Editing Scenario 08: Certificate authority hack

Jump to navigation Jump to search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 60: Line 60:
 
'''[L12]''' (1) Does the obligation of State B to respect the right to privacy pursuant to Article 17 ICCPR apply to its cyber operations against individuals in State A? The owners and presumably also the content of the intercepted email accounts were located in State A. State B, whose State organ commissioned the preparation of the interception and then executed it itself, would be obligated to respect the human rights of those natural persons if they were under its jurisdiction or control.
 
'''[L12]''' (1) Does the obligation of State B to respect the right to privacy pursuant to Article 17 ICCPR apply to its cyber operations against individuals in State A? The owners and presumably also the content of the intercepted email accounts were located in State A. State B, whose State organ commissioned the preparation of the interception and then executed it itself, would be obligated to respect the human rights of those natural persons if they were under its jurisdiction or control.
   
'''[L13]''' According to one line of thought, if an organ of State B can, in the exercise of its jurisdiction, secretly interfere with the human rights of individuals anywhere in the world without the knowledge of the territorial State (in this case, State A), then it is logically the acting State (here, State B), which must ensure that its conduct is in accordance with the requirements of the ICCPR.<ref>Marko Milanovic, ‘[http://www.harvardilj.org/wp-content/uploads/561Milanovic.pdf Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age]’ (2015) 56/1 HarvIntlLJ , pages 118-119</ref><!-- 1. Is mere interception of communications 'interference'? The US holds that the mere collection of information is not interference with privacy until it has been 'read'. Indeed, even if information is read by algorithms, the US holds that this isn't interference. See post-Snowden statement by NSA director. 2. Is it only metadata intercepted or also content data? US says metadata isn't protected by the right to privacy. But this is patently wrong - see various case law from ECtHR (Malone) and HRC. KM: THIS IS MISPLACED HERE - THE CONCEPT OF INTERFERENCE IS ADDRESSED IN L15 BELOW. -->
+
'''[L13]''' According to one line of thought, if an organ of State B can, in the exercise of its jurisdiction, secretly interfere with the human rights of individuals anywhere in the world without the knowledge of the territorial State (in this case, State A), then it is logically State B which must make sure that this interference is conducted in accordance with the requirements of the ICCPR.<ref>Marko Milanovic, ‘[http://www.harvardilj.org/wp-content/uploads/561Milanovic.pdf Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age]’ (2015) 56/1 HarvIntlLJ , pages 118-119</ref><!-- 1. Is mere interception of communications 'interference'? The US holds that the mere collection of information is not interference with privacy until it has been 'read'. Indeed, even if information is read by algorithms, the US holds that this isn't interference. See post-Snowden statement by NSA director. 2. Is it only metadata intercepted or also content data? US says metadata isn't protected by the right to privacy. But this is patently wrong - see various case law from ECtHR (Malone) and HRC. -->
   
'''[L14]''' By contrast, the counterargument is that extraterritorial measures—such as interception of communications abroad—which do not involve an exercise of physical control over a person or a location fall outside of the jurisdiction and control of the acting State for the purposes of IHRL.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 34, para 9 (noting the majority view that “physical control over territory or the individual is required before human rights law obligations are triggered”).</ref> On this view, State B could therefore not be held responsible for violating human rights of the individuals concerned.<!-- This discussion of jurisdiction needs developing. Jurisdiction in cyberspace is complicated and there are various approaches depending upon whose views are being consulted - states (US, for example), UNGA, Sp Rapp on Right to Privacy, HRC General Comment, Inter-American Commission. KM: TEXT HAS BEEN REWRITTEN ACCORDINGLY; FURTHER REFERENCES TO POSSIBLE VIEWS ARE IN FOOTNOTES -->
+
'''[L14]''' The counterargument is that there is a lack of consensus whether interfering with cyber infrastructure abroad can amount to exerting effective control.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 36, para 6.</ref> In the present state of the law, State B therefore cannot be held responsible for violating human rights of the individuals concerned.<!-- This discussion of jurisdiction needs developing. Jurisdiction in cyberspace is complicated and there are various approaches depending upon whose views are being consulted - states (US, for example), UNGA, Sp Rapp on Right to Privacy, HRC General Comment, Inter-American Commission. -->
   
'''[L15]''' (2) Assuming that the ICCPR applies, a surreptitious interception of emails between individuals is an interference with their right to privacy pursuant to Article 17 ICCPR (specifically, interference with their correspondence).<ref>See, eg, ''[http://hudoc.echr.coe.int/eng?i=001-186048 Case of Big Brother Watch and Others v United Kingdom]'' app no. 58170/13, 62322/14 and 24960/15 (ECtHR 13th September 2018) [303] (the notion of “interference” includes “the interception of the content of communications [and] the interception or obtaining of communications data”).</ref> Depending on the goal of State B, the interception might also implicate Article 19 ICCPR (right to freedom of expression).
+
'''[L15]''' (2) Assuming that the ICCPR applies, a surreptitious interception of emails between individuals is an interference with their right to privacy pursuant to Article 17 ICCPR (specifically, interference with their correspondence). Depending on the goal of State B, the interception might also implicate Article 19 ICCPR (right to freedom of expression).
   
 
'''[L16]''' (3) The scenario does not contain any information about State B’s domestic law. If there is a domestic law regulating extraterritorial surveillance or criminal investigation, which is compliant with the requirements of the international obligation (legality, legitimacy of the objective, necessity to achieve the goal, and proportionality), and the email interception is done in accordance with that law, then State B’s activity would be in accordance with the ICCPR.
 
'''[L16]''' (3) The scenario does not contain any information about State B’s domestic law. If there is a domestic law regulating extraterritorial surveillance or criminal investigation, which is compliant with the requirements of the international obligation (legality, legitimacy of the objective, necessity to achieve the goal, and proportionality), and the email interception is done in accordance with that law, then State B’s activity would be in accordance with the ICCPR.

Please note that all contributions to International cyber law: interactive toolkit are considered to be released under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) (see International cyber law: interactive toolkit:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

Cancel Editing help (opens in new window)