Does international law apply in cyberspace?
The meeting last June of the “2016-2017 UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” (GGE) reached a dead end. The GGE failed to endorse even the simple premise that international law applies to cyberspace. The Group, which had been given the mandate by the UN General Assembly to study “how international law applies to the use of information and communications technologies by States” will not be able to fulfill its mission.
This disappointing development surfaces a debate that has been lurking for quite a while. Although a previous GGE (the 2012/2013 GGE) did endorse the premise that international law was applicable in cyberspace, and even acknowledged that international law was “essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible [information and communication technology] environment,” other states, most notably China and Russia, have proposed an alternative approach. Together with several other states, they have twice proposed “codes of conduct” that implicitly denied the formal applicability of international law and instead invited “each state voluntarily subscribing to the code” to make certain “pledges.”
Does international law apply to cyberspace? Is it legitimate to extend existing customary and treaty norms to cover issues of cybersecurity, such as the free flow of information and free access to it, and the protection of users’ privacy? For many, a positive answer is self-evident. As the experts who produced the Tallinn Manuals on the International Law Applicable to Cyber Warfare (2013) and to Cyber Operations (2017) explained, “cyberspace” is not located in outer space or in an imaginary fifth dimension but in infrastructure located in states’ territories and operated by human beings subject to state authority and responsibility. As Martha Finnemore and Duncan Hollis recently noted, “States can and do control cyberspace when it suits them—and often with a heavy hand.” Cyber activity can produce harms that are similar in nature if not in magnitude to offline activity. What reason there is to deny the extension of international law to state action and inaction with respect to cyberspace?
For some die-hard positive lawyers, this almost self-evident proposition that international law governs cyberspace, might seem too hasty: cyberspace, they would say, is a unique dimension and not enough state practice has accumulated with respect to it, certainly no opinio juris. This response reminds me of the curious decision by the International Law Commission back in the early 1990s to exclude “confined aquifers” (underground lakes that have no access to an international river or a lake) from the definition of an “international watercourse” that is subject to international regulation (see the 1994 ILC Resolution on Confined Transboundary Groundwater). The reasoning behind the decision – the dearth of state practice with respect to such aquifers – left hydrologists and environmentalists puzzeled about the logic of international law.
Such a conservative position puts a severe damper on the evolution of international law and its ability to adapt to new challenges, particularly when the pace of technological change is so swift. Without resorting to abstract reasoning that extracts generalized principles from discrete cases, using analogies and distinctions to assess the compatibility of precedents, and moral conviction and economic insights as guides, the evolution of international law would not have been possible. Basic doctrines in international law, such as state responsibility for cross-boundary environmental harm (as in the momentous Trail Smelter arbitration), or indeed the doctrine of state responsibility in general, and even the principle of pacta sunt servanda would not have seen the light of day. This is also true for the Common Law. Every first-year student in a Tort Law class realizes the power of abstraction when reading how a suit by woman who drank from a bottle containing the remains of a snail was developed – inspired by the idea of good neighborliness – into a general theory of negligence (Donoghue v Stevenson, 1932).
How to conceptualize cyberspace?
However, it is not only a myopic legal perfection that animates this conservative position. The insistence on cyber-specific state practice that reflects an opinio juris touches upon a critical challenge for international regulation: how much of “cyberspace” is “international” and which parts of it are domestic? In fact, there is a fundamental disagreement as to the distinction between elements of or practices in cyberspace that are “international” and hence subject to international law, and those that remain within the internal affairs of states and therefore are subject to domestic jurisdiction.
For example, while in the American view, questions related to the architecture of communication protocols and their distributional consequences (e.g., the question of “net neutrality”), and the question of internet governance should remain a matter for US law or even for private regulation, other countries regard them as requiring collective decision-making and therefore are calling for “international governance of the Internet.” It is also not clear whose “internal” space is relevant. While the free flow of online information is a matter of constitutionally protected speech for the U.S., other countries, most notably China and Russia, insist on their sovereign discretion to protect their “internal affairs” against information that could “undermin[e] their political, economic and social stability.” (sect. 2(3) of the 2015 suggested code of conduct). Most states regard surveillance of on-line communications as subject only to domestic law constraints, with minimal protection for the privacy of foreigners. Private actors, including internet giants such as Facebook and Google, stake an even stronger claim. Invoking their private nature and their contractual relations with their users, they expect to be exempted from any public law discipline and endorse a private, lawless cyberspace.
But the interface between the international and the internal realms is not new for international law. And lawyers could confidently navigate this distinction even when addressing new technological challenges. Also here, a measured exercise in abstraction and analogy could find parallels between the law regulating the physical space and that which applies to cyberspace. For example, it is not too much of a stretch to regard the recently announced plan by the Chinese government to prohibit individual access to VPNs (that enables people in China to evade the “Great Chinese Firewall” and reach foreign contents and service providers without government interference) as an infringement of the internationally-protected freedom of information. Claims for an internationally protected right to privacy from foreign surveillance are asserted with much confidence. ICANN, the regime for internet governance, has acknowledged its public nature by adopting accountability disciplines and accommodating non-US stakeholders.
Cyberspace as a common resource?
Perhaps the most intriguing and momentous question relates to the conceptualization of the vast amounts of data that are generated by cyberspace communications and stored in private and public data banks, as an object of ownership and use: Should this data be treated as private property, as the property of communities and states, as the property of the individuals who volunteer the information, or as a type of global commons governed by international law? This is a question for domestic law – who owns the data, who has access to it – but at the same time, it is also a question of international law.
Much of the data is privately owned, much also resides in state-owned servers. But the data has also cross-country sources and effects. Again invoking the analogy from water resources law, the definition of ownership under domestic law, whether private or public, should not preclude the characterization of data as shared under international law, just as the private ownership of a well or a stream according to state law does not detract from the status of the entire international river of which the stream is part as shared under international law. What is important, from the point of view of international law, is that the state’s duties towards its neighbors are fulfilled.
From the perspective of international law, the question is therefore whether data generated or stored within a state’s territory should be regarded as a national resource to be freely disposed of by the state, or regarded as fully or partly shared, entitling other states and foreign actors to a fair opportunity to access it. The prevailing assumption seems to be that questions of ownership of and access to data are subject only to domestic regulation, and that international law is silent on these questions, just as was the case with respect to international rivers. Before issues of scarcity and pollution necessitated concerted regional efforts and international regulation, they used to be governed only by the riparians’ domestic laws. Have we reached a turning point which calls for global attention, if not regulation?
Data usage does not create a question of scarcity. It is like daylight, in that one user does not detract from others’ benefit. But access to data does raise questions of scarcity, both absolute and relative. Absolute scarcity is created when individuals have no access to crucial bits of information, for example about governmental policies affecting them, or about the sharing of their personal information with other users. Unlike access to sunlight, access to data banks is mediated by public and private actors and some users will remain blindfolded when they are denied full access. Relative scarcity results if the price of access is exorbitant leading to unequal opportunities or if certain providers enjoy shorter routes to reach users (e.g., the problem of net neutrality). Imagine that only the affluent could afford sunlight or could enjoy longer exposure to solar energy than others. Indeed, claims have already been made against Facebook and Google for acting as “the new colonial powers.”
Beyond scarcity, there is the challenge of maintaining data security against deliberate efforts to misuse or pollute the databases and undermine their utility, or to manipulate the distribution of information and thereby affect users’ preferences. The rise of “separate ideological bunkers” has unexpected consequences, such as the ubiquity of “fake news” which thrive when the global marketplace of ideas becomes fragmented.
It is by now clear that Big Data – raw digital information – has become the driver of economic growth, indeed the fuel of the future. Access to Big Data is already the key to economic success. For that very reason, the markets for data are already thriving. They are also subject to manipulation. The business model of Facebook and Google, for example, is based on selling users’ data to advertisers, and to maximize their gains, these giants might try to manipulate their services (see the recent announcement by the European Commission of the imposition of a €2.4bn fine on Google for exploiting its virtual monopoly to promote its shopping service). Big Data has also become a potent tool of governance, both domestic and international. Significant amounts of data are accumulated and stored by public authorities who use them for various public purposes. Questions of transparency, privacy and access arise here as well.
While some databases are purely local, containing, for example, information about the inhabitants of a specific municipality or the local fans of a soccer team, most databases are likely to consist of data collected from numerous local and foreign sources. Again, just as in the case of freshwater, there are local brooks and there are mighty international rivers. The private and public data banks are the vessels that store humanity’s data.
I can only briefly outline the case for treating data as a globally shared resource, akin to a giant global lake or river of knowledge. The data has accumulated over years by the input of billions of users, domestic and foreign alike. Each click, like each drop of rain filling up a reservoir, adds to immense reservoirs of human knowledge. Technology and innovation, no doubt spurred by the inspiration of individuals, is the product of the accumulated experience and wisdom of generations. The accumulated data not only provides insights to people’s preferences but it also holds the key for learning about our health and our nature, for ensuring equal access to local and global markets, for monitoring national and international public authorities, for participating in their decision-making processes, and for developing our personalities and our futures. Immense social benefits are likely to accrue from scientific research of this data, and discoveries await the tapping of these reservoirs of human knowledge. There will be ways to benefit from it all, even without undermining economic incentives, or risking the infringement of trade secrets, user privacy or national security.
Impeded or unequal access to data infringes our rights as individuals. It also undermines our ability to sustain our sense of community and our social cohesiveness. As John Stuart Mill presciently noted, “…it is from political discussion and collective political action that one whose daily occupations concentrate his interests in a small circle round himself learns to feel for and with his fellow-citizens, and becomes consciously a member of a great community.”(see here, pp. 10-11).
This is why questions of ownership under domestic law cannot detract from the overriding concern and applicability of international law. ln addition to international human rights law, it is also the general principle of good neighborliness, a principle that inspired the evolution of international water law during the previous century, that call upon states to acknowledge their responsibility toward humanity and treat the access to data, by citizens and foreigners alike, as a matter of international concern and governed by international law. The duties that arise include duties to ensure access (subject to certain restrictions on economic, privacy or security grounds) and the duty to correct new and old market failures and to combat deliberate efforts to pollute the data.