Various contemporary territorial conflicts have resulted in areas falling outside the effective control of the sovereign state (territorial state) – such as Transnistria (1992), Nagorno-Karabakh (1988–94), South Ossetia (1991–92, 2008) and Abkhazia (1992–93), Crimea (2014) and the separatist areas in Eastern Ukraine (2014 to date) – or vast territories controlled by extremist terrorist groups in the Middle East, such as the Islamic State (2014 to date).1 The state's lack of effective control over part of its territory raises multiple challenges for international law, which is traditionally based on the duties of the state that is presumed to have exclusive control over its sovereign territory.2 Once the territorial state loses effective control over part of its territory – for various reasons, such as an armed conflict or consent given by the state to have its territory administered by an another subject of international law3 – various norms of international law that bind the territorial state become ineffective. While each of those territorial situations gives rise to different legal regimes (such as the law of international armed conflict, the law of non-international armed conflict, the territorial lease agreement), a common element is an apparent legal lacuna in conventional human rights obligations of the international law subject that controls the territory. Furthermore, the actors controlling the area may be other states or even non-state actors (such as armed opposition groups, de facto regimes, international organisations), which may not be addressees of international law. Instead of the notion of ‘ungoverned spaces’, widely used in the literature,4 it is more accurate to recognise that various actors – which are often states other than the territorial state and non-state actors – exercise effective control over the territory.
This means that often several states control the same territory (such as through a multinational operation) or that the conduct of a non-state actor in directly controlling the territory is attributed to an outside state. Therefore, the above-mentioned legal lacuna can be filled by new, or newly interpreted rules applied to the subjects that are active in the area: solutions proposed include the human rights obligations of the subject controlling the territory under the de facto control theory,5 the acquired human rights doctrine,6 and the concurrent obligations of various actors (states, non-state actors) exercising powers in the given area.7 Furthermore, as this article will emphasise, even the territorial state has residual obligations under international human rights law (IHRL).
These areas are characterised by massive or repetitive human rights violations.8 In fact, the protection of human rights in these areas is a far more complicated issue than is the case in government-controlled areas. The reasons for the apparent lack of clarity in the legal regime are various. First, human rights treaties impose obligations only on states;9 second, they do not foresee a lack of effective control of the state over part of its territory; and, third, the obligations can hardly be enforced against other subjects that are de facto controlling the territory.
Furthermore, these areas are characterised by major human rights violations not only in the physical space, but also in cyberspace.10 Freedom of expression, privacy, freedom of opinion, due process and human dignity, in particular, have been restricted online by actors which control the territory. Such actors have recourse to practices that restrict human rights online through censorship, the threat and manipulation of online media, undue blocking of access to certain websites or the internet as a whole, and dissemination of racial hatred and terrorist propaganda.11
Territorial states have had difficulties in preventing, repressing and redressing these wrongful acts. Notwithstanding these deficiencies, IHRL obliges the territorial state to take all measures within its power to protect human rights in the area outside its effective control.12 The European Court of Human Rights (ECtHR), treaty monitoring bodies and organisations based on the UN Charter13 have identified certain positive obligations that territorial states are required to take vis-à-vis persons situated in the area.14 Specifically in the online context, those recommendations provide the basis for identifying various measures that any territorial state is required to strive to take with a view to restoring its ‘internet sovereignty’15 (control over cyberspace in the area outside its effective control). This article focuses accordingly on the territorial state's obligations in the context of cyberspace under IHRL. While other related topics – such as human rights obligations of non-state armed groups16 and occupying states,17 the duties of states in cyberspace,18 and their responsibility for the cyber conduct of non-state actors19 – have been researched extensively in recent years, nothing has been written on the substantive obligations of the territorial state in the cyberspace of an area out of governmental control. Through the example of the territorial state's obligations, the article also addresses extensively debated questions such as the applicability of sovereignty to cyberspace, the scope of application of IHRL20 and of the due diligence standard in cyberspace.
The article claims that the territorial state, while lacking the effective means to fully control its cyberspace as it does in government-controlled areas, has continuing jurisdiction and positive obligations to protect human rights in cyberspace from wrongful acts that originate, occur or have effect in the part of its territory outside its effective control. The article proceeds as follows. The following section (Section 2) demonstrates the challenges that loss of territorial control by the state poses for human rights in cyberspace. It will show that the absence of control over the physical space is closely associated with online human rights violations, on the one hand, and the state's restricted (but not necessarily non-existent) control over the cyberspace, on the other. Section 3 confirms that notwithstanding the lack of its effective territorial control, the territorial state continues to be entitled to exercise its sovereignty over both the territory and the cyberspace. Section 4 discusses the logical consequence of sovereignty in IHRL, the territorial state's jurisdiction based on so-called due diligence, considered as a corollary duty of the rights arising from sovereignty. Section 5 applies the rules of IHRL to the obligations of the territorial state in the context of cyberspace in areas outside its effective control. The conclusions provide some recommendations for enhancing human rights compliance of the territorial states concerned within the positive law framework of IHRL.
2. Cyberspace in Areas Outside the Effective Control of the Territorial State
‘[Cyberspace] is a world that is both everywhere and nowhere, but it is not where bodies live’.21 It is ‘a “borderless” world – computer-based communications cut across territorial borders creating a new realm of human activity’,22 and its innovative nature seems to provoke new problems in law, especially in international law.
The term ‘cyberspace’ can be defined as ‘[a] world-wide virtual space, different from real space, with many sub-communities unevenly distributed using a technical environment – first of all the internet – in which citizens and organizations utilize information and communication technology for their social and commercial interactions’.23
In other words, it is a fictional space (rather than having a tangible nature) used to describe the phenomenon of electronic signals transiting through the infrastructure of information and communications technology (ICT). It follows from the above definition that cyberspace has three layers: a physical layer (switches, routers, servers and cables), a software layer (logical network), and a third layer consisting of data packets and electronics – the people actually on the network (cyber-persona layer).24 Despite its virtual nature, cyberspace necessarily requires a physical architecture.25
‘Cyber activity’ is a process in which information technology systems (including, inter alia, telecommunications and computer systems) are the means of activity.26 This article focuses on those cyber activities that carry the risk of restricting human rights. While there is no internationally accepted list of human rights that can be affected in cyberspace, certain rights are more relevant than others in the cyber context. In this regard, the Tallinn Manual, a non-binding expert commentary on the international law applicable to cyber operations, is of guidance as it reflects an objective restatement of the lex lata by a group of experts.27 The Manual provides a non-exhaustive list of particularly important human rights in cyberspace, highlighting freedom of expression, privacy, freedom of opinion, and due process.28 One can also add the right to access information as part of freedom of expression29 and human dignity, because the latter can be violated by various forms of expression such as racial discrimination,30 incitement to terrorism31 and child pornography.32 This non-exhaustive list of the most affected human rights in cyberspace constitutes the focus of this article.
Because the ubiquitous and widely available character of cyberspace allows the carrying out of harmful cyber activities from any physical location, at first sight there is no correlation between an area outside the effective control of the state and online human rights violations. However, as this section will demonstrate, the territorial state's lack of control over the physical area is closely associated with online human rights violations, on the one hand, and the state's restricted (but not necessarily non-existent) control over the cyberspace, on the other.
Recent territorial conflicts have resulted in areas being outside the effective control of the territorial state. Examples are Transnistria, Nagorno-Karabakh, South-Ossetia and Abkhazia, Crimea and the separatist areas in Eastern Ukraine, as well as vast territories controlled by extremist terrorist groups in the Middle East, such as the Islamic State. As mentioned above, these areas are characterised not only by human rights violations in the physical territory but also those committed online. The violations in cyberspace have been committed by various actors, especially non-state de facto authorities, an outside state controlling the area and/or the territorial state.
First, de facto authorities often force online media to terminate or self-censor their activities,33 using threats and manipulation.34 In the areas controlled by the Islamic State in Iraq and the Levant (ISIL), the organisation's militants murdered digital activists and bloggers;35 internet access was subject to restrictive regulations;36 and internet users had to increase their self-censorship in order to avoid criticising the militants or Islam in general.37 Beyond the restriction of online media operating in the area, de facto authorities might block certain websites or media channels diffused from outside the area – a measure referred to generally as ‘information blockade’.38 By way of example, the de facto authorities in Transnistria blocked Moldovan channels39 and a dozen news portals and websites with anti-government content,40 and the ‘Donetsk People's Republic’ similarly shut down several internet-based media outlets.41
Second, outside states controlling an area as occupying powers are reported to have committed similar human rights violations. Censorship,42 physical harassment of online journalists,43 and information blockade have characterised recent occupations. During and following the Georgian-Russian war of 2008, Georgia and Russia mutually blocked Georgian and Russian internet sites and television channels.44 In Crimea, the Russian authorities block Ukrainian internet sites and force local web-based outlets to relocate to the Ukrainian government-controlled territories.45
Third, while addressing the territorial situation by military, intelligence or administrative means, even territorial states have restricted the online human rights of persons situated in the area outside their effective control. Invoking national security or the fight against terrorism, various territorial states have had recourse to extreme forms of information blockade, such as blocking websites without a proper investigation and a court decision,46 or shutting down the internet in the area outside their control47 or even nationwide.48 The said measures unduly restrict online communication in a given area, whereas freedom of expression should apply ‘regardless of frontiers’.49
While online human rights violations might be committed in normal circumstances in any state's government-controlled territory, the characteristic of the situations referred to above is the limited capacity of the territorial state to prevent, repress and redress those wrongful acts. In fact, the territorial states concerned have often reiterated their inability to implement their obligations with regard to human rights treaties50 in general, and with regard to a treaty that specifically imposes obligations in respect of cyberspace, the Budapest Convention on Cybercrimes,51 in particular. Once the state loses effective control over part of its territory, it loses its law enforcement capacity as well as physical access to victims and the actual authors of the online human rights violations.52 Furthermore, while cybercrimes and other online human rights violations can emanate from any place in the world, perpetrators are likely to find safe haven in areas outside the effective control of the territorial state where the latter cannot exercise its power of enforcement.53 Some pro-Russian hacker groups, for example, perpetrate their attacks from Eastern Ukrainian areas outside the effective control of the Ukrainian government ‘to bypass the territorial filters blocking IP addresses coming from Russia’.54 With regard to cyberspace, with the loss of territorial control the territorial state necessarily loses control over the physical layers of the internet located in that area, but retains control over the physical layers located in the government-controlled area that might affect information transfer in the area outside its control. Therefore, as far as the territorial state might control cyber activities from the government-administered area, it might retain limited power with regard to online human rights violations committed in the area outside its effective control.
The existence of areas that escape the effective control of the territorial state not only facilitates massive human rights violations, but may constitute a threat to international peace and security.55 The UN Security Council has expressed concern over the fact that ISIL used the internet and social media as promotional and recruitment tools for terrorist purposes56 and for the online sale of Iraqi and Syrian antiquities.57 Considering that the atrocities committed by ISIL may amount to crimes against humanity and possibly genocide,58 the concept of ‘responsibility to protect’ has been applied.59 Accordingly, the Security Council has underlined ‘the need for Member States to act cooperatively to prevent terrorists from exploiting technology, communications and resources to incite support for terrorist acts’60 and reiterated that ‘the primary responsibility to protect its population lies’ with the territorial state.61 There is no reason to doubt that the primary responsibility of the territorial state to protect applies equally to atrocities committed online.62
Generally, most states find it challenging ‘to exercise sovereignty over incidents of cyber-attacks, cyber-crimes as well as over cyber-related businesses within their territories’.63 This applies a fortiori to territorial states, which have to face not only numerous online human rights violations in their territory, but also their lack of control over the physical space. This double difficulty of control, over the online and offline spaces, raises the question of how far cyberspace is subject to the territorial state's sovereignty in an area outside its effective control.
3. State Sovereignty in Cyberspace
Because of its non-physical character, at first sight cyberspace hardly fits within the traditional principles of public international law such as sovereignty or territorial integrity,64 also enshrined in the UN Charter.65 A considerable group of libertarian scholars argue that cyberspace should not be regulated and subjected to state sovereignty, given its de-territorialised and, by definition, transboundary character.66 However, the debate over whether cyberspace can or should be regulated ‘has essentially waned and is largely a historical milestone’, as noted by the International Law Commission (ILC).67 Today it is widely recognised by states68 and international law scholars69 that state sovereignty is applicable to cyberspace. Moreover, the number of international treaties governing cyberspace has increased.70
The regulation of de-territorialised telecommunications activities, however, is not a novel domain of international law: from the very beginning of the invention of wireless telegraphy, states undertook to exercise their sovereignty over radiotelegraphic communications in their territory.71 Authors in the interwar period generally assumed that state control was necessary to regulate the international use of telecommunication techniques, and that a state incurs international responsibility for breaching the prohibition on interference in the internal affairs of other countries by propaganda hostile to another state through radio.72 To the extent that cyberspace is also a wireless form of telecommunication, the same principles apply.73
The application of the principle of state sovereignty in cyberspace has its main rationale in the supreme authority of the state to regulate any cyber infrastructure located within its territory,74 even though it may also exercise its sovereign prerogatives outside the territory.75 The physical layer of cyberspace is therefore subject to the sovereignty of the territorial state, whereas the virtual domain of cyberspace does not fall within the sovereignty of a specific state.76
State sovereignty is closely related to state jurisdiction: the latter notion refers to the state's ‘lawful power to act and hence to its power to decide whether and, if so, how to act, whether by legislative, executive, or judicial means’.77 In other words, it is the competence of a state to regulate persons, objects, and conduct under its domestic law, within the limits set by international law.78 The term ‘jurisdiction’ also expresses ‘the limits imposed under international law on the ability of a state to exercise prescriptive (or legislative) and enforcement jurisdiction’ – that is, the circumstances in which the state is entitled to exercise its legal authority.79 No state can perform enforcement functions in the territory of another state without the consent of the latter state.80 This means that as long as the state is recognised by the international community as the sovereign of the area, it has jurisdiction over it, despite its lack of effective power to exercise its sovereignty in that area.81
Jurisdiction under general international law is primarily territorial – that is, the state enjoys full prescriptive, adjudicatory and enforcement jurisdiction over persons and objects situated in its internationally recognized territory, as well as over activity occurring there.82 In the event of loss of effective territorial control, some authors consider the sovereignty of the territorial state as ‘suspended’83 or limited to ‘nudum jus’.84 Because of its lack of effectiveness in the area, the state is indeed unable to exercise its enforcement jurisdiction, but is not necessarily unable to regulate and adjudicate activities occurring in the area.85 It could be said that the laws and judicial decisions of the state concerning the area outside its control would have validity as far as the state can enforce them in the government-controlled area, or through international cooperation.86 Consequently, the state, while unable to exercise its effective control over an area of its territory and thus enforce its laws there, can exercise its prescriptive and adjudicatory jurisdiction over the area.
The overwhelming majority of states do not contest the sovereignty and jurisdiction under general international law of the territorial states concerned. The Republic of Moldova, Azerbaijan, Georgia, Ukraine, the Republic of Cyprus, Iraq and Syria are all internationally recognised as sovereign over the disputed areas. Whether they have jurisdiction over the cyberspace in areas outside their effective control depends on the jurisdictional bases recognised in cyberspace.
Specifically in the context of online activities, the International Group of Experts in elaborating the Tallinn Manual 2.0 foresaw three major bases on which the state may exercise jurisdiction over cyber activities related to its territory. Rule 9 of the Manual allows the state to exercise jurisdiction over ‘cyber infrastructure and persons engaged in cyber activities on its territory’; ‘cyber activities originating in, or completed on, its territory’; and ‘cyber activities having a substantial effect in its territory’.87 As mentioned above, the Manual is intended to be an objective restatement of the lex lata and,88 as it will be shown, the relevant rule on territorial jurisdiction reflects the existing (positive) international law as accepted by states.
The first of these three bases for jurisdiction relies on the fact that the physical presence of a person or an object in the territory of the state provides a sufficient basis for the exercise of jurisdiction by that state.89 Since information and communication technologies require some physical infrastructure, states have jurisdiction over those objects and the persons engaged in cyber activities in their national territory.90
For example, it is recognised that states may exercise regulatory authority over the telecommunications or internet service providers that physically control the data in the territory of the state.91 The territorial state's jurisdiction over cyber activities in areas outside its effective control is thus recognised when the persons engaging in cyber activities, or the cyber infrastructure (such as cable infrastructures, servers, computers, media production infrastructure or data storage facilities) are located in the area concerned.
The second basis for jurisdiction – cyber activities initiated or completed in the state's territory – relies on a principle of international law that has been recognised since the Lotus judgment, namely the subjective (activity originating in the state's territory) and objective (activity completed in the state's territory) territorial jurisdiction.92 In cyberspace, the principle is also recognised as a basis for jurisdiction by conventions governing cybercrimes.93 While online activities might cross over the jurisdiction of many states, it might be difficult to establish where a cyber activity started and ended. Therefore, the current tendency of state practice is to interpret territorial jurisdiction broadly, where any substantial connection between the cyber activity and state territory might serve as a sufficient basis for jurisdiction.94
Related to an area outside the state's effective control, this type of jurisdiction might lead to various scenarios. Under ‘objective jurisdiction’, the cyber activity originates abroad, but is completed in the area concerned95 and the territorial state would be entitled, for instance, to exercise its criminal jurisdiction over the perpetrators of the cybercrime by way of mutual legal assistance. Under ‘subjective territorial jurisdiction’, the state can exercise jurisdiction over any cyber activity originating from the area outside its effective control, such as online recruitment of terrorist fighters or hate speech diffused from the area concerned. Such cyber activities might result in the violation of human rights of victims in the same area, in the government-controlled area, or even in another state.96
The third jurisdictional basis proposed by the Tallinn Manual relies on the ‘effects doctrine’, a jurisdictional link accepted to reflect customary international law:97 where an activity does not emanate from or end in the state's territory but has effects therein, the state has jurisdiction. While certain domestic courts have applied the effects doctrine to cyberspace,98 some scholars contest its applicability as it may lead to assertions of jurisdiction in virtually every state by virtue of the accessibility of websites in all countries.99 The majority doctrine and the International Group of Experts accept its applicability to cyberspace if states use it reasonably, setting a higher threshold of a genuine link between the state and the cyber activity than is applied in the offline world.100 Accordingly, the territorial state will have jurisdiction over cyber activities that have a substantial effect on the given area, such as the diffusion of online propaganda addressed to the population of the area in their language from abroad.
In other words, the territorial state has jurisdiction under general international law over cyber activities that constitute human rights violations that originate, occur or have an effect in the part of its territory outside its effective control. The next section examines how the state exercises its jurisdiction in cyberspace under IHRL, where the term ‘jurisdiction’ has an autonomous meaning.
4. The State's Jurisdiction under IHRL
As cyberspace is subject to the sovereignty of the state under the jurisdiction rules of general international law referred to above, it is logical to argue that the state is bound by IHRL in cyberspace as it is bound in the offline context. Indeed, states101 and international organisations102 have recognised that the rights that people have offline must also be protected online, thus accepting that IHRL applies equally to conduct in cyberspace.103 While the state has obligations to respect and protect human rights in the cyberspace, it is not clear to what extent it has the same obligations in an area outside its effective control. The two spaces, the online and the physical space, are not completely unrelated, as is shown by the bases of territorial jurisdiction referred to above. In other words, in order to examine how far a state has obligations under IHRL in cyberspace in an area outside its effective control (discussed in Section 5), the preliminary question of how far IHRL applies – through the notion of ‘jurisdiction’ – to the physical offline space in that area must be clarified.
‘Jurisdiction’ in IHRL has an entirely different meaning from that of general international law: it is the main criterion for the applicability of international human rights treaties, the nexus between the state and the individual's human rights – that is, the factual control, power or authority that the state exercises over a given individual, territory or situation.104 Unlike jurisdiction in general international law – defined above as the competence of states to regulate in accordance with international law – jurisdiction in IHRL can be based on a factual situation. This means that in exceptional circumstances jurisdiction can be extraterritorial, covering acts and omissions of the state authorities performed or which produce effects outside their own territory,105 even without a lawful basis.106 However, as a principal rule, international human rights conventions enshrine a primarily territorial notion of jurisdiction, which they apply within the state party's national territory.107
The two types of jurisdiction in IHRL, extraterritorial and territorial, leads to the obligations of two states in the cyber context: first, one that effectively controls the territory (Section 4.1), and second, the territorial state (Section 4.2).
4.1. The Jurisdiction of the Outside State
Extraterritorial jurisdiction under IHRL may have two alternative preconditions, based on effectiveness over persons (the personal model):108 whether cyber activities by a state could give rise to the personal model and, if they could, what is the required level of effectiveness over the person abroad?109 For present purposes it suffices to note that physical control over foreign territory entails the extraterritorial jurisdiction of the state. It is widely recognised by the International Court of Justice (ICJ)110 as well as universal111 and regional112 human rights treaty monitoring bodies that the state is required to fully respect and protect its human rights obligations outside its territory in an area over which it exercises ‘effective control’ – this is the case of an occupied113 or leased114 territory. ‘Effective control’ is considered to be synonymous with that of ‘actual authority’,115 the main requirement of belligerent occupation within the meaning of the 1907 Hague Regulations.116 Once the state's extraterritorial jurisdiction is established under the spatial model, the state's customary and treaty obligations under IHRL apply also to the cyber context, as monitoring bodies have confirmed.117 One can add that the area might be effectively controlled not only by a state, but by de facto authorities without the control of an outside state – that is, without their conduct being attributed to a state. As far as they are bound by IHRL,118 they are obliged to respect human rights in the cyberspace.119
4.2. The Jurisdiction of the Territorial State
Beyond an external state having extraterritorial jurisdiction in the area under IHRL, human rights treaty bodies have clarified that the territorial state also continues to have jurisdiction in the part of its territory where it has lost effective control. While extraterritorial jurisdiction is based on effectiveness over territory or over persons, the territorial state's jurisdiction in the absence of its territorial control is based on sovereignty. This can be explained by the general international law presumption of the application of any treaty to the entire territory of the state party.120 In the Assanidze case – concerning the difficulty of the Georgian central authorities in enforcing a decision of acquittal by a regional administration – the ECtHR established the ‘presumption of competence’ or, in other words, the presumption of the state's jurisdiction in respect of its entire territory.121 While it did not specify whether it is a rebuttable presumption, it referred to objective circumstances that exclude the state's effective control over part of its territory, such as the separatist aspirations of a region or the exercise of effective overall control by another state there.122 The Court further elaborated on the presumption of jurisdiction in the Ilasçu judgment.123 The case concerned the question of Moldova's jurisdiction for alleged human rights violations committed by the unrecognised de facto authorities of Transnistria, an area within the territory of the Republic of Moldova. The Court held that the presumption of the territorial state's jurisdiction may be limited in exceptional circumstances ‘where a State is prevented from exercising its authority in part of its territory’ as a result of military occupation by another state, ‘acts of war or rebellion, or the acts of a foreign State supporting the installation of a separatist State within the territory of the State concerned’.124 The same circumstances prevent the territorial state from exercising its authority in the cyberspace as far as it loses control over the physical layers.
The ECtHR did not recognise that the presumption of jurisdiction could be rebutted, but held that it might be ‘limited’ in such an exceptional situation:125
Those [positive] obligations [undertaken by the states parties under Article 1 of the Convention] remain even where the exercise of the State's authority is limited in part of its territory, so that it has a duty to take all the appropriate measures which it is still within its power to take.
The Court considers that where a Contracting State is prevented from exercising its authority over the whole of its territory by a constraining de facto situation, such as obtains when a separatist regime is set up, whether or not this is accompanied by military occupation by another State, it does not thereby cease to have jurisdiction within the meaning of Article 1 of the Convention over that part of its territory temporarily subject to a local authority sustained by rebel forces or by another State.
In other words, the presumption is irrebuttable, as the territorial state continues to have residual jurisdiction under IHRL. Therefore, the ECtHR held that unilateral declarations made by territorial states by which they intend to exclude the application of the European Convention on Human Rights (ECHR) in its entirety to the area outside their effective control cannot have the effect of restricting the territorial application of the Convention.127 Certain territorial states made similar declarations while signing the Budapest Convention on Cybercrime – a multilateral treaty binding more than 60 states parties:128 Azerbaijan, the Republic of Moldova and Ukraine declared their inability to apply the Convention in areas outside their effective control.129 Unlike the ECHR, which applies to the entire metropolitan territory and allows the extension of its applicability only to dependent territories,130 Article 38 of the Budapest Convention allows states parties to specify the territory or territories to which the Convention applies and thus exclude certain areas from its territorial scope. However, the Budapest Convention is complementary to and does not affect states parties’ applicable multilateral or bilateral treaties,131 including human rights treaties.132 Therefore, the non-application of the Budapest Convention to areas outside the state's effective control does not affect the human rights obligations of the territorial state or the scope of its jurisdiction under IHRL.
Beyond confirming the territorial state's jurisdiction, the ECtHR also clarified the kind of positive obligations the territorial state has with regard to individuals in the area outside its effective control. It held that the territorial state is required to take ‘appropriate and sufficient’ measures in order to guarantee the rights of individuals under the ECHR in an area outside its effective control.133 The Court stated:134
[S]uch a factual situation reduces the scope of that jurisdiction in that the undertaking given by the state under Article 1 must be considered by the Court only in the light of the Contracting State's positive obligations towards persons within its territory. The state in question must endeavour, with all the legal and diplomatic means available to it vis-à-vis foreign states and international organisations, to continue to guarantee the enjoyment of the rights and freedoms defined in the Convention.
In the case of human rights violations committed by de facto authorities in the area, the ECtHR will verify whether the territorial state has complied with a minimum threshold in the particular circumstances – ‘to what extent a minimum effort was nevertheless possible and whether it should have been made’.135 The territorial state's positive obligations relate both to the measures needed to re-establish its control over its territory ‘as an expression of its jurisdiction, and to measures to ensure respect for the applicants’ rights’.136 The obligation to re-establish control over the territory requires the territorial state, ‘first, to refrain from supporting the separatist regime and, secondly, to act by taking all the political, judicial and other measures at its disposal for re-establishing control over that territory’.137
The second aspect of the territorial state's positive obligation to ensure respect for individuals’ rights includes ‘the diplomatic, economic, judicial or other measures that it is in its power to take and are in accordance with international law to secure to the applicants the rights guaranteed by the Convention’.138 The availability of those measures is context-dependent and monitoring bodies will examine their use on a case-by-case basis.
In the Ilasçu judgment of the ECtHR six dissenting judges opposed the jurisdiction of Moldova, holding that there was no evidence of the state's direct or indirect authority over, or acquiescence in the commission of the human rights violations in Transnistria.139 Similarly, some commentators consider the judgment to be too strict with regard to Moldova.140 However, subsequent case law shows unanimity or an overwhelming majority in the judgments regarding Moldova's responsibility.141
It seems that the ECtHR did not set the threshold too high, considering that the judgment cited several concrete examples where the measures taken by the Moldovan government produced real effects on the lives of individuals in Transnistria in general, or the applicants in particular.142 The measures taken by the territorial state that the Court accepted as complying with its positive obligations consisted, for instance, of diplomatic acts such as protests or negotiation,143 non-recognition of the illegal situation,144 investigative or judicial measures operated in the government-controlled area,145 provision of certain socio-economic benefits for individuals in the area,146 and cooperation with other states or international organisations in addressing the wrongful act.147
The territorial state's positive obligations arise from the sovereign state's so-called due diligence standard.148 Under due diligence, ‘no state has the right to use or permit the use of its territory in such a manner as to cause injury by fumes in or to the territory of another or the properties or persons therein’.149 Consequently, the state ‘on whose territory or in whose waters an act contrary to international law has occurred, may be called upon to give an explanation’ and where the state knew, or ought to have known, of any unlawful act perpetrated in its territory that caused damage to another state, then the first state is obliged to take measures to prevent it or, in the case of a continuing or a terminated violation, to respond to it.150 Considered also as a customary norm151 or general principle of law,152 due diligence has been extended in IHRL as an obligation to protect not only other states, but also individuals against violations by third parties (private parties or other states).153
In other words, due diligence is a general international law standard that leads to concrete positive obligations in IHRL to prevent and respond to human rights violations in the territory of the state. Therefore, the relation between the due diligence standard and positive obligations in IHRL is that of the general and the special. The standard is especially applicable to a state having lost its territorial control, as it guarantees flexibility in assessing its particular situation. The state incurs responsibility for failing to comply with due diligence only under two cumulative conditions: (i) it had the means to prevent or to repress the human rights violation; and (ii) it knew or should have known about the risk of the violation.154 The first condition – known also as the ‘capacity to influence’ effectively the actions of private actors155 – assesses the actual means in the state's power to take legal, administrative, diplomatic and other measures to protect human rights. This means that the jurisdiction of the territorial state, while based mainly on sovereignty, still depends on effectiveness as far as the latter determines the scope of the state's obligations. Accordingly, the state is required to take all those steps it reasonably could within its effective power in the particular situation. According to the second condition, the state is responsible only if the human rights violation actually occurred and if the state was aware of, or should normally have learned of the risk of the violation.156 In respect of areas outside the effective control of the state, actual knowledge and available means is to be assessed to establish whether the territorial state complied with its due diligence – as is the practice of the ECtHR in its case law.
It could be argued that the threshold set by the ECtHR in separatist areas is too demanding, binding only on states parties to the ECHR, a regional treaty enshrining one of the highest standards. However, UN Charter-based human rights bodies157 and universal treaty monitoring bodies158 have reiterated the same standard and addressed various positive obligations with regard to individuals in areas outside government control in their concluding observations on territorial states.159 While the ECtHR has based this case law on the necessity to cover the European ‘legal space’ by the effective application of the ECHR160 and to eliminate ‘vacuums’ at the regional level,161 UN treaty monitoring bodies seek to ensure the universality of human rights with the same practice. The irrebuttable presumption of the territorial state's jurisdiction in IHRL is in conformity not only with the object and the purpose of human rights treaties (the ‘legal space’ and elimination of the vacuums at the regional level, universality at the universal level), but also with the concept of the ‘responsibility to protect’ of the territorial state.162 It is perhaps too early to speak of an established customary norm,163 but at least international human rights treaties are interpreted in accordance with the above mentioned practice.164
The obligation not to allow the state's territory to be used for acts contrary to the rights of other states or individuals binds the state in every activity performed in its territory, including cyber activities.165 While the Tallinn Manual discusses extraterritorial jurisdiction in IHRL,166 it fails to set out the presumption of the state's jurisdiction over its entire national territory. It equally fails to integrate the due diligence standard in IHRL – this would conceptualise the obligation to protect167 and establish systemic integration between the general and the special regimes of international law applicable to cyber operations. The reason for these omissions is the focus of the Manual on customary rather than conventional IHRL.168 However, given the almost universal ratification of the various UN human rights treaties and the wide ratification of regional human rights treaties, their convergent treaty practice should be taken into account. As explained in the next section, due diligence and the specific positive obligations it leads to in IHRL – namely, within the territorial state's jurisdiction over human rights violations committed in the area outside its effective control – apply equally in cyberspace.
5. The Application of IHRL by the Territorial State in Cyberspace
Certain states have declared their readiness to apply to cyberspace the existing norms of international law, without the need to reinvent a new special branch of international law.169 This suggests that IHRL is adaptable to new phenomena like cyberspace with its existing normative framework.170 Because of the horizontal protection they impose against violations by third parties, the due diligence standard and the corresponding positive obligations of the territorial state in IHRL are likely to be adaptable to the online context. Human rights monitoring bodies have recognised that where a state exercises its jurisdiction in the sense of general international law (Section 3) – that is, its regulatory authority over the telecommunications or internet service providers in its territory – the same state is bound by its international human rights obligations.171 However, they did not specify what the applicable norms are when the state has no effective control over part of its territory.
If the case law of IHRL on the jurisdiction of the territorial state is applied to the cyberspace, it appears that the presumption of its jurisdiction and its positive obligations apply fully in the online context, even in the absence of effective control over the physical infrastructure. As mentioned above, the ECtHR applies a two-step approach to examine whether the territorial state has complied with its positive obligations: its positive obligations relate both to the measures needed to re-establish its control over its territory ‘as an expression of its jurisdiction’ (Section 5.2), ‘and to measures to ensure respect for the individual applicants’ rights’172 (Section 5.3). Before examining how these positive obligations apply in cyberspace, the article will explain that, despite the focus of the ECtHR on positive duties, the territorial state is bound equally by negative obligations under IHRL in cyberspace (Section 5.1). As this section will clarify, universal human rights monitoring bodies also share the territorial state's negative and positive obligations.
5.1. Negative Obligations
The emphasis of the ECtHR on positive obligations certainly does not disregard the fact that the territorial state continues to be bound by negative duties. Such duties are understood as the state's obligation not to violate human rights in an area outside its territorial control. Negative obligations continue to impose on the territorial state, for example, the duty not to violate the right to life of individuals by cyber attacks, the prohibition of torture and inhuman or degrading treatment through online means,173 and prohibitions on freedom of expression, including incitement to racial hatred174 or to terrorism.175 In this regard, there is no difference between government-controlled areas and those not under government control: negative obligations bind the territorial state in both contexts.
As mentioned above, territorial states have often had recourse to blocking or filtering communications on the internet, invoking protection of their national security.176 A first possible legal basis for such measures is the derogation allowed by certain human rights treaties in a state of emergency. Under such a derogation, a state may suspend provisionally the application of one or more human rights, to the extent strictly required by the exigencies of the situation at a time of sufficiently grave crisis that threatens the life of the nation, provided that such measures are not inconsistent with its other obligations under international law.177 While the territorial state may derogate in respect of certain human rights, such as freedom of expression, it cannot limit the application of non-derogable rights,178 nor the totality of human rights affected by the loss of effective control, and it should regularly review the derogation.179
Second, even beyond emergency situations, international human rights treaties permit the lawful restriction of freedom of expression, if prescribed by law and to the extent necessary to ensure national security, territorial integrity, the protection of the rights of others or the prevention of disorder or crime.180 The protection of the existence of the nation, its territorial integrity and political independence against the use of or threat of force might justify the invocation of national security,181 provided that the conventional limits of restricting freedom of expression are respected. As the Human Rights Committee held:182
Any restrictions on the operation of websites, blogs or any other internet-based, electronic or other such information dissemination system, including systems to support such communication, such as internet service providers or search engines, are only permissible to the extent that they are compatible with paragraph 3 [of Article 19 of the ICCPR on freedom of expression].
Furthermore, ‘[p]ermissible restrictions generally should be content-specific; generic bans on the operation of certain sites and systems are not compatible with paragraph 3’.183 Human rights treaty bodies allow national authorities to restrict a given communication only in proportion to the nature and extent of its perceived threat to national security or other protected interests.184 In other words, states parties have a negative obligation not to interfere with freedom of expression, unless the restriction is prescribed by law, made in the interests of the admitted legitimate purposes, and satisfies the necessity and proportionality test. The same three-part test applies in situations of armed conflict where international humanitarian law applies simultaneously.185
Unqualified and broadly defined monitoring of the content of internet communications, such as nationwide filtering measures, is likely to be considered an unlawful restriction of freedom of expression and the right of access to information.186 The a posteriori (after publication) blocking or filtering of clearly specified unlawful content can be considered lawful, however, to protect the rights and interests of others and of society as a whole if the above-mentioned conditions of permitted restrictions are satisfied, even without notice from the alleged victims or from third parties.187
5.2. Measures Intended to Re-establish Control over Territory/Cyberspace
As mentioned above, the territorial state is required to take all political, judicial and other measures at its disposal for re-establishing control over its territory. Such measures serve as mere expression of its jurisdiction over areas not under government control,188 irrespective of the ineffectiveness of those measures: the ECtHR has also recognised that there might be little that the territorial state could do to re-establish its authority over the area.189 Such measures could be considered to be ‘pure political rhetoric’190 or the mere expression of the state's desire to re-establish its territorial control, which is incapable of being subjected to judicial review.191 While it is indeed difficult to derive such an obligation from IHRL which protects individuals rather than state sovereignty, it can be seen as part of the due diligence standard. The latter standard, that of the ‘diligens paterfamilias’,192 would expect any reasonable, civilised government, as a minimum, to refrain from acquiescing in the wrongful acts,193 and to reassert its responsibility for its national territory and its residents.
The expected measures may consist of asserting sovereignty over the area ‘both internally and internationally’; criminal proceedings against certain leaders of the de facto authorities; diplomatic negotiations; or certain forms of cooperation with the de facto authorities with a view to normalising the everyday lives of the people living in the area.194 The measures to re-establish control over territory apply to the online context as far as control over cyberspace and extending access to the internet ensure a greater likelihood of human rights protection by the territorial state.195 The internet is a channel through which the state can fulfil human rights, such as the right to education, the right to vote and the right to an effective remedy for citizens from the area outside the state's effective control.196 Therefore, measures that aim to re-establish ‘internet sovereignty’ are likely to satisfy the requirements of the ECtHR. For instance, diplomatic protests against the ongoing violation of the state's sovereignty over cyberspace in the area,197 the expression of an intention to re-establish its control in a treaty declaration on the Budapest Convention on Cybercrime,198 cooperation with the de facto authorities to restore telecommunication links,199 or the restoration of a transmission tower in the neighbourhood of the area not under government control200 are likely to constitute measures intended to re-establish control over sovereignty/cyberspace.
As a general rule, the state has a discretion to choose the measures to re-establish control that it deems the most appropriate. However, it is problematic if the state restricts internet/telecommunications for an extended period in order to re-assert control over its territory, while the same measures violate individuals’ human rights and thus run against the third type of obligation (below). For instance, in the context of the Iraqi fight against online propaganda and terrorist recruitment by ISIL, the Iraqi government ordered internet service providers to shut down the internet in the five provinces under ISIL control in June 2014.201 In fact, the measures aimed to re-establish control over territory/cyberspace should be taken within the limits defined by international law202 in general, and IHRL in particular. The three-part test referred to above determines the lawful restriction of qualified human rights, especially freedom of expression. While blocking websites that are dedicated to inciting racial discrimination and hatred in conformity with fair trial guarantees might be proportionate,203 shutting down the entire internet in an area outside the territorial state's control is likely to constitute a disproportionate restriction.204
5.3. Measures Intended to Ensure Respect for Individuals’ Rights
While cyberspace is considered largely as embodying freedom of internet communication, the free flow of information and respect for the right to freedom of opinion and expression,205 entailing mainly negative obligations on the part of the state, does not exclude positive obligations to protect individuals against human rights violations by third parties. In recent years, human rights treaty monitoring bodies have clarified various positive obligations that states have in cyberspace.206
As mentioned above, in areas outside the effective control of the state special measures with the aim of protecting the rights of individuals include positive duties ‘to take the diplomatic, economic, judicial or other measures that were both in its power to take and in accordance with international law’.207 As a translation of the due diligence standard, the anticipated measures depend on the context and must be reasonable – commensurate with the territorial state's limited ability to protect human rights in an area outside its effective control.208 In the face of online human rights violations, the most relevant measures are providing remedies (5.3.1) and preventive measures (5.3.2).
5.3.1. Providing Remedies
As the territorial state does not have physical access to the elements of the breach (the victim, the perpetrator or the ICT infrastructure) situated in the area, its judicial and investigative authorities are limited to the area under the control of the government. Its obligation to provide remedies should consist of enabling the victim to inform the state authorities ‘of the details of his situation and to be kept informed of the various legal and diplomatic actions taken’.209 It may be possible to enable individuals to seek a remedy remotely, such as by allowing files to be sent electronically, providing information about remedies and communicating via Skype or email with citizens from the area outside its effective control.210 Similarly, universal treaty bodies have recommended that states guarantee access to toll-free helplines for victims in all regions within their territory.211 Another way of complying with the obligation to provide a remedy is to create, in the government-controlled territory, ‘a set of judicial, investigative and civil service authorities which work in parallel’ with those created by the de facto authorities.212 While the effects of any decisions taken by these authorities can be felt only outside the conflict area, they have the function of enabling cases to be brought in the proper manner before the territorial state's authorities, ‘which can then initiate diplomatic and legal steps to attempt to intervene in specific cases’.213
The territorial state is required to undertake to investigate cybercrimes committed in the area outside its effective control.214 Even though denied access to the area, the territorial state should initiate all investigative procedures commensurate with its limited ability,215 for instance, by keeping thorough documentation on the victims of human rights violations.216 The absence of territorial control and access to evidence on the spot is in itself a less important obstacle in the case of cyber activities than in the case of offline human rights violations, because the former can be investigated from remote places. As a first channel, the authorities of the territorial state can monitor publicly available (open source) stored computer data.217 A second method of investigation is through mutual legal assistance requested from a third state where information technology storing relevant data is located.218 However, states hosting the largest cyber service providers like the United Kingdom or the United States rarely allow the sharing of digital evidence and might impose restrictions on companies sharing content data with foreign governments.219 Universal human rights monitoring bodies, however, require states in general,220 and the UK221 and the US222 in particular, to strengthen international cooperation in combating certain transnational crimes.223
A third channel of investigation in the absence of territorial control is the possibility for states to access computer data stored in another state without obtaining authorisation from that state. This is foreseen in certain cybercrime conventions which allow a party to access stored computer data located in the states of another party with ‘the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system’.224 However, this practice is highly contested on account of its restriction of privacy and the sovereignty of the third state,225 and the said cybercrime conventions have a limited number of ratifications.226 A fourth possible channel of investigation is to seek the assistance of international organisations,227 especially those conducting a programme against cybercrimes such as INTERPOL,228 EUROPOL,229 the International Telecommunications Union (ITU),230 and the Virtual Global Taskforce as an international collaboration combating online child sexual abuse.231 Furthermore, beyond international cooperation, the territorial state is obliged to seek cooperation with the de facto investigative authorities in crimes concerning the physical integrity of persons (the right to life, prohibition of torture and other inhuman or degrading treatment or punishment).232 Despite strong contestation of this duty,233 it is the existing threshold, at least in Europe. For less serious online human rights violations, one can argue that the territorial state should consider seeking cooperation with the de facto authorities.234 The choice of the concrete forms of investigation depends on the context, but the state should use all available lawful means.
Given that these measures originate from the due diligence standard, under this standard the required degree of diligence depends upon the actual control the territorial state has over cyberspace, its available resources, its capacity to influence the perpetrator effectively and the gravity of the harm.235 In the cyber context, this means that during an ongoing armed conflict with grave human rights violations offline, while a territorial state like Ukraine might not have the capability to investigate an alleged hacking of e-mail in Eastern Ukraine, it should focus on serious and large-scale human rights violations, such as racial hatred, through the internet.236 Likewise, when the Iraqi authorities have to allocate their limited investigative capacity among various major human rights violations, it is legitimate that they focus on the online sale of girls237 as that relates to ongoing violations of the victims’ physical integrity to the detriment of less serious breaches of media freedom.
5.3.2. Preventive Measures
It has been queried whether states have a customary international law obligation to prevent wrongful acts in the cyber context.238 The majority of experts are of the view that the due diligence standard does not impose on states a general obligation of prevention before the cyber activity generates serious adverse effects, but expects the state to stop ongoing wrongful acts in cyberspace.239 IHRL, however, enshrines special duties of prevention that are not limited to the duty to react to and repress ongoing human rights violations in cyberspace, but expects effective measures to prevent violations by third parties if there are reasonable grounds to believe that such abuse will occur.240
Human rights monitoring bodies have interpreted various treaty provisions as requiring preventive measures to combat online human rights violations in ordinary situations of governmental control over territory. Their recommendations include, for example, that states parties regularly monitor and prevent incidences of (cyber-)bullying;241 identify internet service providers with a view to preventing the sale of children, child prostitution and child pornography;242 collaborate with the media and the ICT industry to enforce global standards for child protection;243 establish ‘effective mechanisms for identifying potential future threats of terrorist attacks before they have materialized’ through the gathering and analysis of relevant information by intelligence and law enforcement agencies.244 The general rule is that the territorial state is required to take all measures within its power as far as their effects might affect areas that are not under government control.
Furthermore, online human rights violations should be prevented by regulatory means,245 for example, by criminal legislation adopted in the government-controlled area that extends its regulatory scope to the entire territory.246 The rationale is the preventive effect of the law, even if it is enforceable in the government-controlled area only. For example, the customary international law duty on the part of states to prohibit and prosecute the online recruitment of children, at least under 15 years, into armed forces or armed groups applies to the entire territory.247
A state can always regulate internet service providers or online media companies based in the government-controlled area. Human rights treaty bodies recommend ‘identify[ing] Internet service providers (ISPs) that host or disseminate offending material’248 with a view to preventing or mitigating human rights violations. This would be effective as far as those companies provide services in the area outside the government's control. For instance, the Iraqi government could regulate the conduct of those ISPs in the ISIL-controlled areas that were based in the government-controlled territory. As Baghdad does not have centralised control over the country's telecommunications infrastructure, such regulatory measures could not prevent terrorist communication using the service of ISPs based in Turkey and Iran.249 With regard to those private actors, due diligence would expect Iraq to use all available means, such as requesting legal assistance from its neighbours, even if its efforts are unsuccessful.250 In the case of belligerent occupation, however, where the territorial state no longer has de facto regulatory power over ISPs, preventive measures might be limited to diplomatic protests and the seizure of international human rights control mechanisms.251
While preventing certain online human rights violations, the state should ensure a balance between the limitations of the various human rights. In the case of restricting online content to prevent racial hatred, freedom of expression may be restricted only by applying the three-point test. In the example referred to above of shutting down the internet in five Iraqi provinces under ISIL control, a lawful preventive measure could have involved ordering Iraqi internet service providers to disrupt the use of specific websites and social media by those associated with extremist groups for delivering propaganda and recruiting foreign terrorist fighters.252
While the above measures are not exhaustive, human rights control bodies will verify whether a minimum effort was taken by the territorial state to protect human rights online.253 The threshold of the positive obligations described above, in accordance with due diligence, depends on the actual knowledge and the available means of the territorial state to prevent and mitigate the commission of wrongful acts by third parties. If the state is not aware of the online human rights violations committed against a victim in the area outside its control, it cannot be expected to take positive measures to protect the victim.254
The greater the capacity that the state has to comply with its due diligence, the higher is the standard of action required in the particular case. None of those factors – the legal, political, administrative, technological, military and diplomatic means – depends exclusively on territorial control that the state has lost in the region in question, but the scope of feasible measures is always context dependent. Feasibility depends, among others, ‘on the technical wherewithal of the state concerned, the intellectual and financial resources at its disposal, the state's institutional capacity to take measures, and the extent of its control over cyber infrastructure’ located in the government-controlled territory.255
This capacity is to a large extent technical, often referred to as ‘virtual power’256 or ‘virtual control’, understood as the ‘ability to intercept, store, analyse and use communications’.257 Since governments might have very different relationships with the internet and telecommunications companies that could facilitate surveillance, their capacity to access directly the undersea cables and other carriers of internet and telephonic communications might be different. However, ‘virtual power’ or ‘virtual control’ is not the only factor that determines the capacity of the territorial state to comply with its due diligence. Even if the state is not a developed state with modern technical infrastructure, it might still have legislative or diplomatic means, for example, to exert pressure on the perpetrators to cease the violation or to prosecute them. Many of the above-mentioned preventive, regulatory, investigative and redress measures can be taken in the government-controlled areas and this fact relativises the importance of the lack of territorial control over the area.
The lack of control of the territorial state over the physical space is closely associated with online human rights violations on the one hand, and the state's restricted (but not necessarily non-existent) control over the cyberspace on the other. Notwithstanding the absence of its effective territorial control, the state continues to be entitled to exercise its sovereignty over both the territory and the cyberspace. The consequence of sovereignty in IHRL is the presumed jurisdiction of the territorial state. The irrebuttable presumption of the state's jurisdiction over its entire territory in IHRL is in conformity not only with the object and the purpose of human rights conventions (the ‘legal space’ and the elimination of vacuums at the regional level, universality at the universal level), but also with the concept of ‘responsibility to protect’. In accordance with the latter theory, it is the primary responsibility of the territorial state to guarantee human rights in its territory.
Treaty monitoring bodies recommend various positive measures that any territorial state should take while seeking to restore its ‘internet sovereignty’ in the separatist region – measures disposed to re-establish control over the cyberspace. The territorial state is obliged to use its investigative and judicial capabilities, legislate and regulate non-state actors in the entire national territory, and seek international cooperation in reacting to online human rights violations.
As a result of technological progress, the presumption of the territorial state's jurisdiction is a fortiori applicable to cyberspace where the state can ensure the re-establishment of its control over human rights violations, even in the absence of territorial control. Given that most territorial states retain some information and telecommunications infrastructures in their government-controlled area, applying the so-called due diligence standard to human rights in cyberspace in areas outside the effective control of the territorial state is feasible. Consequently, national legislation, cyber security strategies, military manuals and doctrinal commentaries like the Tallinn Manual258 should expressly recognise that the state is presumed to have jurisdiction under IHRL over its entire territory, even in the absence of effective control over it.
A revised Tallinn Manual should integrate the due diligence standard in its chapter on IHRL with a view to conceptualising the obligation to protect259 and establish systemic integration between the general and the special regimes applicable to cyber operations. More generally, it should further take into account the obligations flowing from international human rights treaties, especially those applied universally.