Talk:Scenario 08: Certificate authority hack
Comments of reviewer[edit source]
Executive summary - clear, concise
Keywords - reflect the content of scenario
Factual Narrative - very clear
Legal Analysis - I have nothing substantive to add; one surprising information for me was the mention of automatic prohibition of bulk surveillance in EU (fn 56) - I have to admit I have read these two decisions many times and never noticed any such ruling. CJEU admits it would be extremely difficult to pass the test of proportionality with any bulk scenario without specific and credible threat (not "general" such as crime or terrorism), but never read it such an extreme way that authors of scenario mention.
Re: Enforcement jurisdiction[edit source]
(text of [L8]): Option 5, the usurpation of inherently governmental functions by State B, poses an interesting problem: was State B exercising its law enforcement functions in State A’s territory by the interception of emails of several hundred thousands of people in State A’s territory (incident 2)? If its intelligence service was collecting evidence for criminal proceedings abroad without the consent of State A, then it was exercising law enforcement functions and hence violating State A’s sovereignty; if it was merely engaging in cyber espionage for national security purposes, then according to this option, it was not usurping inherently governmental functions of State A.
Comment: We are unsure as to how incident 2 can be regarded as a usurpation of an inherently governmental function. The man in the middle attack is directed against individuals (not the state or one of its governmental functions) in order to intercept communications - this isn't enforcement jurisdiction, it is surveillance.
- Reply: In my opinion, enforcement jurisdiction includes the investigation of criminal offences, https://www.irwinlaw.com/cold/enforcement_jurisdiction. See also para 18 of commentary to rule 4 of TM 2.0.
(Text of [L9]): On the basis of the foregoing, it can be summarized that in the context of incident 1, State B violated the sovereignty of State A insofar the actions of the non-state actor can be attributed to State B. As for incident 2, the answer depends on the actual goal of State B’s conduct.
Comment: In light of our previous comment, this sentence [As for incident 2, the answer depends on the actual goal of State B’s conduct.] needs revising. It is our view that violations of state sovereignty do not turn on the intention or goal of the offending state.
- Reply: This requires further thought, since para 25 of commentary to rule 4 of TM 2.0 says that "The Experts concurred that intent is not a constitutive element of a breach of sovereignty."
- Compare Tallinn Manual 2.0, commentary to rule 4, para 18: “if one State conducts a law enforcement operation against a botnet in order to obtain evidence for criminal prosecution by taking over its command and control servers located in another State without that State’s consent, the former has violated the latter’s sovereignty because the operation usurps an inherently governmental function exclusively reserved to the territorial State under international law.”