State does not constitute a breach of an international obligation. Thus, State A did not breach any international law obligation in this respect.

Export control obligations of State B
[L9] State B might have breached its international export control obligations. Although State B is not a participating State in the WA, it has declared to follow the WA unilaterally. Therefore, the question arises whether the WA’s requirements have become binding on State B by means of its unilateral declaration.

[L10] Firstly, State B’s declaration must meet the criteria of a binding unilateral declaration. State B made the unilateral declaration publicly and addressed it to the international community as a whole. It was made by the president and head of government of State B. Moreover, it expressly stated that State B would comply with the WA, and that other States may hold State B accountable. Thus, the phrasing of the unilateral declaration expresses the will of State B to be bound by its declaration. Therefore, the unilateral declaration can be considered binding.

[L11] Secondly, the binding content of the declaration must be determined. The declaration transforms the non-binding requirements of the WA into binding international law obligations for State B. Consequently, State B is, among other duties, obliged to establish export controls for the items listed on the WA’s lists, probe whether a licence needs to be denied to prevent destabilizing accumulations, and follow the relevant best practices.

[L12] Thirdly, State B must have breached one of the obligations just set out. Intrusion tools themselves are not among the items listed, but exports of items related to the intrusion tools are and, therefore, must be controlled by State B. Accordingly, State B’s export control legislation required a prior licence for each export of such items. In fact, State B licensed each export of the tools and related items by its companies. Furthermore, there is no indication that its export control system was not in compliance with the best practices of the WA regarding transfers of intangible items.

[L13] Finally, State B was obliged to consider for each export licence application whether the export would contribute to destabilizing accumulations and, on that basis, would not be eligible for an export licence. However, this decision always remains within the sole discretion of State B. By issuing the export licences, State B apparently concluded that the exports would not contribute to destabilizing accumulations. Thus, even as the WA’s requirements have become binding on State B through its unilateral declaration, State B did not breach any of these international law obligations.

Human rights obligations of State C
[L14] State C’s law enforcement and security agencies used the tool domestically against human rights defenders, lawyers, journalists, activists, opposition politicians, and dissidents. By intruding into their devices, accessing their data, and monitoring them, State C interfered with their right to privacy and freedom of opinion and expression. Whereas any interference can, in theory, be justified, it is doubtful that the conduct of State C satisfied the necessity and proportionality requirements under the given circumstances. This is particularly the case taking into account the broad range of categories of people who were subjected to these measures and the apparent absence of any safeguards against abuses of the intercepted information.

Human rights obligations of State A and B
[L15] States A and B issued export licences to the respective companies for the export of the intrusion tools and related items to State C. The “action” of issuing an export licence did not breach any negative human rights obligations. Only State C’s conduct did, which is not attributable to States A and B (see section 2.1 above).

[L16] However, the conduct of a State leading to an internationally wrongful act can consist of an action or an omission. A failure of States A and B to comply with their positive human rights obligations would be a relevant omission.

[L17] Part of the positive human rights obligations is arguably the due diligence obligation to not knowingly allow acts contrary to international human rights, whereby constructive knowledge suffices. It is, thus, similar to the due diligence obligation in general international law as employed in the cyber context. Therefore, the same cumulative elements should be applied, however, only with respect to individuals’ human rights. Consequently, States A and B would potentially violate their human rights due diligence obligation if they did not put in place a sufficient export control framework, although they knew or should have known of the general risk to human rights associated with the export of such tools; or if they issued export licences, although they knew or should have known that State C would use the tools in breach of its human rights obligations.

[L18] However, it is debatable whether human rights due diligence obligations are exclusively applicable if an individual is in a State’s territory and subject to its jurisdiction; and, if so, whether “jurisdiction” can be construed to include situations of extraterritorial harm. Either way, it can be argued that extraterritorial human rights due diligence obligations exist.

[L19] In any case, States A and B did not breach their human rights due diligence obligations. There is no indication that States A or B were aware of any human rights violations perpetrated by State C at the time of issuing the licences. Furthermore, there is no indication that they should have known of such violations. States A and B had incorporated the WA into their domestic law and policies. Consequently, their export control agencies had to assess an importing State’s human rights record in the licensing process as part of preventing destabilizing accumulations. There is no indication that the agencies failed to do so sufficiently in the present case. On the contrary, they immediately revoked all licences after becoming aware of the relevant facts. Therefore, States A and B did not breach their human rights due diligence obligations.

Checklist

 * Attribution:
 * Is the “export control agency” a State organ?
 * Did the State aid or assist another State’s internationally wrongful act, such as human rights violations, by licensing an export of a cyber tool?
 * What kind of conduct by private companies, thus, non-state actors, can be attributed to States?


 * International export control law:
 * Is the State a participating State in the Wassenaar Arrangement (WA)?
 * Is the item in question listed either on the Dual-Use List or the Munitions List of the WA?
 * If the item is listed, did the State apply export controls?
 * What is the consequence of being in non-compliance with the non-binding WA?
 * Did the State declare to follow the WA unilaterally?
 * Is the declaration legally binding or merely political?


 * International human rights law and Due diligence:
 * Does the State have an obligation not to knowingly allow companies situated in its territory to export malicious cyber tools to a State that will use the tool for internationally wrongful acts, such as human rights violations?
 * Is the importing State violating the international human rights of individuals in its territory or abroad using the tools?
 * Did the exporting State have actual or constructive knowledge that the importing State would use the intrusion tool contrary to the rights of and resulting in serious adverse consequences for the human rights of individuals?
 * Did the exporting State take all feasible measures to prevent misuse of the intrusion tool?

Bibliography and further reading

 * Baade B, ‘Due Diligence and the Duty to Protect Human Rights’ in H Krieger, A Peters and L Kreuzer (eds), Due Diligence in the International Legal Order (OUP 2020).
 * Besson S, ‘Due Diligence and Extraterritorial Human Rights Obligations - Mind the Gap!’ (2020) 9(1) ESIL Reflections 1.
 * Brehm M, ‘The Arms Trade and States’ Duty to Ensure Respect for Humanitarian and Human Rights Law’ (2007) 12(3) Journal of Conflict and Security Law 359.
 * Bromley M and Maletta G, ‘The Challenge of Software and Technology Transfers to Non-proliferation Efforts: Implementing and Complying with Export Controls’ (Stockholm April 2018)  accessed 14 February 2020.
 * Bruin E de, ‘Export Control Regimes—Present-Day Challenges and Opportunities’ in R Beeres and others (eds), NL ARMS Netherlands Annual Review of Military Studies 2021: Compliance and Integrity in International Military Trade (T.M.C. Asser Press; Springer 2021).
 * Cedeño VR and Cazorla MIT, ‘Unilateral Acts of States in International Law’ in A Peters (ed), Max Planck Encyclopedias of International Law (OUP Online).
 * Chircop L, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67(3) International and Comparative Law Quarterly 643.
 * Crawford J, State Responsibility: The General Part (CUP 2013).
 * Dominicé C, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in J Crawford, A Pellet and S Olleson (eds), The Law of International Responsibility (OUP 2010).
 * Dörr O, ‘Declaration’ in A Peters (ed), Max Planck Encyclopedias of International Law (OUP Online).
 * Fidler M, ‘Anarchy or Regulation: Controlling the Global Trade in Zero-Day Vulnerabilities’ (Dissertation, Stanford University Mai 2014).
 * Joyner DH (ed), Non-proliferation export controls: Origins, challenges, and proposals for strengthening (Ashgate 2006).
 * Kanetake M, ‘Controlling the Export of Digital and Emerging Technologies: Security and Human Rights Perspectives’ (2021) 31(1-4) Security and Human Rights 1.
 * Kim H, ‘Global Export Controls of Cyber Surveillance Technology and the Disrupted Triangular Dialogue’ (2021) 70(2) International and Comparative Law Quarterly 379.
 * Klein R, ‘Trimming Pegasus’ Wings: International Export Control Law and ‘Cyberweapons’’ (27 October 2021)  accessed 10 January 2022.
 * Koivurova T, ‘Due Diligence’ in A Peters (ed), Max Planck Encyclopedias of International Law (OUP Online).
 * Korzak E, ‘Export Controls: The Wassenaar experience and its lessons for international regulation of cyber tools’ in E Tikk and M Kerttunen (eds), Routledge Handbook of International Cybersecurity (Routledge 2020).
 * Krieger H, Peters A and Kreuzer L (eds), Due Diligence in the International Legal Order (OUP 2020).
 * Lin H and Trachtman J, ‘Diagonal Export Controls to Counter Diagonal Transnational Attacks on Civil Society’ (2020) 31(3) European Journal of International Law 917.
 * Mačák K, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21(3) Journal of Conflict and Security Law 405.
 * Marauhn T, ‘Global governance of dual-use trade: the contribution of international law’ in O Meier (ed), Technology Transfers and Non-Proliferation: Between control and cooperation (Routledge 2013).
 * Monnheimer M, Due Diligence Obligations in International Human Rights Law (CUP 2021).
 * Mulbry E, ‘Arms Control 2.0: Updating the Cyberweapon Arms Control Framework’ (2021) 28(1) Michigan Technology Law Review 175.
 * Schmitt MN (ed), Tallinn manual 2.0 on the international law applicable to cyber operations (CUP 2017).
 * Ollino A, Due Diligence Obligations in International Law (CUP 2022).
 * Tamada D and Achilleas P (eds), Theory and Practice of Export Control: Balancing International Security and International Economic Relations (Springer 2017).
 * Tzevelekos VP, ‘Reconstructing the Effective Control Criterion in Extraterritorial Human Rights Breaches: Direct attribution of Wrongfulness, Due Diligence, and Concurrent Responsibility’ (2014) 36(1) Michigan Journal of International Law 129.
 * Violi F, ‘The function of the triad ‘territory’, ‘jurisdiction’, and ‘control’ in due diligence obligations’ in H Krieger, A Peters and L Kreuzer (eds), Due Diligence in the International Legal Order (OUP 2020).
 * Voetelink J, ‘International Export Control Law—Mapping the Field’ in R Beeres and others (eds), NL ARMS Netherlands Annual Review of Military Studies 2021: Compliance and Integrity in International Military Trade (T.M.C. Asser Press; Springer 2021).
 * Wolfrum R, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in MH Arsanjani and others (eds), Looking to the Future: Essays on International Law in Honor of W. Michael Reisman (Brill 2010).

Contributions

 * Scenario by: Roland Klein
 * Analysis by: Roland Klein
 * Reviewed by: Marjolein Busstra, François Delerue and Asaf Lubin