September 2017

Cyberspace: The Final Frontier of Extra-Territoriality in Human Rights Law

By: Yuval Shany.

Read More
(Lecture delivered in ESIL Annual Conference, Naples, Sept. 2017).

The tension between universality and state-centrism in international human rights law

International human rights law has always suffered from a split personality as far as its relationship to the state system goes. The idea of human rights is inherently universal, it emanates from a moral conviction about justified claims that individuals and groups of individuals have vis-à-vis the rest of the world, and such “rights” have been described as inalienable,[i] pre-political[ii] and as “trumps”.[iii] At the same time, international law is state-based, highly influenced by political developments, and a field of constant contestation. Hence, international human rights law is at its essence a legal hybrid): It is a system of norms and institutions that channels universal norms through the apparatus of the state system. Human rights obligations are imposed on states, and their enforcement is invested in states. As long as the world was neatly divided into states – in the sense that each state controlled more or less exclusively a slice of the planet – and as long as states were reasonably viewed as a dominant source of power, authority and control exercised over individuals and groups of individuals – international human rights law could be regarded at some level to be both universal and state-centered, at the same time: This idea is captured in article 2 of the UDHR:  

“Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind.  Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty.”

Under this worldview, human rights are universal because everyone belongs to a “country or territory”, in which his or her rights are to be implemented.

Two vexing questions have challenged over time this "individual rights- state obligations-universal norms" structure: (1) The extra-territorial exercise of government authority; and (2) the exercise of power and control over individuals by non-states actors. With respect to the first one, the projection of state power outside state territory has created the risk of regulatory overlaps and gaps – including, that some individuals would be harmed by a “country or territory” to which they do not belong in a physical sense. We have seen, in response, a gradual move by the ECHR and the UN HRC to address this concern by expanding the applicability of state-centered IHRL to the extra-territorial exercise of governmental power, through expanding construction of the key term of ‘jurisdiction’ – which triggers the extra-territorial applicability of the ECHR and the ICCPR (as construed by the HRC). There are, however, different spheres of power and control, which could conceivably implicate the extra-territorial protection of human rights (and the resulting degree of overlap between the obligations of the territorial and the extra-territorial state) and different approaches by different human rights bodies to the question of where do state obligations under IHRL end. Ultimately, all approaches limit the scope of extra-territorial application of state authority, leaving some individuals under protected.


Extra-territorial obligations

Due to space constraints, I will not go into discussion of the very interesting history of the development of the extra-territorial jurisprudence across the different treaty regimes and regional sub-systems. Suffice it mention that the ECHR approach – elaborated recently in Al Skeini (2011),[iv] Catan (2012),[v] Chiragov (2015)[vi] and Sargsyan (2015)[vii] has tended to require a high degree of control over persons and territory, which tries to approximate the level of control a state exercises over individuals in its own territory – including, situations of physical custody and situations of effective control over territory due to military occupation or “decisive influence” over a separatist regime. In cases, where a state lost effective control over its territory, the Court has accepted the continued application of the Convention, but emphasized that the level of positive obligations imposed on the state would be reduced so as to reflect its limited ability to influence the human rights situation on the ground, leaving multiple protection gaps.

The HRC has taken a more sweeping approach, construing “jurisdiction” as covering both effective control and exercise of power. General Comment 31(2004) which codifies previous practice, stated that – “a State party must respect and ensure the rights laid down in the Covenant to anyone within the power or effective control of that State Party, even if not situated within the territory of the State Party”. This standard has been regarded by the Committee as applicable, for instance, to drone attacks (USA COB 2014;[viii] cf. Bankovic ECtHR 2001([ix] which is compatible with the Nuclear weapons AO which regarded the (presumably extra-territorial) use of nuclear weapons as potentially contradictory to the ICCPR.[x] It has also been applied (USA COB 2014)[xi] to the surveillance of mobile phones of foreign subjects in foreign territory (alluding to the US wiretapping operation directed against German President, Angela Merkel) – under the theory that extra-territorial surveillance operations brought targets of surveillance and their ability to enjoy privacy rights sufficiently under the power  of the US.

Para. 26 of draft General Comment 36 – the most recent attempt to codify the relevant practice of the Committee (adopted last July by the Committee), emphasizes the protective obligations of states. It reads that: “States parties must take appropriate measures to protect individuals against deprivations of life by other States operating within their territory or in other areas subject to their jurisdiction. They must also ensure that all activities taking place in whole or in part within their territory and in other areas subject to their jurisdiction, but having a [direct], significant and foreseeable impact on the right to life of individuals outside their territory, including activities taken by corporate entities, are consistent with article 6, taking due account of related international standards of corporate social responsibility”. As will be explained below, the combination of extra-territorial responsibility of states over operations of companies abroad raises specific issues, implicating a particularly thorny area where protection gaps exist.

It may also be noted that the recent General Comment 24 of the Committee on Economic, Social and Cultural Rights in the Context of Business Activities goes beyond the control approach of the ECHR, and control or power approach of the HRC. The most relevant paragraph of the General Comment – para. 29 - reads:

The extraterritorial obligation to respect requires States parties to refrain from interfering directly or indirectly with the enjoyment of the Covenant rights by persons outside their territories. As part of that obligation, States parties must ensure that they do not obstruct another State from complying with its obligations under the Covenant. This duty is particularly relevant to the negotiation and conclusion of trade and investment agreements or of financial and tax treaties, as well as to judicial cooperation.

The key here is “interference” – that is direct or indirect impact on right enjoyment, which does amount to a “cause and effect” type of attribution. If accepted, this approach could minimize the existing extra-territorial protection gaps. It is doubtful, however, whether states would adhere to such an open-ended standard.


Preventing violations by private actors

The other challenge facing the traditional state-centered IHRL framework when applying universal human rights derives from the decreased role of state in economic life – due to economic liberalization, deregulation and the collapse of centralized economy states, on the one hand, and the rise of MNCs as dominant economic actors on the other hand. Such economic changes coincide with a conceptual change in IHRL theory, which significantly expands the list of protected rights – including therein many economic and social rights, putting more emphasis on the needs of victims (for whom private torture in the context of domestic violence may be, for example, as terrible as “public torture” by the police), and moving gradually from dealing exclusively with the symptoms of failure to respect IHRL – the violations themselves – to root causes – the structural reasons, which enable and perpetuate the violates – including by private actors.

This challenge has been met with the development of "positive obligation" doctrines – which read the "duty to secure" in article 1 of the ECHR and the "duty to respect and to ensure" in article 2(1) the ICCPR as including negative and positive "due diligence" obligations. Again, space does not allow to discuss the multiple developments in jurisprudence in this vast field. Suffice it to mention at this stage that the ECtHR has since the late 1970s required states to take positive measures to ensure effective enjoyment of rights (Airey, 1979)[xii] and to afford effective protection for the rights of individuals from violations by other individuals (X and Y v Netherlands, 1985).[xiii] The HRC General Comment 31 has also taken a similar view on the matter, holding that:

The positive obligations on States Parties to ensure Covenant rights will only be fully discharged if individuals are protected by the State, not just against violations of Covenant rights by its agents, but also against acts committed by private persons or entities that would impair the enjoyment of Covenant rights in so far as they are amenable to application between private persons or entities. There may be circumstances in which a failure to ensure Covenant rights as required by article 2 would give rise to violations by States Parties of those rights, as a result of States Parties’ permitting or failing to take appropriate measures or to exercise due diligence to prevent, punish, investigate or redress the harm caused by such acts by private persons or entities. 

This standard has been reaffirmed in draft General Comment 36 on the right to life:

States parties are thus under a due diligence obligation to undertake reasonable positive measures, which do not impose on them impossible or disproportionate burdens, in response to foreseeable threats to life originating from private persons and entities, whose conduct is not attributable to the State


The combined extra-territorial challenge

What we have been seeing more and more in the practice of the HRC and other treaty bodies – not yet at the regional human rights level - are cases involving a combination of the two aforementioned predicaments – situations involving private actors – typically, MNCs - based in the territory of one state but active in the territory of another state in ways which raise concerns about the applicability of universal human rights standards. For example, the HRC has been confronted with complaints involving the forced evictions caused due to the operations of a German company in a plantation in Uganda,[xiv] with Canadian mining and construction companies operating in multiple countries [xv] and with Italian companies selling surveillance technology to repressive governments.[xvi] Essentially, the approach of the Committee has been, as indicated before with respect to Draft General Comment 36 – is to apply the [direct], significant and foreseeable impact standard with respect to extra-territorial operations of “corporate entities” based in their territory, “while taking due account of related international standards of corporate social responsibility”. Indeed – the dialogue with States has alluded to standards such as Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises.

The recent CESCR General Comment is particularly expansive on the issue of state responsibility over extra-territorial corporate activities, specifying that:[xvii]

  • The duty to regulate companies under the control of the State covers corporations that are domiciled in their territory and/or jurisdiction. This includes corporations incorporated under their laws, or which have their statutory seat, central administration or principal place of business on their national territory.
  • The State is required to “take reasonable measures that could have prevented the occurrence of the event”
  • The duty applies “even if other causes have also contributed to the occurrence of the violation, and even if the State had not foreseen that a violation would occur, provided such a violation was reasonably foreseeable”
  • States are required to pressurize companies to influence and exercise themselves due diligence vis-à-vis their subsidiaries or business partners
  • “Appropriate monitoring and accountability procedures must be put in place to ensure effective prevention and enforcement”

Cyberspace: The additional twist of detetrritorialization and decentralization

The applicability of IHRL to cyberspace may first appear to involve a combination of the extra-territoriality and private actor protection challenges: Activity on cyberspace traverses routinely national boundaries, and private actors – including, some very powerful IT companies – enjoy a dominant position in influencing on-line interactions. It is questionable however whether, in applying the combined existing standards for extra-territoriality and positive obligations to regulate the activities of private actors, (a) it is reasonable to expect the host state to regulate activities of foreign IT companies, which may have a profound impact on important human rights of local residents – as such regulation may be hard to implement and could require a high degree of state intervention in on-line activities; (b) it is reasonable for home states to restrict the operations of local IT companies operating abroad, just because their on-line platforms may foreseeably be misused or abused by third parties? While CESCR General Comment 24 may lean in the direction of imposing such obligations, Draft HRC General Comment 36, which requires a more direct impact appears to lean in the other direction. I may say that at least with respect to the second set of issues – regulation of home-based companies - General Comment 24 may have gone too far: It is reasonably foreseeable that many useful goods and services could be abused in ways that constitute human rights violations – cars, may result in loss of life, cameras may be used to violate privacy, and banking services may be used to fund illegal activities. However, it would be difficult and probably undesirable for the home country to regulate these activities extra-territorially – as it would may interfere considerably in the regulatory regimes of host countries, and create an impossibly complex maze of regulations.        

But at a more fundamental level we need to concede further degrees of legal complication, putting in question the very suitability of human rights law to effectively regulate cyberspace. A first tension involves application of the very notions of territoriality and extra-territoriality: Some elements of interactions on cyberspace have a territorial dimension – for example, an IT company which operate a social media platform may be incorporated in the territory of one state, a cybercriminal using that platform and some of the physical infrastructure they use may be physically located in the territory of a second state, and the end user – the victim – and his computer may be based in a third state. The data also flows over cables and fibers which traverse the territory of various states. However, many of these territorial attributes are random, and the extent to which states can and should exercise control over them – without resorting to radical repressive measures – is very small. Hence, cyberspace should be described as a largely deterritorialized space, in which on-line communities – which only partly correspond to physical communities – exist. Moreover, individuals interacting in cyberspace often do so by way of developing a virtual or digital persona, which exists only in that space. In this regard too, the fit between a territory-driven state-centric legal framework based on physical presence and the actual dynamics of virtual social interactions on cyberspace is very limited.

In addition, the chief attribute that makes cyberspace such a useful and powerful vehicle for communication and access to data and ideas – including data and ideas promoting IHRL - is its universality: It is a space shared by all and freely accessible to all under more or less equal terms pursuant to the net neutrality principle. An IHRL framework that require states to renationalize segments of cyberspace and to fragment it to overlapping territorial zones of influence and regulation, cuts against the logic of creating such a space, and may result in ‘throwing the baby with the bath water’.

Thus, I do not think US regulation of Facebook would be a practical answer to hate speech in Italy, nor would Chinese regulation of cyber-security software installed on Lenovo computers be the answer to the challenges of privacy protection in cyberspace. At the same time, I realize that host states are often ill-positioned to impose standards of conduct on foreign companies operating in their territory – the Apples, Googles, and Intels of this world – and have great difficulties in handling violations originating outside their territory, such as hacking into sensitive personal identity information or distribution of child pornography.

So, confronting the challenge before us may require a reboot of IHRL – developing beside the state-centric branch of IHRL, which emanated from the UDHR, a new branch of universal law, which should apply to all stakeholders in cyberspace – IT companies, on-line users, regulators, states and IGOs. Some initial indications for the development of such a lex cybernetica already exists in the shape of states company policies, such as the Facebook notify/remove policy elaborated in its “community standards”, Google privacy policies detailed in its “terms of service”, the commitment not to cause physical harm in the Internet Society’s code of conduct and human rights by coding technological practices. “Traditional” IHRL can serve an ancillary role vis-à-vis such developments with a view to promote new standards: For example, to push home countries to encourage companies based in their territory to adopt generally acceptable standards of corporate responsibility, and relevant IHRL-lex cybernetica standards, which include effective remedies. Although existing IHRL cannot effectively regulate directly cyber-space, it can support and oversee self-regulation, private ordering and coding by the industry and support hybrid norms and institutions that apply globally, not extra-territorially.


[i] Universal Declaration of Human Rights, preamble

[ii] See e.g., Martha Nussbaum, Frontiers of Justice: Disability, Nationality, Species Membership

(Cambridge: Harvard University Press, 2006) 285

[iii] See e.g., Ronald Dworkin, Taking Rights Seriously (London: Bloomsbury Publishing, 1977) 6.

[iv] Al Skeini v UK, ECtHR Judgment of 7 July 2011.

[v] Catan v Moldova and Russia, ECtHR Judgment of 19 Oct. 2012.

[vi] Chiragov v Armenia, ECtHR Judgment of 16 June 2015.

[vii] Sargsyan v Azerbaijan, ECtHR Judgment of 16 June 2015.

[viii] UN HRC, Concluding Observations: USA (2014), para. 9.

[ix] Bankovic v Belgium, ECtHR Judgment of 19 December 2001.

[x] Legality of the Threat or Use of Nuclear Weapons, 1996 ICJ 226, 240.

[xi] UN HRC, Concluding Observations: USA (2014), para. 22.

[xii] Airey v Ireland, ECtHR Judgment of 9 Oct. 1979

[xiii] X and Y v Netherlands, ECtHR Judgment of 26 March 1985.

[xiv] UN HRC, Concluding Observations: Germany (2012), para. 16: “The State party is encouraged to set out clearly the expectation that all business enterprises domiciled in its territory and/or its jurisdiction respect human rights standards in accordance with the Covenant throughout their operations. It is also encouraged to take appropriate measures to strengthen the remedies provided to protect people who have been victims of activities of such business enterprises operating abroad”.

[xv] UN HRC, Concluding Observations: Canada (2015), para. 6: “The State party should (a) enhance the effectiveness of existing mechanisms to ensure that all Canadian corporations under its jurisdiction , in particular mining corporations, respect human rights standards when operating abroad; ( b) consider establishing an independent mechanism with powers to investigate human rights abuses by such corporations abroad; and ( c) develop a legal framework that affords legal remedies to people who have been victims of activities of such corporations operating abroad”.

[xvi] UN HRC, Concluding Observations: Italy (2017), para. 37:“… that measures are taken to ensure that all corporations under its jurisdiction, in particular technology corporations, respect human rights standards when engaging in operations abroad”.

[xvii] General Comment 24 of the Committee on Economic, Social and Cultural Rights in the Context of Business Activities (2017), part 2. 

Read Less

A Roadmap for the Cross-Border Data Transfers Debate

ByAsaf Lubin.

Read More
Jon Doe commits a crime in country A. Digital evidence pertaining to the investigation of that crime is stored on the perpetrators electronic devices, which are located in Country B. Some additional evidence is stored in servers owned by an email service provider (ESP). While the ESP is registered in Country D, its servers are physically located in Country E. In the age of digital communications and cloud computing, law enforcement agencies are called to delicately maneuver this web of jurisdictions in order to obtain necessary evidence and run effective investigations.

The traditional approach has also been to rely on mutual legal assistance arrangements (MLAs) namely concluded through bilateral and multilateral treaties. These agreements lay the foundations for the gathering and exchanging of information in the enforcement of public or criminal laws. For example of a multilateral arrangement consider the 2003 Agreement on Mutual Legal Assistance between the European Union and the United States of America. For a bilateral example consider the Treaty between the Government of the Republic of India and the Government of Canada on Mutual Assistance in Criminal Matters which was signed in 1994.

The 21st century’s move towards digital communications, online services, and cloud computing has complicated traditional legal cooperation in this space. The slow pace of the current MLA process for cross-border data requests has frustrated criminal investigators in many countries. Consider for example a typical process for legal assistance between the UK and the US as it currently stands. The UK Foreign Office sends a request for communications content data by a US company to the US Department of Justice Office of International Affairs (OIA). OIA works with the UK Foreign Office to ensure the request satisfies US legal standards and then works with a US Attorney to send the request to the District Court either in the D.C. area or in the jurisdiction where the evidence is held. The judge reviews the request and grants its, or sends it back to OIA for further iterations with the UK Foreign Office. If granted the request goes to the company, which sends a response to OIA, which checks the response and in turn sends the response to the UK (see graph A below).

The inability of companies to respond directly to the requesting country, even though the request has been judicially approved, significantly slows down the process. Moreover the need of the requesting Country to comply with the criminal standards in the requested State adds further frustration. As the European Commission noted in a recent “inception impact assessment” report on the issue:

“While a national request to service providers takes in general a few days at most, MLA requests to the U.S. as the main recipient take around 10 months on average and require significant resources. In such cases, the evidence transmitted is often outdated or comes too late... Through direct cooperation between authorities in EU Member States and service providers in the U.S., which is possible under U.S. law for non-content data, the latter receives more than 100,000 requests per year, compared to about 4,000 requests under the E.U.-U.S. MLA Convention”.

asaf lubin

To this one needs to add the opacity that is the result of the storage practices of ESPs. The U.S. National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce, identifies Cloud Computing as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. At the heart of the model thus stands the idea that the physical storage of data may span multiple servers and thus multiple jurisdictions. The hosting company may not even be aware where a particular email is stored at a particular time. The (un)territoriality of data thus introduces a new challenge to traditional conceptualizations of jurisdiction. See in this regards the comments raised by the Group of Experts that drafted Tallinn Manual 2.0 (p.68):

“The experts noted that it sometimes may be impossible or difficult to reliably identify the State in which the digital evidence or other data subject to extraterritorial enforcement jurisdiction resides. They agreed that international law does not address this situation with clarity. Therefore no consensus could be achieved as to whether a state may exercise extraterritorial enforcement jurisdiction in such cases by taking law enforcement measures regarding that evidence or data.”[1]

In this short blog post I wish not to tackle this complex issue of jurisdiction. Instead I hope to map out recent developments in States’ practice to provide scholars entering the field with some broad background into the current state of affairs.

  1. The United States:
    1. The Aftermath of the Microsoft Ireland Case- This past May the Senate Judiciary Committee ran a live-streamed hearing on Cross-Border Access to Data (good summaries of the debates are available here and here). The interest in running these hearings was sparked, in part, due to a unanimous decision from the Second Circuit’s in the Microsoft Ireland case (July 2016). The Second Circuit found that the US warrant authority pursuant to the Electronics Communications Privacy Act only extended to data that is physically located in the US. In that particular case the U.S. Government sought emails as part of a narcotics investigations from users whose accounts were located on Microsoft servers in Ireland. On 13 October 2016, the U.S. Government filed a petition for an en banc rehearing by the Second Circuit but it was denied on a 4-4 vote. On 23 June 2017, the U.S. Government filed a petition for a writ of certiorari with the Supreme Court. On 2 August 2017 the AGs of 33 States plus Puerto Rico filed a bipartisan amicus urging the Court to grant the cert. Since the Second Circuit decision, at least 10 different magistrate judges issued opinions rejecting the Second Circuit’s position. These include decisions from the Eastern District of Pennsylvania (February 2017), the Eastern District of Wisconsin (February 2017), and the Middle District of Florida (April 2017). More importantly is an August decision from the Northern District of California (NDCA) concerning a similar application from Google. This decision is noteworthy given the fact that most of the tech companies are located within the jurisdiction of NDCA. Senator Garssley (R, Iowa) of the Judiciary Committee has said that a legislative fix to the Microsoft Ireland case is coming up the pipeline, and will hopefully be put to a vote before the end of the year. In the meanwhile this split in court decisions is making it more likely that the Supreme Court will approve the writ and grant the cert.
    2. Rule 41 and Hacking as an Alternative to Cross Border Requests- Another development in the U.S. context concerns the Amendment to Rule 41 of the Rules of Criminal Procedure and Evidence, which authorizes a magistrate judge to issue warrants for remote searches (or the acking of devices) outside their district (all over the Country, and indeed the world) in cases where the media or information was concealed (i.e. in the context of user anonymizing technologies, such as ToR) (see more information here and here). This amendment follows a controversial hacking operation launched by the FBI in 2015 known as the “Playpen Investigation” and relates to a crackdown on consumers and producers of child pornography. The global investigation ended up hacking 8,700 computers in 120 countries, without the latter’s consent or knoweldge. There has been an academic skirmish on the Stanford Law Review, concerning hacking as an alternative to cross border data transfers - with Ahmed Ghappour writing “Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web” and Sean Murphy and Orin Kerr responding with “Government Hacking to Light the Dark Web: What Risks to International Relations and International Law”.
    3. The USA-UK Agreement- The US and the UK have been negotiating a bilateral agreement, the text of which has not been made public, that would allow the two governments to request for communications content data directly from the ESPs without having to go through State authorities or Courts. This is what some coin an “expedited MLA”. The Blogs Lawfare and Just Security have recently hosted a debate over the adequacy of the agreement and the extent to which it will protect the data privacy of the citizens of both countries (see herehere, and here).
  2. The European Continent:
    1. Mutual Recognition: The European Investigation Order of 2014, which entered in force this past June, puts an emphasis on the principle of mutual recognition for judicial decisions when it comes to obtaining evidence for use in criminal proceedings. This directive applies to all EU countries except Denmark and Ireland, which are not taking part. The United Kingdom decided to participate in the proposed Directive. It replaces the Convention on Mutual Assistance in Criminal Matters (MLAC), which was adopted as a European Council Act on 29 May 2000. As part of the move towards “mutual recognition” Commissioner Jourová announced her intention to put forward proposed legislative measures for adoption by the Commission in early 2018 which will ease the way by which European law enforcement authorities may directly request tech companies to provide them with electronic evidence. The Commission is considering one of three options: (1) the least intrusive option involves allowing law enforcement authorities in one member state to ask an IT provider in another member state to turn over electronic evidence, without having to ask that member state first. The decision to cooperate would be left to the companies’ discretion; (2) the second option would see the companies obliged to turn over data if requested by law enforcement authorities in other member countries; (3) the most intrusive option concerns situations where authorities do not know the location of the server hosting the data or there is a risk of the data being lost. In such scenarios the Commission is contemplating the power to compel companies to identify the relevant server and the owner of the data (including by breaking encryption, anonymization, and other privacy-enhancing tools).
    2. Additional Protocol to the Cybercrime Convention- the Budapest Convention on Cybercrime was the first treaty to address computer crimes by harmonizing national laws and increasing cooperation amongst nations. It was signed on 23 November 2001 and became effective on 1 July 2004. It was drawn up by the Council of Europe and as of today 55 countries have ratified it (with additional four signing but not ratifying). The Convention is open for accession by non Council members, though key countries such as India, Russia, and Brazil have refused to adopt it. In November 2016 in a meeting of the Cyber Crime Convection Committee a set of recommendations were adopted as part of discussions concerning effective responses to the challenge of “cloud computing”. One of the recommendations included the launching of negotiation for an additional protocol to the Budapest Convention to cover “solutions on criminal justice access to evidence stored on servers in the cloud and in foreign jurisdictions, including through mutual legal assistance”. The Cloud Evidence Group is now discussing the content of such a protocol and additional information is available here.
    3. THE CJEU NPR Decision: another alternative to the MLA problem has been the signing of particular subject matter agreements for the transfer of data and cooperation in particular areas. One such example is in the field of Passenger Name Record (PNR) data, which concerns data collected by air carriers through their automated reservation systems and departure control systems. In July the Grand Chamber Court of Justice of the European Union issued opinion 1/15 which concerned an agreement between Canada and the European Union on the transfer and processing of Passenger Name Record (PNR) data signed on 25 June 2014. The Court found the agreement incompatible with Articles 7 and 8 of the Charter of Fundamental Rights and Freedoms (concerning the rights of individuals for protection of their personal data). The judgment lays the foundations for any future automated sharing of such bulk datasets between individuals and agencies within the EU and the authorities of non-EU member States. For further reading see here.
  3. Non-Western Responses to the MLAT Problem: As we have witnessed, the western response to the MLAT problem has been to suggest reforms to the existing framework, such as “expedited MLA” and “mutual recognition” (for more proposals see e.g. hereherehere, and here) or extraterritorial enforcement (such as remote hacking and corporate backdoors). Outside of the Western hemisphere, however, the solution has been data localization. By compelling any company operating in your territory to also store data locally, the Country both increases its capacity to enforce its jurisdiction on the evidence those companies store, as well as protect its citizens from non-consensual transfer of their data. China adopted a new cybersecurity law, which included data localization measures, in April (more information is available herehere, and here). Indonesia, Russia, Brazil, India and Iran have all taken similar legislative measures (see this 2014 piece on the “Growth of Data Localization Post-Snowden”). Some even suggest that the EU General Data Protection Regulation is a “data localization” regulation in disguise. There has been significant criticism by lawyers, human rights advocates, and technologists on the impacts of data localization on the internet (see herehereherehere, and here).
  4. The United Nations: The U.N. Security Council adopted Resolution 2322 on December 2016. The Resolution in operative clauses 3, 4 and 9 calls on all member States to cooperate in intelligence sharing and data transfers between law enforcement in the fight against terrorism, including through amendments to national legislation. Operative clause 13 is specifically devoted to the “review and update” of the MLA regime “in light of the substantial increase in the volume of requests for digital data” across borders. The UNSC subcommittee on counter terrorism (CTED) is in charge of submitting a report by the end of this year on the ways by which countries may implement this resolution. CTED has solicited information form Member States and civil society and in June held a two day technical consultation at the UN Headquarters on good practices for cross border data transfers.

For those interested in the topic Georgia Tech runs a “Cross Border Requests for Data” Project. In May the University ran four panels at an event titled “Surveillance, Privacy, and Data Across Borders: Trans-Atlantic Perspectives” (the panels were all live-streamed and the videos are available online). The topics discussed ranged from how to reform MLAs, the pending US-UK agreement, international law and cross border data requests and hacking operations. The May sessions were then turned into a symposium on the LAWFARE Blog, which is highly recommended. Earlier in January Georgia Tech ran a smaller event in Brussels, which was then used to launch a series of academic papers on cross-border access to user data.


[1] Note that the Tallinn Manual experts nonetheless go on to “adjudicate the territoriality and extraterritoriality of several situations where the data storage location is known”. For an analysis and criticism of the Tallinn Manual’s approach in this regard see the fascinating recent article by Kristen E. Eichensehr, Data Extraterritoriality, 95 Texas L. Rev. 145 (2017).


Read Less

Sharing is Caring

ByDavid Maimon and Eric Chapman.

Read More
In October of 2010, the Securities and Exchange Commission issued a detailed guidance for publically-traded companies regarding their obligation to disclose information about their cybercrime victimization incidents. The stated goal of the guidance is to allow investors an opportunity to consider the risks associated with investing their money in the relevant company. Unfortunately, though, numerous reports suggest that major U.S. companies choose to ignore the guidance and refrain from reporting their digital security breaches to the public. Related to this, numerous public and private companies are uncomfortable about sharing their cybercrime victimization experiences with cyber security professionals and scholars. The tendency for companies to conceal this information is due to their fear that admitting digital breaches will scare away potential investors and current customers.

By keeping this valuable information to themselves, companies and governmental agencies exacerbate the magnitude of cybercrime and expose themselves to future attacks on their systems. Moreover, by preventing the scientific analysis of this valuable information, public and private companies sabotage experts’ efforts to develop a comprehensive understanding of cybercrime. Indeed, few public companies make cybercrime attacks data available to the public, so that only a small portion of cybercrime incidents can be analyzed. When allowing access to their records, companies insist that data are analyzed and observed out of context. Specifically, the information provided by these companies is given without any mention of the timing and patterns of the attacks or the type of activities network users were engaged in at the time. This makes the task of studying cybercrime and security breaches extremely difficult and inefficient, since while it may permit the development of technical knowledge, it prevents the accumulation of scientific understanding concerning social predictors of this phenomenon.

This is probably the place to remind readers that despite its heavy reliance on technical tools, cybercrime is nevertheless a human phenomenon! It is true that computers and electronic systems (for instance bot-nets) are employed for hacking, spamming, and web defacement, among other activities. However, in all cases, human players (including hackers, innocent network-users, and information technology managers) bear some responsibility for the success of this crime. Thus, alongside the work of criminologists who analyze crime incidents and data in specific social contexts (such as schools and neighborhoods), any investigation and analysis of cybercrime data should take place within the context of the victims’ social environment. The fact that we still do not know much about cyber criminals and victims is directly related to the resistance on the part of companies (both publicly and privately owned) and governmental agencies to report digital security breaches and allow access to their records (as they would following any other crime against them or their employees).

We encourage public and private companies, as well as governmental agencies, to support cybercrime prevention efforts by reporting data breaches and allowing cyber-security experts access to this valuable information. We believe that nowadays, everyone – including investors, customers, and trustee boards – must recognize the importance of studying cybercrime and the risks associated with failing to do so. (This is reminiscent of the common understanding among policy makers and social scientists 100 years ago that it was crucial to compile data on neighborhoods’ demographic and social characteristics in order to allow a comprehensive understanding of the underlying causes of crime).

In order to generate a better understanding of this problem, something needs to change. Sharing is caring!



Read Less