Scenario 24: Internet blockage

From International cyber law: interactive toolkit
Jump to navigation Jump to search
© Rom Chek. Licensed from Shutterstock.

In response to widespread protests, a State takes measures to isolate its domestic internet networks from connecting with the global internet. These actions also lead to a massive internet outage in the neighbouring State, whose internet access was contingent on interconnection with a large network in the former State. The analysis considers whether the first State’s actions amount to violations of international law, in particular with respect to the principle of sovereignty, international human rights law, international telecommunication law and the responsibility to prevent transboundary harm.

1 Scenario[edit | edit source]

1.1 Keywords[edit | edit source]

Sovereignty, international human rights law, transboundary harm, international telecommunication law, internet access

1.2 Facts[edit | edit source]

[F1] In an attempt to curb growing citizen protests that have been receiving global attention, the government of State A takes several measures, including ordering a complete internet shutdown in its territory. This disrupts daily life of State A’s citizens, seriously impeding their communications and economic activity.

[F2] As a part of the shutdown, networks and internet service providers in State A are ordered to halt the exchange of all internet traffic with networks in other countries. State A takes these measures without taking any advance steps to inform other States that it is about to suspend its international internet traffic. State A is aware that the measures will hinder internet connectivity in the neighbouring State B, and the negative consequences this will have on State B. It takes no mitigating measures to reduce the impact.

[F3] State B has only one internet service provider (ISP), and its international connectivity is largely contingent on the exchange of traffic with a leading ISP in State A.[1] Since the latter has been subjected to the government-imposed requirement to isolate its internet network from connections outside of State A, State B has suffered a sudden and widespread internet outage, which lasts for the entire duration of State A’s internet shutdown. A major part of the population of State B has thus been cut off from the internet, while the rest of State B suffers from extremely slow connections.

[F4] The inhabitants of State B rely on connectivity with global networks to carry out day-to-day activities, including economic activities integral to their livelihood. Due to the outage, State B’s government offices and essential services such as hospitals, banks and law enforcement are significantly limited in the performance of their tasks. Other critical infrastructure in State B, including the electricity grid, military and satellite installations, and air traffic control is internally interconnected, and continues to operate normally throughout the period.

1.3 Examples[edit | edit source]

This scenario explores a circumstance where a domestic internet shutdown/isolation order from a State to ISPs under its jurisdiction has effects outside its borders because of network infrastructure interconnection and interdependencies. While there are no known incidents to date that would comprehensively match the facts of this scenario, several real-life examples including those below illustrate how internet access in a country can be contingent on a single network or a component of physical infrastructure that lies outside its jurisdiction, and can be effectively restricted by measures taken by States or other actors abroad.

2 Legal analysis[edit | edit source]

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis considers the relevant obligations of State A with respect to international human rights law (IHRL), the principle of sovereignty, the law on transboundary harm, and international telecommunication law.

2.1 State A’s obligation to respect human rights[edit | edit source]

International human rights law
International human rights law applies in cyberspace; individuals enjoy the same human rights online as they enjoy offline.[2] States are therefore bound by their human rights obligations to both respect and ensure human rights in cyberspace. States also bear international responsibility for the violation of human rights obligations that are attributable to them.[3]

The source of these obligations is primarily treaty law. The two key global treaties are the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR);[4] many of these treaties’ provisions, along with the provisions of the Universal Declaration of Human Rights, are regarded as reflective of customary international human rights law, even though there is no universally accepted codification. Apart from the ICCPR and ICESCR, there exist important regional human rights treaty systems, especially for Europe (European Convention on Human Rights – ECHR)[5], the European Union (Charter of Fundamental Rights of the European Union – EUCFR),[6] and America (American Convention on Human Rights – ACHR)[7], which provide for adjudicatory mechanisms by which individuals can assert their human rights against States and which have generated a considerable amount of case-law as a result.

In order to determine whether a State has breached its human rights obligations, the following steps of analysis should be conducted:

  1. Since cyber operations often take place in the cyber infrastructure of multiple States, the issue of jurisdiction must be addressed. Each human rights treaty has its own bespoke jurisdictional requirements and scope. In this regard, every State party to the ICCPR has undertaken “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the [ICCPR]”.[8] The UN Human Rights Committee has understood this provision to mean that the human rights obligations recognized within the ICCPR apply not only to persons physically located within a State’s territory, but also to situations where the State exercises “power or effective control” either over the territory on which an individual is located (the spatial model of jurisdiction) or over the individual (the personal model of jurisdiction).[9] The International Court of Justice (ICJ) has gone even further by stating that the ICCPR “is applicable in respect of acts done by a State in the exercise of its jurisdiction outside its own territory”.[10] A few States (such as the US and Israel) have adopted the contrary view and maintain that human rights obligations do not apply extraterritorially. To date, however, these States remain in the minority.[11] As such, although the exact criteria for the applicability of human rights obligations to extraterritorial activities of States are not settled and are subject to ongoing academic and political debate,[12] the prevailing opinion at present is that human rights obligations do apply to some acts of a State outside its territory.
  2. If an international human rights regime is applicable, the second question is whether a cyber operation attributable to a State constitutes an interference with a particular human right. The human rights that are often implicated by cyber operations include the right to privacy[13] and the right to freedom of opinion and expression.[14]
  3. Not every State interference with a human right is also a violation of international human rights law. For an interference to be legal, it must be justified, namely:
    1. in accordance with an accessible and foreseeable domestic law (“legality”),
    2. pursuing a legitimate objective of public interest (such as national security, public order, public health, or morals) or for the protection of rights of others,
    3. necessary to achieve that objective, and
    4. proportionate in balancing the means and the end.[15]

Apart from the responsibility for human rights violations attributed to it, a State can also be held responsible for its failure to take all reasonable measures to protect the human rights of individuals in its territory and subject to its jurisdiction (for instance, if it unlawfully allows non-State actors to violate human rights).[16]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of the Czech Republic (2020) (2020), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of Kazakhstan (2021) (2021), National position of Kenya (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Romania (2021) (2021), National position of Switzerland (2021) (2021), National position of the United Kingdom (2021) (2021), National position of the United States of America (2012) (2012), National position of the United States of America (2016) (2016), National position of the United States of America (2021) (2021).

[L2] Article 19 of the ICCPR establishes the right of every individual to hold opinions without interference and to seek, receive and impart information “regardless of frontiers”, through any media of their choice.[17] In the present case, denying access to inhabitants of State A to seek, receive or impart information internationally (via the internet) implicates this right. Paragraph 3 of Article 19 states that the right to free speech may be limited by implementing measures necessary “for respect of the rights or the reputations of others” or “for the protection of national security or public order”.[18] The UN Special Rapporteur on Freedom of Speech and Expression has categorically stated in a report that “network shutdowns invariably fail to meet the standard of necessity.”[19] The UN Special Rapporteur's report further argues that shutdowns are generally disproportionate, even though the duration and geographic scope may vary.[20] Such measures rarely attain their stated purpose of national security or public order as network shutdowns rather accentuate panic and disorder.[21] It is questionable, in the present case, whether and how the internet shutdown would contribute to maintaining public order in State A. Instead, the measures imposed appear to aim at preventing domestic protests from receiving external support and spreading information. Therefore, the conditions under Article 19 to impose restrictions have not been met. The measures undertaken by State A violated the right to freedom of expression and opinion, thus breaching an international legal obligation.

[L3] For similar reasons, State A’s measures may also have violated its inhabitants’ right to peaceful assembly, provided for in Article 21 of the ICCPR. As the UN Special Rapporteur on the Freedom of Peaceful Assembly and Association noted, such internet shutdowns “can never be considered a lawful restriction of this fundamental freedom”.[22]

[L4] To determine whether the human rights of inhabitants of State B were also violated, an evaluation of the extra-territorial application of international human rights law (IHRL) is needed. As summarized in the box above, the prevailing opinion at present is that human rights obligations do apply to some acts of a State outside its territory. In our view, States owe a duty to refrain from violating the human rights of individuals abroad who are within those States’ power or effective control. First, this is because the interpretation of Article 2(1) of the ICCPR hinges on the significance of the word ‘respect’ in that provision,[23] which would be redundant if one were to adopt the view that human rights obligations do not apply extraterritorially at all.[24] A technically correct reading, it is submitted, implies the following points: (1) each State must respect the rights recognized in the present Covenant, and (2) it must ensure to all individuals within its territory and subject to its jurisdiction the rights recognised in the present Covenant.[25]

[L5] Second, as held by the European Court of Human Rights (ECtHR), human rights treaties “cannot be interpreted so as to allow a State party to perpetrate violations of [such treaties] on the territory of another State, which it could not perpetrate on its own territory.”[26] While it may not be possible for a State to mobilize State institutions in order to fulfil the human rights of individuals outside their territorial control,[27] they can do so to ensure that their actions do not violate the rights of individuals within their effective control.[28]

[L6] The IGE drafting the Tallinn Manual did not agree on the threshold of effective control that needs to be exercised for the invocation of IHRL. The majority of experts considered that physical control over territory or the individual was required before human rights obligations come into play, whereas others argued that if “exercise or enjoyment of a human right in question by the individual concerned is within the power or effective control of a State, that State has power or effective control over the individual with respect to the right concerned.”[29]

[L7] By cutting off international internet traffic between State A and State B, State A deprived State B’s residents of access to the Internet, causing disruption to their livelihoods. Whether these persons were within the jurisdiction of State A depends on the interpretation of the threshold of effective control. Under the majority opinion of the IGE, State A did not exercise effective control as it was never in physical control of any portion of State B’s territory nor of any of its inhabitants. By contrast, following the minority approach – which, it is submitted, better reflects the current geopolitical realities given the various technological routes available to States to violate human rights extraterritorially – because the residents of State B were deprived of their ability to enjoy their relevant rights as a result of State A’s actions, State A was in effective control of these individuals. This means that they were within State A’s jurisdiction for the purposes of IHRL. Accordingly, for reasons detailed above (see paras L2–L3), State A’s measures violated those persons’ human rights, including the right to freedom of expression and opinion and the right to peaceful assembly.

2.2 Obligation to respect the sovereignty of other States[edit | edit source]

Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,
[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[30]
Multiple declarations by the UN,[31] NATO,[32] OSCE,[33] the European Union,[34] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty. However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[35] It has also been adopted by several States including Austria,[36] the Czech Republic,[37] Finland,[38] France,[39] Germany,[40] Iran,[41] and the Netherlands.[42]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[43] This view has now been adopted by one State, the United Kingdom,[44] and has been endorsed by the U.S. Department of Defense General Counsel.[45] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention).

It is understood that sovereignty has both an internal and an external component.[46] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[47][48]

As a general rule, each State must respect the sovereignty of other States.[49] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[50]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[51] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[52]
  2. Causation of physical damage or injury by remote means;[53] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[54]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as on the precise threshold for a loss of functionality (the necessity of reinstallation of operating system or other software was proposed but not universally accepted);[55] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[56]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[57] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[58]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[59]

The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Germany[60] and the Netherlands.[61] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”.[62]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[63]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of the People's Republic of China (2021) (2021), National position of the Czech Republic (2020) (2020), National position of Estonia (2019) (2019), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Iran (2020) (2020), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of Kenya (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Romania (2021) (2021), National position of Singapore (2021) (2021), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United States of America (2012) (2012), National position of the United States of America (2016) (2016), National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

[L8] While there has been no physical intrusion on State B’s territory, nor damage caused to physical cyber infrastructure that supports internet connectivity, State A’s actions have led to a loss of government functionality and a hampered exercise of certain internet-dependent governmental and private sector services in State B.

[L9] The IGE identified that interference with the inherently governmental functions of another State can occur even if there is no infringement upon the territorial integrity of that State. Moreover, intent is not a constitutive element of breach of sovereignty.[64] The IGE specifically noted that if a cyber operation by a State precludes internet access to another State, it is a breach of the latter’s sovereignty “to the extent it usurps or interferes with inherently governmental functions”.[65] In the present case, government services in State B that rely on internet access (delivery of medical and social services, communication of law enforcement agencies, etc.) were severely impeded.[66] Due to the interference caused by State A’s actions with the performance of inherently governmental functions in State B, State A would have thus violated State B’s sovereignty.

2.3 Liability for transboundary harm[edit | edit source]

Transboundary harm
The basis of liability for transboundary harm is sine delicto stricto sensu, which means that States may be liable for causing transboundary harm in the absence of fault or negligence on their part. This form of liability stems from the customary duty to prevent and redress transboundary harm articulated in the Roman law maxim of sic utere tuo ut alienum non laedas, which means that one cannot use their property in a manner that causes injury to others.[67] While liability for transboundary harm has been most commonly applied in the environmental realm,[68] it is also relevant for a broader range of legal issues, including international water law,[69] and international space law.[70] Liability is different from the concept of State responsibility. A State is responsible when an act (or omission) is attributable to the State, and it is wrongful under international law. An act is wrongful only if a State violates a primary rule of international law. Liability, however, does not require a wrongful act to be committed but it is instead linked to the harm caused by the act.[71] This means that a State may be liable for causing transboundary harm even if the act causing the harm was not a violation of international law.

The most significant case in international law proclaiming liability for failure to discharge the duty to prevent and redress transboundary harm is the 1941 Trail Smelter arbitration between the United States and Canada.[72] When evaluating damages caused to the United States by a Canadian smelter, the tribunal held that “no State has the right to use or permit the use of its territory in such a manner to as to cause injury by fumes in or to the territory of another or the persons or properties therein.”[73] Since then, the International Court of Justice (ICJ) has also invoked this duty of States to “ensure that activities within their jurisdiction and control respect the environment of other States or of areas beyond national control.”[74] While liability for transboundary harm has been applied in the environmental context, some publicists have stated that it can be extended to the cyber realm, as well.[75]

In 2001, the International Law Commission (ILC) produced the Draft Articles on Prevention of Transboundary Harm from Hazardous Activities.Its conclusions with regard to liability remain relevant even though the document has not been formally adopted by States. The ILC’s commentary on these Articles states that “the significant transboundary harm must have been caused by the physical consequences of such activities”.[76] Therefore, the ILC excluded transboundary harm caused by monetary, socio-economic or similar fields.[77]

However, the experts participating in the Tallinn Manual process were in consensus that there is no requirement for a cyber operation causing transboundary harm to result in physical damage to objects or injuries to individuals.[78] Certain publicists agree with this position, arguing that transboundary harm need not be limited to instances of physical damage.[79]

[L10] Even if we assume that State A did not commit an internationally wrongful act by blocking internet connections to State B (inter alia), there is an additional analysis to be carried out regarding the issue of State A’s liability for causing transboundary harm to State B, irrespective of the actual means by which the harm was caused. There is a substantial socio-economic impact on State B as the financial sector, government services and law enforcement have been restricted in their operations, particularly if the internet outage lasts for an extended period of time.

[L11] As noted in the box above, the view of the Tallinn Manual group of experts was that there is no requirement for a cyber operation causing transboundary harm to result in physical damage to objects or injuries to individuals.[80] It is submitted that this is a reasonable interpretation. After all, many (if not most) acts in cyberspace, including the internet blockage in this scenario, do not have any tangible physical impact.

[L12] Nevertheless, until now, due to a lack of State practice and opinio juris, the question of liability for transboundary harm caused by cyber means, as well as the applicable threshold of harm under international law, have remained highly contested.[81] In any case, the required parameters for determination of a transboundary harm caused by cyber means, as well as the criteria for its quantification, are still developing.

2.4 International telecommunication law[edit | edit source]

International telecommunication law
International telecommunication law is a specialised regime of international law, primarily concerned with ensuring the operation of telecommunication networks and their interoperability. These networks are components of domestic and global cyber infrastructure that include both wired communication grids and wireless communication networks (and their hybrid systems). Examples of telecommunication networks include cellular telephone systems, satellite systems, undersea cables, and global positioning systems.

International telecommunication law has its foundation in the treaty regime of the International Telecommunication Union (ITU).[82] The ITU has operated since 1865 as an intergovernmental organization carrying out the principal responsibilities of international cooperation and technical regulation for telecommunication networks, subject to a detailed treaty regime. While the International Group of Experts drafting the Tallinn Manual 2.0 did not conclude whether this regime necessarily reflects customary international law, they did agree that it constitutes a longstanding enabling regime for the international telecommunication of nearly all States, as parties to the ITU treaties.[83]

There are three binding documents of the ITU: the Constitution, the Convention, and the Administrative Regulations.[84] Under their provisions, the ITU is the sole intergovernmental organisation that has been authorized to allocate frequency bands in the electromagnetic spectrum, on which wireless telecommunication services depend. The ITU is also responsible for ensuring optimal use of the global spectrum resource by member States, as well as for the development and standardisation of other telecommunication activities. The ITU Constitution lays down the specific powers of the ITU, and certain powers and duties of member States in relation to the coordinated operation of telecommunication infrastructure.

In the context of general international law, of particular relevance are the Articles in the ITU Constitution, Convention, and Administrative Regulations that relate to trans-border telecommunication, which includes any cyber communications involving data transmission across State borders or through extraterritorial regions. The obligation of States to avoid harmful interference with one another’s wireless communications is also critical to cyber operations and activities at the international level. Additional obligations include the stipulation that States establish, maintain and safeguard their telecommunication networks in order to support the exchange of international telecommunications; as well as the sovereign authority of States to suspend or stop international telecommunication under certain circumstances.

The ITU Constitution provides for negotiations, agreements and arbitration in cases of disputes in interpretation or application of the Constitution, Convention or Administrative Regulations.[85] However, “no enforcement mechanism exists in the case of non-compliance” of decisions stemming from these procedures.[86]

[L13] International telecommunication law recognises the sovereign authority of each State to govern telecommunication infrastructure under its jurisdiction. Specifically, Article 35 of the ITU Constitution recognises the power of States to suspend their international telecommunications services, i.e., those communications that involve the transmission of data across State borders.[87] Discussing the ITU Articles, the Tallinn Manual 2.0 refers to the example of the internet suspension enacted by Egypt in 2011: even though Egypt did not comply with the obligation to inform other States of its action, the Manual notes that the “the suspension was within [Egypt’s] rights under international telecommunication law.”[88] It may thus be argued that State A did not violate ITU treaty norms solely by instituting its domestic internet blockage.

[L14] However, Article 35 of the ITU Constitution also mandates States taking any such action to inform “other Member States through the Secretary-General” of the ITU. In the present scenario, State A did not inform other States nor the Secretary General of the ITU, and therefore it violated its obligation under Article 35 of the ITU Constitution.

[L15] Article 36 of the ITU Constitution exempts States from responsibility towards individual users of international telecommunications services.[89] While State A cannot be held responsible under the ITU regime for any harm arising out of its actions to citizens of State B, it is still responsible towards other States and the ITU for not having taken any measures to inform other States of its decision to suspend international internet connection.

[L16] Through Article 38(5) of the ITU Constitution, States recognise the importance of taking measures to prevent disruption of telecommunication services in other jurisdictions. While this Article does not create any binding obligations, the facts make it clear that State A knew that its actions would have an effect on internet connectivity in State B. State A could also have explored ways to enact the network isolation in a way that would not have affected the internet connectivity in State B.[90]

3 Checklist[edit | edit source]

  • International human rights law
    • Do States owe an obligation to comply with international human rights law extraterritorially?
    • Do internet shutdowns violate the right to freedom of speech and expression, or the right to peaceful assembly? Are internet shutdowns ever permissible under international human rights law?
    • Could the State enacting the internet shutdown implement it in a restrictive way to mitigate the infringement of the rights of persons abroad?
  • Sovereignty
    • Did the acting State interfere with inherently governmental functions of another State?
    • Could the internet outage have been implemented in a manner that caused less disruption to the networks abroad?
  • Liability for transboundary harm
    • Does the law on the prevention of transboundary harm apply only when there are physical consequences?
  • International telecommunication law
    • Did the State enacting an internet shutdown immediately inform other States (or the Secretary General of the ITU) of such action?

4 Appendixes[edit | edit source]

4.1 See also[edit | edit source]

4.2 Notes and references[edit | edit source]

  1. Transboundary internet network connectivity is a basic attribute of the internet’s global range and scope: see, eg, Rolf Weber, ‘A Legal Lens into Internet Governance’, in Laura DeNardis, Derrick Cogburn, Nanette Levinson and Francesca Musiani (eds) Researching Internet Governance: Methods, Frameworks, Futures (MIT Press 2020) 105–122. Certain key networks may be critical to providing global network address reachability to their neighbouring networks, i.e. they are placed such that their failure (or a sudden decision by them to not coordinate with one or more networks they connect to) could have an adverse impact on internet traffic in another region. For further information, see AS Rank, ‘A Ranking of the Largest Autonomous Systems (AS) in the Internet’ (AS Rank, Center for Applied Internet Data Analysis, 2021); kc claffy, ‘Congestion - Mapping Interconnection in the Internet: Colocation, Connectivity and Congestion’ (Center for Applied Internet Data Analysis, 2014); Alexander Gamero-Garrido, Esteban Carisimo, Shuai Hao, Bradley Huffaker, kc claffy, Alex.C.Snoeren, Alberto Dainotti,and Amogh Dhamdhere ‘Inferring Country-Level Transit Influence of Autonomous Systems’ (Active Internet Measurement Systems Conference, San Diego, April 2019) 3; Internet Society, ‘Policy brief: Internet Shutdowns’ (Internet Society, 18 December 2019)
  2. See, for example, United Nations Human Rights Council, The promotion, protection and enjoyment of human rights on the Internet, Resolution A/HRC/RES/32/13 (1 July 2016), para 1; NATO, Warsaw Summit Communiqué (9 July 2016), para 70; G8 Summit of Deauville, Declaration: Renewed Commitment for Freedom and Democracy (27 May 2011), para II/11.
  3. See, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 170.
  4. International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR); International Covenant on Economic, Social and Cultural Rights (adopted 16 December 1966, entered into force 3 January 1976) 993 UNTS 3 (ICESCR).
  5. Formal title: Convention for the Protection of Human Rights and Fundamental Freedoms (opened to the signature in Rome on 4 November 1950, entered into force 3 September 1953), ETS 5 (ECHR); there are several protocols which significantly expand and amend the obligations of the original Convention.
  6. Charter of Fundamental Rights of the European Union, proclaimed on 7 December 2000 (EUCFR).
  7. American Convention on Human Rights (open for signature from 22 November 1969, entered into force 18 July 1978), 1144 UNTS 123 (ACHR).
  8. Article 2(1) ICCPR.
  9. UN HRC, ‘General Comment No. 31 (80): The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’ (adopted on 29 March 2004, 2187th meeting), para 10.
  10. Cf, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ Rep 136, para 111.
  11. See, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ 136, para 110; UN HRC, Summary Record of the 1405th Meeting, CCPR/C/SR.1405 (31 March 1995) 6 [20].
  12. See, for example, Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56 Harvard International Law Journal 81.
  13. Article 17 ICCPR; Article 8 ECHR; Article 7 EUCFR; Article 11 ACHR. The exact titles and scopes of the provisions vary.
  14. Article 19 ICCPR; Article 10 ECHR; Article 11 EUCFR; Article 13 ACHR. The exact titles and scopes of the provisions vary.
  15. UN Human Rights Committee, ICCPR General Comment No. 34 (12 September 2011), paras 21-36; See also ICCPR General Comment No. 27 (1 November 1999), paras 14-16.
  16. See, Velásquez Rodríguez v. Honduras, (Merits) IACrtHR (Ser. C) No. 4 (29 July 1988) [177].
  17. Article 19(1)–(2) ICCPR.
  18. Article 19(3) ICCPR.
  19. United Nations Commission on Human Rights ‘Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression’ (30 March 2017) UN Doc A/HRC/35/22.
  20. United Nations Commission on Human Rights ‘Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression’ (30 March 2017) UN Doc A/HRC/35/22.
  21. See Internet Society, ‘Policy brief: Internet Shutdowns’ (Internet Society, 18 December 2019)
  22. Human Rights Council, Report of the special rapporteur on the rights to freedom of peaceful assembly and association, UN Doc A/HRC/47/24/Add.2 (15 June 2021), para 2.
  23. See Article 2(1) ICCPR (“Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.”) (emphasis added).
  24. Peter Margulies, ‘Surveillance by Algorithm: The NSA, Computerized Intelligence Collection and Human Rights’(2016) 68 Fl. Law Rev 1084.
  25. Peter Margulies, ‘Surveillance by Algorithm: The NSA, Computerized Intelligence Collection and Human Rights’(2016) 68 Fl. Law Rev 1084.
  26. ECtHR, Issa and others v Turkey, App No 31821/96, Judgment, 16 November 2004, para 71.
  27. Beth Van Schaack, ‘The United States' position on the extra-territorial application of human rights obligations: Now is the time for change’ (2014) 90 Int’l Law Studies 20, 62.
  28. Ibid.
  29. Tallinn Manual 2.0, commentary to rule 34, paras 9-10.
  30. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  31. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  32. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales (5 September 2015) para 72.
  33. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  34. Council of the European Union,"Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  35. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  36. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
  37. Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
  38. Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3, stating that ‘Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace.’
  39. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
  40. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 3, noting that ‘Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law’.
  41. Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
  42. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
  43. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  44. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’); see also Memorandum from JM O’Connor, General Counsel of the Department of Defense, ‘International Law Framework for Employing Cyber Capabilities in Military Operations’ (19 January 2017) (considering that sovereignty is not ‘a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State’), as cited by Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771, 829.
  45. Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
  46. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
  47. Tallinn Manual 2.0, rule 2.
  48. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')
  49. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  50. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  51. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  52. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9.
  53. Tallinn Manual 2.0, commentary to rule 4, para 11.
  54. Tallinn Manual 2.0, commentary to rule 4, para 12.
  55. Tallinn Manual 2.0, commentary to rule 4, para 13.
  56. Tallinn Manual 2.0, commentary to rule 4, para 14.
  57. Tallinn Manual 2.0, commentary to rule 4, para 15.
  58. Tallinn Manual 2.0, commentary to rule 4, para 16.
  59. Tallinn Manual 2.0, commentary to rule 4, para 18.
  60. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 4.
  61. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), p. 3.
  62. French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 6.
  63. In favour: see, eg, Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3.
  64. Tallinn Manual 2.0, commentary to rule 4, para 19
  65. Tallinn Manual 2.0, commentary to rule 4, para 19
  66. While the IGE could not define “inherently governmental functions” concretely, examples mentioned in the Tallinn Manual included delivery of social services and law enforcement.
  67. Beatrice A. Walton, ‘Duties Owed: Low-Intensity Cyber Attacks and Liability for Transboundary Torts in International Law’ (2017) 126 Yale Law Journal 1460, 1505.
  68. Xue Hanqin, Transboundary Damage in International Law (CUP 2003).
  69. Lake Lanoux Arbitration (France v. Spain), Arbitral Tribunal, 16 Nov. 1957, (1957) 12 Reports of International Arbitral Awards, p. 281.
  70. Joel A Dennerley, ‘State liability for space object collisions: The proper interpretation of 'fault' for the purposes of international space law’, (2018) 29 European Journal of International Law 1, 281
  71. Draft Articles on Prevention of Transboundary Harm from Hazardous Activities,commentary to Article 1, para 6
  72. Trail Smelter Arbitration (U.S. v. Can.), ; R.I.A.A. (Trail Smelter Arb. Trib. 1941).
  73. Trail Smelter Arbitration (U.S. v. Can.), ; R.I.A.A. (Trail Smelter Arb. Trib. 1941).
  74. Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Reports 226.
  75. Beatrice A. Walton, ‘Duties Owed: Low-Intensity Cyber Attacks and Liability for Transboundary Torts in International Law’ (2017) 126 Yale Law Journal 1460; Russell Buchan, ‘Cyberspace, Non-State Actors and the Obligation to Prevent Transboundary Harm’ (2016) 21(3) Journal of Conflict & Security Law 429. François Delerue, Cyber Operations and International Law (CUP 2020) .
  76. Draft Articles on Prevention of Transboundary Harm from Hazardous Activities, commentary to Article 1, para 6
  77. Draft Articles on Prevention of Transboundary Harm from Hazardous Activities, commentary to Article 1, para 6
  78. Tallinn Manual 2.0, commentary to rule 6,paras 25-28
  79. Beatrice A. Walton, ‘Duties Owed: Low-Intensity Cyber Attacks and Liability for Transboundary Torts in International Law’ (2017) 126 Yale Law Journal 1460, 1505.
  80. Tallinn Manual 2.0, commentary to rule 6, paras 25-28.
  81. François Delerue, Cyber Operations and International Law (CUP 2020) 371.
  82. Tallinn Manual 2.0, 284. Sabine Von Schorlemer, ‘Telecommunications, international regulation’, (2009) Max Planck Encyclopedias of International Law.
  83. Tallinn Manual 2.0, introduction to chapter 11, para 2
  84. Sabine Von Schorlemer, ‘Telecommunications, international regulation’, (2009) Max Planck Encyclopedias of International Law.
  85. Constitution and Convention of the International Telecommunication Union (concluded 22 December 1992, entered into force 1 July 1994) 1825 UNTS 330, art 56
  86. Sabine Von Schorlemer, ‘Telecommunications, international regulation’, (2009) Max Planck Encyclopedias of International Law.
  87. Constitution and Convention of the International Telecommunication Union (concluded 22 December 1992, entered into force 1 July 1994), 1825 UNTS 330 art. 35.
  88. Tallinn Manual 2.0, commentary to rule 62,para 4
  89. Constitution and Convention of the International Telecommunication Union (concluded 22 December 1992, entered into force 1 July 1994), 1825 UNTS 330 art. 35
  90. The exchange of traffic between autonomous systems is facilitated by the Border Gateway Protocol (BGP). BGP Filtering allows one to set particular rules on what traffic to let through. If State A had ordered its internet service providers to let through traffic flowing from international addresses to other international addresses, the impact on State B could have been partly avoided. See generally Vinit Jain and Brad Edgeworth, ‘Troubleshooting BGP: A Practical Guide to Understanding and Troubleshooting BGP’, (Cisco Press, 2017).

4.3 Bibliography and further reading[edit | edit source]

  • Rolf Weber, ‘A Legal Lens into Internet Governance’, in Laura DeNardis and others (eds), Researching Internet Governance: Methods, Frameworks, Futures (MIT Press 2020) 105–122.

4.4 Contributions[edit | edit source]

The authors would like to thank Anna Liz Thomas and Rajat Misra for their assistance.

Previous: Scenario 23: Vaccine research Next: Scenario 25: Humanitarian assistance