Editing Scenario 08: Certificate authority hack

__NUMBEREDHEADINGS__
[[File:20121020200412!Basel 2012-10-06 Batch Part 5 (36).JPG|alt=|thumb|300x300px|Seal, Basel University. Photo by User:Mattes (CC-BY-SA 2.5).]]
The scenario analyses a cyber operation against a certificate authority that provides services to private and public entities, with indications that the operation was commissioned or exploited by a State. What are the relevant human rights obligations in cyberspace? What other international obligations may have been breached?

== Scenario ==

=== Keywords ===
Attribution, sovereignty, prohibition of intervention, mass surveillance, international human rights law

=== Facts ===
'''[F1]''' A company based in State A provides certificate authority services, including for government departments and agencies of State A. It has now been hacked by intruders, who assume control of the company’s certificate-issuing servers and, for several weeks, proceed to issue fraudulent certificates for private sector services, such as email or VoIP based telephony, but also for services related to the company register in State A (<b>incident 1</b>). Indicators of compromise (IoCs) point to the use of proxies (an unaffiliated group) in incident 1.

'''[F2]''' The fraudulent certificates are later used in a massive man-in-the-middle attack to intercept free email communication of several hundreds of thousands of individuals in State A (<b>incident 2</b>). Available evidence shows that State B’s intelligence service ordered and paid the above-mentioned group to issue some of the fraudulent certificates, including to the company register in State A. State B's intelligence service then used the certificates in conducting its mass surveillance operation.

'''[F3]''' Eventually, all of the certificates issued by the company are blacklisted by the major internet browsers, the attack is contained, and the company files for bankruptcy.

'''[F4]''' State A and State B are State parties to the International Covenant on Civil and Political Rights (ICCPR).<ref>International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 ([https://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx ICCPR]).</ref>

=== Examples ===
* [[DigiNotar (2011)]]

== Legal analysis ==
<i>For a general overview of the structure of analysis in this section, see [[Note on the structure of articles]].</i>

'''[L1]''' The legal analysis first briefly deals with the attribution of incidents 1 and 2 to State B, then continues with the breach of State B’s obligations to respect the sovereignty of other States, prohibition of intervention, and the obligations arising from international human rights law.

=== Attribution ===
==== Non-State actors ====
{{#lst:Attribution|Non-State actors}}
'''[L2]''' In the present scenario, it is crucial that State B ordered and paid the group to issue some of the fraudulent certificates in incident 1. The fact of accepting this order confirms the existence of a factually subordinate relationship at the relevant time, and thus the conduct of the non-State group is attributable to State B under the “instruction” standard of Article 8 of ILC’s Articles on State Responsibility.<ref>See Kubo Mačák, ‘[https://doi.org/10.1093/jcsl/krw014 Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors]’ (2016) 21 JCSL 405, 415 (“the non-State entity must be factually subordinate to the State at the moment when the State decides to commit the acts in question”).</ref>

==== State organs ====
{{#lst:Attribution|State organs}}
'''[L3]''' The intelligence service of State B is an organ of that State; therefore, its conduct is attributable to State B. In the present scenario, this covers the mass interception of emails in State A (incident 2).

=== Breach of an international obligation ===

==== Obligation to respect the sovereignty of other States ====
{{#lst:Sovereignty|Definition}}
'''[L4]''' There is no evidence that options 1 or 2 would be of relevance in this scenario.

'''[L5]''' With respect to option 3, the fact that the company’s certificates were blacklisted implies that the services using the certificates had to change to a different certificate authority. In the meantime, the trust in these services could not be guaranteed. Some websites using the blacklisted certificates would function, but browsers would issue security alerts, leading to economic losses for the respective businesses, as customers would be afraid to continue to their websites. Other services had lost functionality until they installed new certificates – especially online payment systems and mobile banking apps would stop working completely.

'''[L6]''' The precise threshold of the loss of functionality is difficult to determine. If the loss is only temporary, does not lead to significant disruptions, and can be easily fixed, then it would likely not qualify.<ref>Compare T[https://doi.org/10.1017/9781316822524 allinn Manual 2.0], commentary to rule 4, para 14, wherein some of the experts were willing to characterise as a violation of sovereignty “causing a temporary, but significant, loss of functionality, as in the case of a major DDoS operation”.</ref> However, assuming that the threshold was reached, State B is responsible to the extent that it had ordered the non-State actor to issue some of the fraudulent certificates (incident 1).

'''[L7]''' As for option 4, some of the affected systems were providing secure access to State A’s company register. Running this register is State A’s inherently governmental function, and if the function could not be provided due to the interference by State B (incident 1), then State B’s conduct had amounted to a violation of State A’s sovereignty.

'''[L8]''' The relevance of Option 5 depends on the legal qualification of the mass interception operation conducted by State B against individuals located in State A’s territory (incident 2). On one view, this is merely surveillance targeted against private persons which, as such, does not interfere with State A’s governmental functions. By contrast, another view is that if the operation in question was conducted in order to collect evidence for criminal proceedings without the consent of State A, then it qualified as a non-consensual exercise of law enforcement functions in State A’s territory. Because law enforcement is exclusively reserved to the territorial State under international law, on this view State B’s conduct would have violated State A’s sovereignty.<ref>Compare [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 18: “if one State conducts a law enforcement operation against a botnet in order to obtain evidence for criminal prosecution by taking over its command and control servers located in another State without that State’s consent, the former has violated the latter’s sovereignty because the operation usurps an inherently governmental function exclusively reserved to the territorial State under international law.”</ref>

'''[L9]''' On the basis of the foregoing, it can be summarized that in the context of incident 1, State B violated the sovereignty of State A insofar the actions of the non-state actor can be attributed to State B. As for incident 2, the answer is unsettled in the present state of international law and depends primarily on the interpretation of the actual nature of State B’s conduct.

==== Prohibition of intervention ====
{{#lst:Prohibition of intervention|Definition}}
'''[L10]''' In incident 1, State B interfered with the internal affairs of State A by having a non-State actor issue fraudulent certificates, thereby undermining the security of online government services. However, proving the coercive nature of the act can be difficult. It depends on the ultimate goal of State B, and whether the act can be causally linked to the goal. If State B merely wanted to cause nuisance and economic loss to State A without any particular goal, the act does not qualify as prohibited intervention (even though it does qualify as a violation of sovereignty: see above).

'''[L11]''' In incident 2, the analysis again depends on the goal of State B. If State B wanted to engage in cyber espionage against the Internet users in State A’s territory, or even if it wanted to conduct law enforcement activities in State A’s territory, without any intent to influence State A’s decisions on its internal or external affairs, the prohibition of intervention would not have been breached.

==== Obligations arising from international human rights law ====
{{#lst:International human rights law|Definition}}
'''[L12]''' (1) Does the obligation of State B to respect the right to privacy pursuant to Article 17 ICCPR apply to its cyber operations against individuals in State A? The owners and presumably also the content of the intercepted email accounts were located in State A. State B, whose State organ commissioned the preparation of the interception and then executed it itself, would be obligated to respect the human rights of those natural persons if they were under its jurisdiction or control. 

'''[L13]''' According to one line of thought, if an organ of State B can, in the exercise of its jurisdiction, secretly interfere with the human rights of individuals anywhere in the world without the knowledge of the territorial State (in this case, State A), then it is logically State B which must make sure that this interference is conducted in accordance with the requirements of the ICCPR.<ref>Marko Milanovic, ‘[http://www.harvardilj.org/wp-content/uploads/561Milanovic.pdf Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age]’ (2015) 56/1 HarvIntlLJ , pages 118-119</ref><!-- 1. Is mere interception of communications 'interference'? The US holds that the mere collection of information is not interference with privacy until it has been 'read'. Indeed, even if information is read by algorithms, the US holds that this isn't interference. See post-Snowden statement by NSA director. 2. Is it only metadata intercepted or also content data? US says metadata isn't protected by the right to privacy. But this is patently wrong - see various case law from ECtHR (Malone) and HRC.   -->

'''[L14]''' The counterargument is that there is a lack of consensus whether interfering with cyber infrastructure abroad can amount to exerting effective control.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 36, para 6.</ref> In the present state of the law, State B therefore cannot be held responsible for violating human rights of the individuals concerned.<!-- This discussion of jurisdiction needs developing. Jurisdiction in cyberspace is complicated and there are various approaches depending upon whose views are being consulted - states (US, for example), UNGA, Sp Rapp on Right to Privacy, HRC General Comment, Inter-American Commission.     -->

'''[L15]''' (2) Assuming that the ICCPR applies, a surreptitious interception of emails between individuals is an interference with their right to privacy pursuant to Article 17 ICCPR (specifically, interference with their correspondence). Depending on the goal of State B, the interception might also implicate Article 19 ICCPR (right to freedom of expression).

'''[L16]''' (3) The scenario does not contain any information about State B’s domestic law. If there is a domestic law regulating extraterritorial surveillance or criminal investigation, which is compliant with the requirements of the international obligation (legality, legitimacy of the objective, necessity to achieve the goal, and proportionality), and the email interception is done in accordance with that law, then State B’s activity would be in accordance with the ICCPR.

'''[L17]''' With regard to the number of affected individuals (“several hundreds of thousands”), it should be noted that the Court of Justice of the European Union (CJEU) ruled that it would be extremely difficult for bulk online surveillance to be compatible with the EUCFR;<ref>CJEU, the judgments in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0293 C-293/12 ''Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform''] [2014] (ECLI:EU:C:2014:238); [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0293 C‑203/15 ''Tele2 Sverige AB v Post- och Telestyrelsen''] [2016] (ECLI:EU:C:2016:970).</ref> however, as of October 2018, the case-law of the ECtHR seems to be developing in a less strict direction.<ref>ECtHR, the Chamber judgments in ''[http://hudoc.echr.coe.int/eng?i=001-183863 Centrum för Rättvisa v Sweden]'' app no. 35252/08 (ECtHR 19th June 2018); ''[http://hudoc.echr.coe.int/eng?i=001-186048 Case of Big Brother Watch and Others v United Kingdom]'' app no. 58170/13, 62322/14 and 24960/15 (ECtHR 13th September 2018).</ref> Although these rulings do not directly apply to States not members of the relevant treaty regimes, they may nonetheless carry persuasive value for the further development of the law in this area.

'''[L18]''' To sum up the three steps of the test, it cannot be concluded that the interception of emails by itself amounts to a violation of international human rights law. Although such conduct would most certainly interfere with several human rights of the affected individuals, its compatibility with IHRL would fall to be determined by the justification proffered by the acting State.

'''[L19]''' The positive obligation of State A (to take all reasonable measures to protect the human rights of persons in its territory who have been targeted by State B's operation) encompasses protecting the persons from further abuse of their rights, taking appropriate measures against the perpetrators of the abuse, but also measures to prevent an abuse if there are grounds to believe that such abuse will occur. In the situation at hand, the obligation would likely include the duty of State A to rapidly investigate incident 1 and to prevent or reduce the impact of incident 2 by immediately informing the international cyber security community about the fraudulent certificates.

== Checklist ==
* [[Attribution]]:
** Did State B provide instructions or exercise direction or control over the non-State actor?
** Is an intelligence agency a State organ of State B?
* [[Sovereignty]]:
** Did State B’s operation cause a loss of functionality of another State’s cyber infrastructure?
** Did State B usurp State A’s inherently governmental functions by its cyber operation in State A’s territory?
* [[Prohibition of intervention]]:
** Did State B try to coerce State A by its cyber operation?
* [[International human rights law]]:
** Does the ICCPR apply to State B’s cyber operation abroad?
** Which human rights are implicated by State B’s cyber operation?
** Is State B’s cyber operation justified from the perspective of international human rights law?

== Appendixes ==

=== See also ===

* [[Attribution]]
* [[Sovereignty]]
* [[Prohibition of intervention]]
* [[International human rights law]]

=== Notes and references ===
<references />

=== Bibliography and further reading ===
* James Crawford, ''Brownlie's Principles of Public International Law'' (OUP 2012).
*Gary P. Corn and Robert Taylor, ‘[https://doi.org/10.1017/aju.2017.57 Sovereignty in the Age of Cyber]’ (2017) 111 AJIL Unbound 207.
*Wolff Heintschel von Heinegg, '[https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?referer=https://www.google.ee/&httpsredir=1&article=1027&context=ils Territorial Sovereignty and Neutrality in Cyberspace]' (2013) 89 Int’l L. Stud. 123.
*Kubo Mačák, ‘[https://doi.org/10.1093/jcsl/krw014 Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors]’ (2016) 21 JCSL 405.
*Marko Milanovic, ‘[http://www.harvardilj.org/wp-content/uploads/561Milanovic.pdf Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age]’ (2015) 56/1 HarvIntlLJ 81.
*Michael N Schmitt (ed), ''[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations]'' (CUP 2017).
*Michael N Schmitt, '[https://heinonline.org/HOL/P?h=hein.journals/cjil19&i=36 Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law]' (2018) 19 ChiJIntlL 30.
*Michael N Schmitt and Liis Vihul, ‘[https://texaslawreview.org/respect-sovereignty-cyberspace/ Respect for Sovereignty in Cyberspace]’ (2017) 95 Tex L Rev. 1639.
*Sean Watts & Theodore Richard, '[https://law.lclark.edu/live/files/26902-lcb223article3wattspdf Baseline Territorial Sovereignty and Cyberspace]' (2018) 22 Lewis & Clark L. Rev. 771.
*Katja Ziegler, “[http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1398 Domaine Réservé]”, in Rudiger Wolfrum (ed), ''Max Planck Encyclopedia of Public International Law'' (OUP 2008).

=== Contributions ===
* Scenario by: [[People#Editorial_board|Taťána Jančárková]] & [[People#Editorial_board|Tomáš Minárik]]
* Analysis by: [[People#Editorial_board|Tomáš Minárik]]
* Reviewed by: [[People#Peer_reviewers|Russell Buchan]]; [[People#Peer_reviewers|Jakub Harašta]]; [[People#Peer_reviewers|Tomáš Morochovič]]

{| class="wikitable"
|+
|Previous: [[Scenario 07: Leak of State-developed hacking tools|Scenario 07: Hacking tools]]
|Next: [[Scenario 09: Economic cyber espionage|Scenario 09: Economic espionage]]
|}
[[Category:Attribution]]
[[Category:Sovereignty]]
[[Category:Prohibition of intervention]]
[[Category:Mass surveillance]]
[[Category:International human rights law]]
[[Category:Scenario]]