Reconciling Cyberwarfare and Big Data Rights: Do International Human Rights and Humanitarian Laws apply?

As cyberattacks and data leaks increasingly become a part of daily news, their impact is more noticeable across every field of society. More importantly, cyberattacks with significant political and civil implications have begun affecting electoral systems—a serious threat to democracy and international human rights. Indeed, the increasing number of cyberattacks has direct implications for the rights laid out in the International Covenant on Civil and Political Rights (ICCPR) and the Universal Declaration on Human Rights (UDHR). For instance, the “Ghostwriter” attack of 2017 targeted elections of several European Union (EU) member states to foment distrust in the North Atlantic Treaty Organization (NATO). Following this series of attacks, the EU formally assigned responsibility to Russian operators in September 2021, implying undue external interference on political systems had occurred. Also in September 2021, a suspected internal cyberattack to Hungarian polling systems caused nationwide election interference, hindering free participation in public affairs, freedom of expression, and voting rights. [1] Thus, as data analytics can facilitate interference with civil and political liberties as well as enable armed attacks and military strategies, data and cybersecurity rights—the rights determining how to collect, process, use, or disclose personal and private data information—should be seen as a logical extension of human rights.

Human Rights Law at Stake: Data Protection and Privacy Rights

The aforementioned 2017 “Ghostwriter” attacks had political implications across EU Member States, as they fueled distrust and discontent towards the United States and NATO to undermine their influence and shift EU public opinion. [2] This example illustrates the ways in which data rights violations in socio-political contexts can hinder ICCPR and UDHR rights. Article 18 of the ICCPR establishes that “everyone shall have the right to freedom of thought, conscience, and religion,” and Article 25 sets forth that “every citizen shall have the right and the opportunity [...] to take part in the conduct of political affairs [and] to vote.” [3] As the “Ghostwriter” cyberattacks constituted a massive disinformation campaign meant to influence target voters’ opinions about NATO and the role of the United States in Eastern Europe, they limited the free development of voters’ thoughts regarding the election. [4] Whether it be interfering with candidates’ campaign platforms or altering the content of information accessible to voters, voters’ decisions and ability to form informed opinions are limited by external constraints. Foreign interference in domestic elections also hinders freedom of expression—a right protected both by treaty, in Article 19 of the ICCPR, and customary international law—since cyber interference in elections can impede on online expression through filtering, deleting, or labeling data posted on social media platforms. [5]

Moreover, these disinformation campaigns violate principles in the United Nations Charter. For instance, the EU officially accused Russia for the “Ghostwriter” attacks and unduly interfering with internal political matters, for external interference with elections and political systems can be considered as undermining a nation’s right to self-determination. Protecting elections from foreign interference has become a growing concern for many nations. In the United States, the Election Security Act of 2019 was introduced to enhance election security—namely, by requiring electronic voting software to be tested for cybersecurity. [6] In France, the Ministry of Armies established in 2018 that “it would treat any cyberattack against French digital systems or any effects produced on French territory by digital means that is attributable to a state as a breach of its sovereignty.” [7] As external interference in national elections becomes a widespread concern, cyberspace threats to a state’s right to self-determination must be contained.

Hence, due to the rising threat of data breaches and their contribution to foreign interference in elections, data rights seem to logically fall under the umbrella of international human rights treaty law. With the international community evidently acknowledging that legally binding international customs are threatened by cyberattacks, data rights should become a novel extension of human rights. Furthermore, due to the aforementioned political and civil implications, data has been classified by private entities—for instance, by Cambridge Analytica—for use as a “weapon.” Under this classification, international humanitarian law could also come into play to supplement the weaknesses of international human rights law.

Cyberattacks as Armed Conflict: Calling International Humanitarian Law

The very term “cyberattack” implies that certain actions and strategies within the cyberspace amount to the use of force or breach of security. To evaluate cyberattacks under an international humanitarian law framework, it is necessary to analyze those that occur within the context of an existing armed conflict. Indeed, as established by the 1986 International Court of Justice case Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), for a cyberattack to be considered an armed attack by itself, the attack must meet the defined threshold of “scale and effect.” Specifically, the Court distinguished between “lower-level uses of force and ‘the most grave forms of the use of force.’” [8] Only when a cyberattack meets the threshold for serious uses of force can it be analyzed under the frameworks of the laws of war and international humanitarian law. When formal international recognition of an armed conflict is ambiguous, this threshold becomes the measurement against which the Court determines the applicability of this international legal regime.

For example, the “Ghostwriter” cyberattacks did not occur within the context of an armed conflict, and hence did not automatically fall under the umbrella of international humanitarian law. The EU response to these foreign cyberattacks, nonetheless, implied a form of retaliation which has potentially military connotations. European executives are currently considering taking “further steps,” but have not yet clarified the nature of such future action. [9] Furthermore, the European Council has also issued a warning to the Russian Federation prior to the German elections of September 2021. [10] Even though there is no ongoing official armed conflict between the EU and the Russian Federation, the language being utilized hints at this dispute being an issue encompassed by international humanitarian law. Nevertheless, it is not clear whether a court would consider “Ghostwriter” and similar attacks as a grave enough use of force to meet the threshold for applicability of international humanitarian law.

It is thus vital to consider how to handle cyberattacks from an international humanitarian law perspective when the attack is not of sufficient scale and effect to automatically qualify as a formal armed conflict. What happens when there is external interference in domestic politics without a formal, official declaration of war? To answer this question, it is necessary to go back to the most basic and central pillars of international humanitarian law, as suggested by cyberwarfare and international humanitarian law expert Tilman Rodenhauser. [11] The three main principles of this international legal system are the principles of distinction, military necessity, and proportionality. Under the principle of distinction, targeting civilians and civilian objects is forbidden, as is using weapons and attacks that do not differentiate targets. The aforementioned cyberattacks directly impacted the rights, liberties, and ultimately the lives of civilians indiscriminately, because they impinge upon all citizens’ ability to freely participate in their country’s electoral system. Additionally, Rodenhauser asserts that these core principles apply equally to all forms of operations, including cyber events. [12]

Thus, if a cyber event is classified as a cyberattack, analyzing whether it violates the principles governing every offensive operation would allow one to determine whether the cyberattack can be classified as an armed attack. If an operation violates the three principles of international humanitarian law, then the attack is grave enough to pass the threshold of scale and effect. If international humanitarian law is violated at its very core, then the effects of the attack are grave enough to be considered a use of force. 

Furthermore, determining that a cyberattack constitutes an armed attack could be achieved by establishing that the instrument used for these operations is legally a weapon. As asserted by Rodenhauser, international humanitarian law applies to both current, traditional weapons and to weapons “of the future.” [13] For this reason, cyberweapons and cyber warfare have to be studied, especially given that this “future” is part of the present. [14] In the Tallinn Manual, a legal study on how international law applies in the cyber world, cyberweapons are defined as “cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects, that is, which result in the consequences required for qualification of a cyber operation as an attack.” [15] Thus, if data is intended to be used to threaten a person’s safety, damage core national and legal institutions, or to attack military targets, it would fall within the umbrella of cyberwarfare.

Yet, even given such a definition,  data analytics are not inherently weapons, as their function is not solely militaristic. Data analytics do not necessarily cause injury to people, as they can be used to enhance business practices and improve communication. Nonetheless, they can also be used in harmful, intrusive ways, as has been previously established. When mishandled, inappropriately disclosed, or incorrectly gathered, even outside of the context of an armed conflict, data can threaten human rights, life, and liberty. If this tool is used to disproportionately target certain individuals, it violates the three aforementioned principles of international humanitarian law. Thus, the overall consensus under the Tallinn Manual is that, while data does not per se qualify as a weapon, whenever it is used to gather information on and target a civilian object resulting in potential physical consequences, then this attack on data is in violation of the Geneva Conventions. [16] For instance, targeting civilian data to surveil and plan an attack to a civilian-used facility, such as a school or hospital, will result in physical consequences to civilian objects and will amount to an attack on data. Thus, utilizing a lens of humanitarian law and armed conflict reveals the human rights abuses stemming from data rights violations.

Thus, as big data facilitates thought manipulation through targeted messaging, legal frameworks protecting individual freedom of thought, conscience, and speech—core freedoms in the human rights framework—can only be preserved by incorporating data rights within human rights doctrines. Moreover, in the case of violations of data rights that result in the violation of core international humanitarian law principles, especially through cyberattacks that directly lead to casualties, data can be clearly classified a weapon in a legal sense. Since its collection, use, or disclosure can be intentionally employed to injure persons, property, and institutions, data—as a cyberweapon—can have resulting damages of similar scale and effect as traditional weapons. As the unjustified, inappropriate use of weapons translates into a potential armed conflict, upholding big data rights requires treating cyberattacks as armed conflicts. Ultimately, beyond integrating data rights and usage within the frameworks of international humanitarian law, data analytics warrant their own consolidated international human rights legal framework. 

Edited by Animesh Joshi

Sources: 

[1] Significant Cyber Incidents, Center for Strategic and International Studies (2021), online at https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents  (visited December 1, 2021).

[2] Ibid.

[3] “International Covenant on Civil and Political rights,” opened for signature December 16, 1966, United Nations Treaty Series vol. 999, https://www.ohchr.org/Documents/ProfessionalInterest/ccpr.pdf 

[4] Deutsche Welle, EU Accuses Russia of Involvement in 'Ghostwriter' Cyberattacks,  Deutsche Welle (2021), online at https://www.dw.com/en/eu-accuses-russia-of-involvement-in-ghostwriter-cyberattacks/a-59296733 (visited December 1, 2021). 

[5] Michael Schmitt, Foreign Cyber Interference in Elections: An International Law Primer, Part II, EJIL Talk (2020), online at https://www.ejiltalk.org/foreign-cyber-interference-in-elections-an-international-law-primer-part-ii/ (visited December 1, 2021).  

[6] Foreign Interference in US Elections: Laws, Findlaw (2020), online at https://www.findlaw.com/voting/how-do-i-protect-my-right-to-vote-/foreign-interference-in-us-elections—laws.html (visited December 1, 2021). 

[7] Schmitt, Foreign Cyber Interference. 

[8] Catherine Lotrionte, “Cyber Operations: Conflict Under International Law.” Georgetown Journal of International Affairs, 15-24 (2012).

[9] Carly Page, Eu Warns Russia over 'Ghostwriter' Hacking Ahead of German Elections TechCrunch (2021), online at https://techcrunch.com/2021/09/24/european-council-russia-ghostwriter/ (visited December 1, 2021).  

[10] Ibid.

[11] International Committee of the Red Cross, Cyber Warfare: Does International Humanitarian Law Apply?, International Committee of the Red Cross (2021), online at https://www.icrc.org/en/document/cyber-warfare-and-international-humanitarian-law (visited December 1, 2021).

[12] Ibid.

[13] Ibid.

[14] Samuele De Tomas Colatin and Ann Väljataga, Data as a Weapon: Refined Cyber Capabilities Under Weapon Reviews and International Human Rights Law, CCDCOE - NATO Cooperative Cyber Defense Centre of Excellence (2021), online at https://www.ccdcoe.org/uploads/2020/05/Data_as_a_weapon_-_reviews_and_oversight_FINAL_PDF.pdf (visited December 1, 2021).  

[15] Michael N. Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 452 (Cambridge University Press 2017).
[16] Navneeta Shankar, “Attack on Civilian Data and International Humanitarian Law.” International Law and Policy Society, 8 July 2020, https://www.ilpsnluo.com/articles/attack-on-civilian-data-and-international-humanitarian-law/.