Below is a paper submitted to my advisory committee regarding my doctoral work. I hope you guys will enjoy it!

From espionage to cyber-espionage: an introduction

Espionage – the second oldest profession in the world. So why write about it now? Espionage has never been a favourite of legal academic literature. The secretive nature of intelligence gathering activities made it difficult for academics to conduct credible scholarly research on the topic. Until recently, little was known about the methods used, the type or quantity of information collected. In fact, scholars mostly had to work with the declassified documents released after decades. For that reason, espionage has largely been explored by historians who can use these documents to explain past practices.

The lack of legal analysis in this field is also an outcome of the ambiguous legal status of the practice. States give themselves the legal right to engage in espionage, but will punish severely those who do the same against their interests. The legal status of intelligence gathering is even more equivocal in international law where no treaty explicitly applies to espionage during peacetime. Espionage appears as a practice beyond the rule of law, and therefore not a suitable subject for legal academia.

New technologies in the field of communications led to surprising and unforeseen changes in this portrait. The cyberspace, with its clouds and easy storage options, creates an unequaled opportunity for intelligence collection. In parallel, States are increasingly concerned with the need to transfer, collect and store their own data in a way that protects them from foreign eyes. As a consequence, States developed an interest in coding theories, such as encryption. The United States, for instance, partially funds the Onion Router project[1], an encryption-based browser that preserves users’ anonymity.

Such technologies are crucial to the functioning of governments because of their use to secure internal and external communications. As an example, it can be used by intelligent agents to transfer secret data collected to the headquarters. Much in the same manner, ex-NSA agent Edward Snowden transferred classified information to the website WikiLeaks run by Julian Assange, using the protection of the Onion Router network. The leak essentially exposed the territorial and extraterritorial mass surveillance in which the NSA was engaged largely through digital means[2].

The massive amount of information released by Snowden created a substantive opportunity for academic analysis of relatively up-to-date information regarding government’s practice in terms of Intelligence collection. Since then, others such as Chelsea Manning, have followed in the path of Snowden and contributed to increasing the variety of documents available for legal or political academic writing. Indeed, the post-Snowden era is characterized by a dynamic and critical academic literature on the activities of Intelligence agencies[3].

The Snowden revelations also sparked reactions within the international political community. The concerns were mostly expressed towards the notion of mass digital surveillance – or cyber espionage. The newly available information led some prominent political figures to affirm that this form of espionage clearly violates international norms[4], with some commentators going as far as to argue that perhaps, espionage ought to be regulated by an international treaty[5].

Others however, continue to affirm or act based on the assumption that espionage has always been legal and continues to be even in the form of digital mass surveillance. They point out that the Snowden documents give an account of espionage as a common practice of many nations[6]. They add that States are obviously unwilling to cease extraterritorial surveillance because of its relevance in decision-making[7], therefore making an international consensus unlikely. This latter argument seems to imply that espionage is simply beyond the international rule of law[8].

This debate is the starting point of the proposed doctoral analysis and this paper introduces crucial elements pertaining to this discussion. The first section defines espionage and explores the paradoxes inherent in this practice. The second section discusses cyber-espionage and its particularities while the third and last section considers the legal status of espionage in the international order.

1.The paradox of the spy

“Once you’ve lived the inside-out world of espionage, you never shed it. It’s a mentality, a double standard of existence” [9]– John le Carré

David John Moore Cornwell, also known as John Le Carré, worked for the MI6 when he wrote the best seller The spy who came in from the cold in 1963. When he refers to “[a] double standard of existence”, he was certainly speaking from personal experience.

A discussion of the paradoxical nature of espionage helps to explain why it has remained difficult to seize from a legal and moral standpoint. This section defines espionage, discusses the activities of intelligence agencies and inquire into the moral dilemma inherent in intelligence gathering through a linguistic and legal analysis. The involvement of non-governmental organizations in espionage stratagems will not be covered in this paper.

1.1 Defining espionage

The modern spy can be puzzling to define. As a member of an official intelligence organization, he or she probably does many tasks that do not constitute espionage. For instance, intelligence agents can be engaged in the collection and analysis of data that are available to the public, much like scholars. Consequently, it is only certain aspects of the agent’s work that relates to the classical definition of spying.

English Historian Michael Burn proposed four criteria to identify a spy, stated in The debatable land: A study of the motives of spies in two ages. These serve as an adequate starting point to clarify the present discussion:

1. He is deliberately involved in the conveying of information about people or things recently observed.

2. He acquires or sends it secretly.

3. The information he seeks or conveys is for the use of people hostile to or suspicious of those it is about, and it is usually for and about people in government positions, or thought to be threatening to a Government.

4. He is consciously a deceiver.[10]

Going forward from this, “[e]spionage can be defined as the consciously deceitful collection of information, ordered by a government or organization hostile to or suspicious of those the information concerns, accomplished by humans unauthorized by the target to do the collecting”[11].

Intelligence agencies’ activities are typically classified into two categories: (1) analysis of data or (2) data collection[12]. Espionage is only committed when an intelligence agent is collecting unauthorized data. In other words, analysts are not spies and data collectors are not always spying. That being said, analysts can become spies if they disclose unauthorized information in their possession by means of their employment to an enemy. This person would also be referred to as a double-agent.

In Hollywood-based scenarios, a double-agent is the preferred method to gather confidential information from the enemy. In reality, however, there are various ways to spy on an entity or person, and it does not necessarily involve the presence of undercover or double agents. Indeed, even if it may be counter-intuitive, spies do not always hide their identity. Overt agents, such as foreign embassy officials, also transmit confidential information whenever they receive or exchange any[13].

Besides, intelligence agencies’ responsibilities have extended with time and include other activities that are not espionage per se, such as covert actions. The American National Security Act of 1947, 50 U.S.C. §413b(e) (2000) defines covert action as : “[a]n activity or activities of the United States Government to influence political, economic or military conditions abroad, where it is intended that the role of the United States Government will not be apparent or acknowledged publicly”. According to Professor Radsan:

Carved out from the definition of covert action are a string of “traditional” activities: acquiring intelligence, performing counterintelligence, and maintaining operational security; conduction diplomatic and military activities; conducting law enforcement; and providing “routine support” to over activities[14].

Examples of covert actions include the CIA’s decision to finance political parties in foreign elections (in Italy, amongst others), to create and distribute propaganda in other countries (Radio Free Europe) and to negotiate hostages’ liberation in exchange for munitions of war[15].

This extension of intelligence agencies’ role may need to be reviewed in light of recent changes or expected changes within the Western intelligence culture. Specifically, the Snowden revelations pressured secret services to work with greater accountability and transparency. Some commentators are calling for a higher degree of professionalism within intelligence agencies[16]. This could be achieved by transforming these agencies into think tanks in which critical thinking is encouraged[17]. The agencies would then constitute an independent and educated advising body to the military and the government. Since covert actions blur the distinction between the military and the intelligence, it does not fit in this new change of culture. In addition, it adds unnecessary layers of secrecy while the public is currently demanding more transparency.

Espionage also needs distinguishing from counter-intelligence activities, which relates to the need of secret services to ensure the security of their own exchanges and operations[18]. A document which was unclassified in 1994 under the CIA Historical Review Program, titled “The Anatomy of Counterintelligence” proposes the following explanation for counter-intelligence:

As an activity, counterintelligence consists of two matching halves, security and counterespionage. Security consists basically of establishing passive or static defenses against all hostile and concealed acts, regardless of who carries them out. Counterespionage requires the identification of a specific adversary, a knowledge of the specific operations that he is conducting, and a countering of those operations through penetrating and manipulating them so that their thrust is turned back against the aggressor[19].

Counter-intelligence is then inherent to the ability of Intelligence organizations to carry their functions. This is best illustrated in this excerpt from the same paper:

All the functions of counterintelligence derive from the nature and resultant activities of the adversary. For an imaginary example, let us suppose that country "X" is conducting espionage against country "Y" The latter's counterintelligence service discovers that country "X" has changed its system for communicating with its agents in country "Y." Until recently it had done so through couriers who left and picked up messages written in secret ink and concealed in dead drops. Now most of the agents are sending and receiving coded radio messages. The result will be the creation or sudden strengthening of a group in the defending counterintelligence service which will intercept messages, conduct electronic direction finding, try to break codes, capture radio operators and play them back, and so forth[20].

The Australian Secret Intelligence Service experienced firsthand consequences of a lack of Counter-Intelligence when Chinese hackers stole the blueprints of the agency’s new 630$ million dollar headquarters. ABC reported that “[t]he attack through the computers of a construction contractor exposed not only building layouts, but also the location of communication and computer networks”[21].

The Australian government must either construct another building or live with the consequences that communications within their own secret services’ headquarter may forever be compromised. The building, in other words, will be “[v]ulnerable to future cyber-attacks”[22].

This section demonstrated that a contextual analysis is necessary to discover whether an agent is actually engaged in spying activities given the wide variety of tasks assigned to Intelligence agencies nowadays. This tends to be contradictory with the demands of greater transparency, which characterizes the current political debate. In the United States for instance the USA Freedom Act, which replaces the Patriot Act, has many dispositions that aim to improve objective and transparency. Specifically, a panel of amicus curiae now advises the FISA court regarding matters of privacy and civil liberties. The legal interpretations of the court are also made public.

1.2 Linguistics and morals

Moral dilemmas and related linguistic choices play a fundamental role in fostering an understanding of the place of espionage vis-à-vis the rule of law. Indeed, when addressing the public, authorities are careful to use appropriate terms for the situation at hand. While some words emphasize the crucial role of espionage in decision making, others tend to stress its immoral nature. This tension well represents the many double standards of the profession.

Precisely, Intelligence and military agencies avoid using words such as “spying” and “spy” when referring to their own activities. Preferred terms include “intelligence collection” and “intelligence agents” because it downplays the pejorative nature of espionage. This linguistic game was eloquently accentuated by Professor Radsan:

Around and around we go with the second oldest profession. What we do to them is “gathering intelligence” – something positive, worthy of praise. What they do to us is “performing espionage” – something negative, worthy of punishment. But without the negative sign that depends on the circumstances, X equals X. Gathering intelligence is just the flip side of performing espionage, and performing espionage is just one part of a country’s broader effort for survival. Beyond any international consensus, countries will continue to perform espionage to serve their national interests. Negative or positive, it all depends on who does what to whom. International law does not change the reality of espionage[23].

As opposed to ‘espionage’, the term ‘intelligence’ is intrinsically linked to decision-making, rationality, and independent advising. This choice of word is consequent with the necessity for intelligence agencies to justify resorting to espionage and with their attempt to distinguish themselves from the actions committed by enemies. In other words, using words like ‘intelligence’ as opposed to ‘spying’ downplays the fact that espionage involves deception, betrayal, and abuse of trust. This linguistic stratagem also focuses on the results of the practice as opposed to the methods used.

It is fascinating to note that the Arabic language uses a wider variety of words to help distinguish between the moral and immoral gathering of information. On one hand, ‘Tajassasa’ refers to “the act of attempting to acquire any secret or covert information”. In the Quranic text, Muslims are discouraged from engaging in this activity: “[a]lthough the noun jasous (spy) does not appear in any Quranic text, its root, the verb tajassasa, appears in a verse of the surah (chapter) of Hujurat (Cambers), where Muslims are enjoined not to engage in this activity”. Tajassasa is associated with the work of undercover spies who commit treason by spying on their own nation for foreign entities. In the same order, “[j]asous is also used to refer to the act of detecting private information for selfish reasons, material gain, or any other nonbenevolent purpose”[24].

On another hand, the verb tahassasa is used to refer to morally acceptable spying – i.e. spying for a good cause. In the Arabic Intelligence field, agents are referred to as ain, an expression that can be translated into “eye” but which also refers to “a bird of prey” and by extension “having very keen vision”[25]. Indeed, it appears that different societies share the belief that espionage is both moral and immoral at the same time.

In the Western culture, words associated with the verb “spying” often carry a reference to treasonous behaviours and deceptions. For example, it is common for politicians and journalists to qualify enemies as “spies” or “traitors” without much distinction[26]. Actually, both criminal offenses share characteristics that are particular to a group of crimes referred to as crimes against the state. These infractions obey different dynamics than traditional crimes against the person or against objects.

Espionage and Treason laws are both particular sub-categories of criminal laws because they are politically and morally biased. First, the same event can lead to espionage or treason charges in country X, while leading to societal and legal endorsement in country Y. In other words, the same actus reus committed in two different jurisdictions may yield a different judicial and societal response. By comparison, if someone commits murder similar judicial responses can be expected from most jurisdiction. This is because life is valued almost everywhere on earth, and murder is seen as immoral in most civilizations. There can be some variations as to the defenses that are legally acceptable with self-defence usually accepted, but overall, there is a shared agreement on the immoral nature of murder in most circumstances. With treason and espionage, however, you can be a hero in one country and a criminal in another one – for the same actus reus.

Secondly, accusations of espionage or treason are subject to a scale of seriousness that is defined by the executive branch of the government. A treasonous behaviour is only criminal if it relates to national security, and the unauthorized gathering of information is only relevant to the State if you are stealing something valuable[27]. The definition of national security changes to adapt to new realities, such as cyber-threats and the war on terrorism[28]. The principle is that governments will adjust their national security policies based on their political realities and threats. This reality means that executive government decisions can alter the scope and meaning of the crimes of treason and espionage.

Ultimately, espionage and treason laws exist because of a belief in a shared duty of allegiance implicit in the social contract. In other words, these criminal wrongdoings strike a sensible cord by shaking mutual expectations of trust inherent with loyalty. They are inherently clashing with the idea of society. This is illustrated by the decision of enshrining the crime of treason in the American constitution for instance[29]. From this point of view, spies who commit treason are the quintessence of criminals considering that their crimes affect the very foundations of society, partially explaining the severe sanctions associated with such crimes with some States still applying the death penalty.

The consequence of this is that treason and espionage charges will usually create strong emotional reactions in the general population. However, if these charges fail to gather significant support, they will result in a shared feeling of injustice sometimes leading to a loss of confidence in democratic institutions. This was the case in some segments of the American population following the indictment of Edward Snowden for espionage[30].

It is necessary to stress that treason and espionage do not always overlap. When a citizen steals valuable and unauthorized information from the government and sells it to an enemy, it is both treason and espionage. However, if a foreigner steals the same information and sells it to his or her government, it is espionage but not treason. The foreigner does not have any duty of allegiance towards the foreign government (for legal purposes at least). In the same line, treason can be committed without espionage implications – an example of this could be a local militia, which attacks its government in the hopes of overthrowing it.

In Canada, espionage for the enemy is illegal under the National Defence Act[31], whereas the Security of Information Act[32] punishes espionage for the benefits of foreign entities or terrorist groups. This latter legislation also has a specific infraction for economic espionage[33]. As for the crime of treason, it can be found in the Criminal Code at section 46 which still distinguishes between high treason and petty treason, the former referring to treason during wartime. The distinction has long been abandoned in other common law jurisdictions.

In cases where espionage and treason overlap, authorities may still decide to charge the accused under both offenses. This decision is often politically motivated such as defining an individual or an organization as an enemy of the State.

This can be illustrated by taking the recent example of the Chelsea Manning affair. In June 2013, Manning was sentenced to 35 years in prison in a high-security establishment. She was acquitted of the offense of treason (aiding the enemy) but convicted of many other counts among which violations of the Espionage Act[34].

Born under the name of Bradley Manning, the army official leaked classified information to the website Wikileaks, including the infamous Collateral Murder Video in which US militaries are seen indiscriminately shooting at civilians which included two Reuter’s journalists. Manning also leaked 91 000 files relating to the War in Afghanistan, 392 files from the Iraq War, 779 files concerning the detainees at Guantanamo and 250 000 governmental memos[35].

The political nature of the indictments is best explained in this quote from Manning’s lawyer, David Coombs, following Manning’s trial: “[u]nder the current administration, leaking information to the press is tantamount to aiding the enemy. We avoided a conviction on the aiding the enemy charge, but the fact that they pursued it, let it go forward, should send alarms to all journalists”[36].

Indeed, it appears that the choice of charging Manning with treason was meant to send a clear message that Wikileaks is considered an enemy of the United States and not a journalistic source. Besides, Coombs affirmed that the US government offered a plea deal to Manning “[i]n order to get h[er] to testify against WikiLeaks in an ongoing investigation in the Eastern District of Virginia”[37]. In the wake of the Snowden revelations which concurred with this affair, the charge of aiding the enemy also meant to warn whistleblowers that “[w]hen you sign a security clearance and swear oaths, you actually have to abide by that. It is not optional”[38].

Manning’s own description of his crime are instructive on how technologies have made things much easier for spy (and whistleblower):

I would come in with the music on a CD-RW labelled with something like ‘Lady Gaga… erase the music… then write a compressed split file. No one suspected a thing… [I] listened and lip-synched to Lady Gaga’s Telephone while exfiltrating possibly the largest data spillage in American history”[39].

When Daniel Ellsberg leaked the Pentagon papers, he had to photocopy 7,000 pages during the night hours – we’ve come a long way.

2.Some particularities of cyber-espionage

Having discussed basic principles relating to the paradox of espionage law, we now move to a more specific understanding of cyber-espionage or digital surveillance[40]. To achieve this purpose, the first sub-section offers a definition cyber-espionage with practical examples of digital spycraft. It specifically discusses the Duqu, Stuxnet and Flame viruses – three well-known examples of malware designed to penetrate the enemy’s territorial barrier. The second sub-section presents an overview of the particularities of cyber-espionage. Some of the affirmations in this sub-section require further discussion in technical or political terms and will be the subject of a more detailed analysis in the final doctoral work.

2.1 Definition and examples

It should come as no surprise that spycraft has improved with the advent of new technologies. When planes became available for military purposes, spy planes followed as well, and they continue to improve, as demonstrated by the recent deployment of a top of the line spy plane to Syria by Russia[41]. Cyber-espionage is just another way to use technologies to access unauthorized, classified and/or military information.

To clarify, cyberspace can be defined as the “[g]lobal domain within the information environment consisting of the interdependent network of information technology infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers”[42]. There is also a very sociological aspect to the definition of cyberspace, which could help further define this space in cultural and political terms[43]. This aspect of the definition will be discussed in the final doctoral work and in relation to cyber politics and cyber power.

Cyber-espionage, then, can be termed as follow:

As with espionage, cyber espionage describes the unauthorised accessing and copying of confidential information. Cyber espionage however relates to the accessing and copying of electronic information that is being stored in or transmitted through cyberspace. Note that cyber espionage requires more than just gaining access to a computer system; electronic information must also be copied[44].

If the information is not copied, then we are facing charges of computer hacking (unauthorized access) and not espionage. According to Professor Filder’s definition, cyber-espionage aims at “[c]ollect[ing] intelligence information about foreign countries or companies to enhance national security, military power, or economic competitiveness”[45].

With cyber-spyware, the accessing and copying of information is often done simultaneously. This is the case because intelligence gathering in cyberspace often involves the use of sophisticated computer program referred to as spyware or malware.

One of the first spyware to gain a moment of fame is W32.Duqu, discovered in October 2011. Its purpose is “[t]o collect intelligence information on industrial control systems and critical infrastructure assets”[46]. The software was largely built on the coding structure of the infamous Stuxnet virus (leading to a headline declaring that Duqu was the “[s]on of Stuxnet[47]).

Stuxnet is a worm which was designed to infect Industrial Control Systems (ICS) that are not connected to the Internet and to eventually cause physical damages. This malware, qualified as “[t]he world’s first digital weapon”, was capable of “[e]scaping the digital realm to wreak physical destruction on equipment the computers controlled”. The deployment of this virus resulted in physical damages to some of the 164 centrifuges at the Natanz nuclear complex in Iran[48]. Among other things, the incident sparked a debate on the vulnerability of critical infrastructure to cyber-terrorism (a possibility further confirmed by the Ukraine’s power plant hack in December 2015, which resulted in a power cut for 80,000 people[49]). Duqu differs from Stuxnet because it was conceived for espionage and rather than as a weapon. It is, however, instructive to note how digital spyware is only a few code lines away from digital warfare.

Another notorious example of spyware is the Flame virus, discovered in May 2012 by the Russian security firm Kaspersky. Author, Kate Munro, commented the Flame Virus:

The Flame Virus will go down in history as the most complex, most sophisticated and largest cyber-espionage tool to fool Microsoft's Terminal Services licensing certificate authority. Using a detailed yet brilliant (in terms of cybercrime) strategy, Flame infiltrated thousands of computers in the Middle East by capitalising on a flaw that allowed attackers to create a digital security certificate masquerading as an official Microsoft security certificate. What's more, it came in the form of a Microsoft update. Although it looked genuine, users allowing the update were giving Flame the go-ahead to install massive amounts of spyware and code on their machines[50].

Flame is a heavy software with twenty modules, of which only a few are installed with the initial breach. The remainders are installed later on by the operators on valuable endpoints, where they can obtain “[t]he most sensitive information from the most valuable resources without being so overzealous as to raise any red flags with traditional anti-virus (AV) software programs”[51]. Each of these modules operates like a distinct virus with unique functionalities controlled by the administrator.

Spyware are effective because of the facility with which they can bypass anti-virus (AV) software: “[a]nything new, anything unknown, can easily get past a standard IT security system”. In other words, a targeted espionage operation with a new virus will not be stopped by an AV software until much later on. The Flame virus, for instance, took two years to be discovered. It is also difficult to remove it from circulation because it uses multiple infection vectors with different modules for every type of infection[52].

Image : Kate Munro, “Deconstructing Flame: the limitations of traditional defences” (2012) 10 Computer Fraud & Security 8.

According to Munro, “[t]oday’s complex malware and espionage codes can perform any number of functions, including self-replication and further infections”. Flame was a backdoor, a Trojan and had some features of worm malware. Complex viruses like this one can go for a very long time undetected, or can complete their whole espionage operation within seconds[53]. Flame is capable of specific actions such as recording conversations, reading what is being typed on the keyboard and taking screenshots. All of the data collected is then send to Flame’s command-and-control servers[54].

Most importantly, spyware have the capability to target specific information, though this feature is more expensive and less popular. Flame, for instance, was not designed to self-propagate: [t]he cybercrime group behind Flame had complete control over exactly where it would go and what it would do once targets were infiltrated, which contributed to Flame's success at operating completely undetected for two years”[55].

A better understanding of the various spyware available on the market can lead to some consensus on which types of programs are not tolerable in international law. While possibly an imperfect solution, such consensus is necessary to protect individual human rights such as civilians’ right to privacy and to prevent a loss of trust in international institutions due to their inability to regulate cyber-espionage.

For instance, States may be more likely to agree that spyware must be controllable at all time by the administrators and that it should be designed to target information as opposed to indiscriminately infect computers. Building from this consensus, certain restrictions could be agreed on regarding the production and sale of spyware.

This approach mimics the logic behind the limits on methods and means of waging war in international law. The Hague Convention of 1907[56], the 1977 Additional Protocols to the Geneva Conventions[57] and a series of agreements on specific weapons[58] have been developed to reduce superfluous injury or unnecessary suffering. Computer sciences may be able to offer insights leading to this imperfect but necessary type of agreement regarding digital surveillance.

2.2 Characteristics of cyber-espionage

The previous sub-section exposed how computer sciences can help nuance the debate at stake and provide for alternative ways of building an international consensus on cyber-espionage. Indeed, international treaties are an exercise in negotiation that aims at finding common ideas upon which different cultures can agree. This sub-section continues to develop this line of thoughts by exploring how digital surveillance differs from traditional ‘in-person’ espionage. Understanding these particular features of cyber-espionage help to understand the particular interests of States’ in the cyber realm. This knowledge is crucial to frame the place of espionage in international law and identify realistic solutions to the actual inertia.

To begin with, cyber-espionage is characterized by the implication of a wide variety of actors both as perpetrators and victims. This was recently underlined by Professor Russell Buchan:

Historically, espionage was an activity that was practised by States, against States, usually targeting important organs of the State such as those relating to defence and foreign affairs. Significantly, however, and as exemplified by the Snowden revelations, a combination of the widespread use of cyberspace to store information and an increasingly interdependent and competitive international environment has meant that States are also now committing cyber espionage against non-State actors such as international organisations, non-governmental organisations, companies and even individuals[59].

For instance, the targets of Flame included academic institutions, private companies, and pre-selected individuals[60]. In addition, more countries practice espionage than ever before given the availability of adequate software reasonably priced on the market: “[c]ountries no longer have to spend billions of dollars to build globe-spanning satellites to pursue high-level intelligence gathering, when they can do so via the web”[61]. This has led some commentators to affirm that cyber-espionage is “[t]he great equalizer”[62]. Indeed, developing countries can buy commercial spyware from firms like the Hacking Team whose customers include countries such as Uzbekistan, Kazakhstan, and Sudan[63].

Another attribute of digital espionage relates to the ease with which spy craft help States conduct mass surveillance and reach places otherwise inaccessible: “[t]he Internet provides a technological platform and target-rich environment for governments to engage in espionage on a scale, speed, intensity, and depth never before witnesses in spy craft”[64].

This is unsurprising given that the Internet was created as a mean to share information, and was never meant to hold confidential data. Indeed, when the American administration decided to expand the use of telecommunication networks outside of the government, it first did between universities for academics to connect and share ideas more easily.

Nevertheless, private corporations and others saw on the Internet an opportunity to conduct affairs globally with little cost. They used cyberspace for a whole new array of purposes including banking transactions and the storing of confidential data, without much interrogation as to the potential security issues. The Internet was and remains ill-conceived to conduct these operations given its open nature. Today, cyberspace holds so much information that spies barely need to leave their headquarters to access the data needed. Like James Lewis said, “[t]he Internet is God's gift to spies”[65]!

The wide-reaching nature of digital surveillance is fundamental because it triggers particular international obligations relating to human rights. Indeed, in December 2013, the United Nations’ General Assembly adopted Resolution 68/167 which requires members to review intelligence gathering measures to ensure conformity with international human rights law, hence reiterating their relevance in cyberspace[66].

Precisely, article 12 of the Universal Declaration of Human Rights[67] and article 17 of the International Covenant on Civil and Political Rights[68] both state that individuals have the right to privacy, which was defined as followed in Resolution 68/167:

[the] right to privacy, according to which no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, and the right to the protection of the law against such interference […].

Resolution 68/167 further notes that information gathering may be necessary for security purpose, but specifies that:

States must ensure that any measures taken to combat terrorism are in compliance with their obligations under international law, in particular international human rights, refugee and humanitarian law.

The Resolution also commissioned a report on privacy in the digital age (which was presented at the Human Rights Council in September 2014 and at the General Assembly in December 2014)[69]. Following this report, the Human Rights Council adopted Decision 25/117 leading to a panel discussion on the promotion and protection of the right to privacy in the digital age[70]. In April 2015, this council also appointed a Special Rapporteur on the Right to Privacy[71].

Resolution 68/167 is fundamental because it stresses that the current discussion regarding the legality of espionage must take into consideration a wider range of international norms than it traditionally did. This growing focus on privacy has to be understood in a larger context of regional or multilateral agreements on data protection enforced through economic incentives.

The European shield is the predominant example in this regards. Under Article 8 of the European Convention on Human Rights, individuals enjoy a “[r]ight to protection against the collection and use of personal data” which “[f]orms part of the right to respect for private and family life, home, and correspondence”[72]. The European jurisprudence is rich in decisions regarding the “[i]nterception of communication”, “[v]arious forms of surveillance” and “[p]rotection against storage of personal data by public authorities”[73].

In European law, data protection is also regulated by the 1981 Convention for the protection of individuals with regard to the automatic processing of personal data (Convention 108)[74] as well as several non-binding recommendations:

Convention 108 applies to all data processing carried out by both the private and public sectors, such as data processing by the judiciary and law enforcement authorities. It protects the individual against abuses, which may accompany the collection and processing of personal data, and seeks, at the same time, to regulate the transborder flow of personal data[75].

The principal source of European data protection the Data Protection Directive[76]. The document aims at harmonizing data protection law and “[t]o give substance to the principles of the right to privacy already contained in Convention 108, and to expand them”[77]. This legal framework is completed by many other directives and r indications as to how the right to data protection can or should be balanced against other rights.

The Data Protection Directive is particular because it gives power to the Council and the European Parliament to determine, on the basis of Article 25(6), “[w]hether a third country ensures an adequate level of protection by reason of its domestic law or the international commitments it has entered into”[78]. This is an important economic incentive for third countries to conform to European data protection standards: “[t]he effect of such a decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein, and Iceland) to that third country without any further safeguard being necessary”[79]. Canadian PIPEDA legislation is among those who have been recognized as satisfying the European standards[80].

This state of affairs regarding privacy leads to some preliminary remarks:

• The legality of cyber espionage is related to the right to privacy in a way that is particular to this form of espionage and this should affect discussions relating to the legal status of this practice;

• Multilateral treaties have already identified some consensus in regard to data protection, which should be an inspiration for digital surveillance;

• Multilateral treaties can be enforced through economic incentives.

This being said, current multilateral and regional treaties tend to represent the traditional wartime alliances. This translates potential issues with the necessity to reach some international consensus.

The third hallmark of cyber-espionage is that, like other cyber-operations, it is difficult to attribute the act to a specific entity. The process by which specialized units manage to identify the perpetrator behind a breach of security is referred to as digital forensics.

A well-known case of digital forensic is the inquiry conducted by the private firm Mandiant; APT1: Exposing One of China’s Cyber Espionage Units[81]. Unit 61398 is one of China’s most prolific cyber-espionage units and employ hundreds, if not thousands of people. Mandiant’s report explains that unit 61398 infiltrated a hundred and forty-one companies in twenty major industries for a total of hundreds of terabytes of data stolen. The Unit also has Command and Control servers in many countries, among which the United States. Though it required a considerable amount of technical skills, Mandiant was able to pinpoint exactly where the unit’s headquarter is located and even specify that the building is twelve stories high, built in early 2007.

Mandiant also obtained evidence that China Telecom “[p]rovided special fiber optic communications infrastructure for the unit in the name of national defense”[82]. In addition, Mandiant affirms that: “[i]n over 97% of the 1,905 times Mandiant observed APT1 [unit 61398] intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language”[83]. He also identified the nicknames of some individuals behind the computers to prove that bots did not commit the cyber-espionage. Mandiant’s purpose was to prove that the Chinese government was effectively engaged in a campaign of digital surveillance against American assets.

Nonetheless, the findings of Mandiant were vigorously denied by the Chinese Government who published a commentary in the Xinhua News Agency that qualifies the report as baseless:

One does not need to be a cybersecurity expert to know that professional hackers usually exploit what is called the botnet in other parts of the world as proxies for attacks, not their own computers," according to the commentary. "Thus, it is highly unlikely that both the origins of the hackers and the attacks they have launched can be located.[84]

The report was also criticized by the cyber security industry as having failed to prove attribution:

My problem is that Mandiant refuses to consider what everyone that I know in the intelligence community acknowledges -- that there are multiple states engaging in this activity; not just China," Carr said. "And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.[85]

The attribution issue is a crucial one in cyber-security that is exacerbated in the political and legal realms. Even if some commentators find the attribution problem exaggerated in regard to its importance[86], it remains that accusing another State of cyber-espionage requires a high degree of certitude due to the potential impacts on foreign relations. Furthermore, attribution in international law is already a complex process that requires to first prove the international reach and then attribute it to the government or an entity acting on its behalf. The issue of attribution in cyberspace is the object of its own literature and critic, which will be further examined in my doctoral work[87].

It is sufficient, for the purpose of this paper, to understand that as a consequence of the attribution issue, the potential political costs of espionage is quite low, hence encouraging States into pursuing this avenue. Moreover, this has to be understood in a greater dynamic of a militarization of cyberspace characterized by a race towards cyber-power, with cyber-power conceived as the capability to retain national security information[88]. In fact, with spyware, States are just a code line away from digital weapons, as demonstrated by the similarities between Duqu and Stuxnet:

[C]yberespionage helps embed the desire for cyber capabilities deeply into political, military, and intelligence calculations about power and its exercise in international relations. Worries about a destabilizing offensive-defensive cyber “arms race” cannot ignore that cyberespionage facilitates offensive and defensive activities through a shared binary backbone. Arguably, no other instrument of espionage feeds as directly into building weapons and defending against weapons[89].

This brief and imperfect overview of the particularities of digital espionage already brush a picture of the practice as one which differs from traditional espionage. The difficulty with which espionage can be attributed, it’s particular role in relation to the militarization of cyberspace, the availability of spyware at a reasonable cost and its effectivity all contribute to encourage States into the path of mass digital surveillance notwithstanding concerns relating to privacy.

This situation is particularly concerning because individuals whose privacy is violated may lose faith in the domestic rules of law and democratic institutions. In a similar manner, States whose sovereignty is violated may lose faith in the international rule of law and the ability of international organizations to protect their interests. This vicious circle and the current inertia of stakeholders is a dangerous state of affair and prompt intervention is required. In this regard, it is necessary to take into account the perspective of foreign relations and computer sciences and integrate them into an informed legal debate.

3. International Law and Espionage

Having discussed how technologies affect the nature of espionage, this last section proposes an overview of its current status in international law. The absence of treaty regulating the issue during peaceful time has been mentioned, but there are some rules that apply during war time and some principles which are relevant during peacetime. This section explores these in the context of cyber-espionage.

3.1 The rules of war and espionage

The fact that espionage is referred to as the second oldest profession in the world is consequent with its presence in treaties redacted even before the appearance of an international order. Precisely, the Declaration of Brussels of 1867 states that espionage is a lawful means of warfare[90], even if sometimes deceptive[91]. The agreement also involves dispositions regarding the punishment applicable to spies that translate the uncomfortable but necessary nature of espionage:

A spy if taken in the act shall be tried and treated according to the laws in force in the army which captures him… if a spy who rejoins the army to which he belongs is subsequently captured by the enemy, he is to be treated as a prisoner of war, and incurs no responsibility for his previous acts[92].

As colonel Desmarest puts it, “[t]he law of war, while preserving the deterrence effect of capital punishment, and also easing the individual’s fate, rewards success in spying”[93]. Espionage, he argues, “[i]s considered a ‘noncrime crime’” [94] or simply put, the crime of espionage has an expiration date. It is fascinating to see how espionage was regulated like a political game with rules ensuring some sort of fair play between States.

Another point worth mentioning in this Declaration is how the term “spy” is limited to certain individuals. For instance, military men are not spies if it is possible to recognize their military character, even if carrying dispatches[95].This serves a legal purpose, but also relates to the linguistic aspect of the crime previously discusses. Spies are not to be confused with prisoners of war or military men; their status is different due to the puzzling nature of the act as a deception and a lawful act of warfare.

Later on, espionage will also be regulated by The Hague and Geneva conventions based on the Lieber Code, written eleven years prior to the Brussels Declaration[96]. It is useful to discuss the Lieber Code as an introduction to these more recent and familiar agreements. The Lieber Code specifically pinpoints the paradox of espionage:

While deception in war is admitted as a just and necessary means of hostility, and is consistent with honorable warfare, the common law of war allows even capital punishment for clandestine or treacherous attempts to injure an enemy, because they are so dangerous, and it is difficult to guard against them[97].

In fact, this Code is strict on espionage and puts a lot of emphasis on deterrence while still remaining pragmatic: “[t]he Lieber Code marked the beginning of the modern pattern of giving the spy considerable leeway after-the-fact, but very little leeway if caught in the act”[98].

The current applicable laws in wartime can be found in the 1907 Hague Convention which specifies that a spy must be caught in the act and condemned only following a trial[99]. The Rules concerning the control of wireless telegraphy in time of war and air warfare, drafted by a commission of jurists at The Hague between December 1922 and February 1923 are also relevant due to its analogical value with digital surveillance. The following articles can easily adapt to transmission in cyberspace:

6.1. The wireless transmission by an enemy or neutral vessel or aircraft while being on or above the high seas, of any military information intended for a belligerent’s immediate use, shall be considered a hostile act exposing the vessel or aircraft to be fired at;

[…]

8. Neutral mobile wireless stations shall abstain from keeping a written copy of wireless messages received from belligerent military wireless stations, […]

11. Acts which, in others respects, do not constitute acts of espionage, are not considered as such for the mere fact that they imply an infringement of the present rules.

Additional safeguards to the 1907 Hague Convention are added in the Geneva Conventions of 1949 regarding the judicial process surrounding espionage charges. These precisions include the spy’s right to appeal and a six-month waiting period before the execution of the death penalty[100]. The Geneva Protocols of 1977, notwithstanding their purpose “[t]o take advantage of new medical and communication technologies and attempt more thorough inclusion of non-international conflicts”, did little to update the rules of espionage [101].

Colonel Desmarest argues that:

The existing laws of war are a valid starting point for international juridical treatment of peacetime intelligence. Principles regarding spying in the laws of war are unique, clear and consistent. As such, the laws of war provide a compass for navigating the ethical dilemmas involving human rights, sovereignty, and global security that human intelligence collection entails[102].

Nonetheless, this point of view is not endorsed in this paper. The laws of war simply codify common sense in times of war – where everything that is otherwise unacceptable is tolerated. Such rules do not provide any compass to the contradictory nature of espionage, but rather pragmatically accommodates both spies and victims as the author himself stresses later in his article: “[r]ules of war do little to reconcile the paradoxical nature of espionage as a delict”[103].

The laws of war completely ignore the infringement of privacy that may result from cyber-espionage and therefore largely disregard the concept of human rights, except when discussing the judicial treatment of the spy. They also fail to justify their validity in regards to principles of international law, such as those of distinction and proportionality.

These laws were redacted at a moment in history during which espionage was marginal, aimed at military and political targets and definitely a dangerous business. As we have seen, cyber-espionage differs in this regard and the deterrence aspect of these rules have certainly lost its utility. In addition, wartime targets have expanded to include critical national infrastructures and core economic assets – both susceptible to disproportionally affect civilians. This is perturbing because cyber-espionage plays a crucial role in the feasibility of such attacks which are likely to be conducted in cyberspace.

Recent academic literature has focused on espionage in peacetime because of the absence of explicit treaty but it appears that even where the activity is regulated, a discussion is needed to efficiently address concerns such as civilians’ privacy. In the scenario of an overt war implicating modern States, it is likely that the deterrence aspect of the espionage dispositions of the rules of war would prove totally irrelevant.

3.2 Principles susceptible to apply to espionage in peacetime

There is currently no international crime of espionage which specifically makes the practice illegal during peacetime. Besides, the international landscape is marked by multilateral agreements between sovereign States that make the interception, collection, acquisition, analysis and decryption of data easier through collaboration.

The Communications Security Establishment of Canada (CSEC), for instance, is part of the five eyes agreement which also involves the United States National Security Agency (NSA), the United Kingdom’s Government Communications Headquarters (GCHQ), the Australian Signals Directorate (ASD) and New Zealand’s Government Communications Security Bureau (GCSB). Other collaborative agreements include the nine eyes and the fourteen eyes which involve different levels of sharing among the Five eyes and additional European countries. Such alliances often have their source in post-war arrangements.

Notwithstanding this, the Convention on International Civil Aviation (Chicago Convention) of December 1944 implies that territorial sovereignty is not limited to land[104]. According to this treaty, States enjoy sovereignty over their the airspace that falls within their territorial jurisdiction. As a consequence, the unlawful passage of aircraft can lead to a breach of sovereignty and in some cases, trigger the non-intervention principle. The practice of States, however, is somewhat inconsistent and often seems to depend on the character of the aircraft.

In 1983, the Russian interpreted the Chicago Convention as a permission to shoot down a Korean Airliner KAL 007 ostensibly on the grounds of its spying activity. International pressure led to an extraordinary session of the International Civil Aviation Organization on May 10, 1984, after which the following amendment to the third article was adopted:

1. The contracting States recognize that every State must refrain from resorting to the use of weapons against civil aircraft in flight and that, in case of interception, the lives of persons on board and the safety of aircraft must not be endangered. This provision shall not be interpreted as modifying in any way the rights and obligations of States set forth in the Charter of the United Nations.

The organization was very careful to circumcise its intervention to avoid misinterpretation, such as legalizing spy flights. According to Professor Dale Stephens, the last sentence of the amendment above “[i]ndirectly acknowledg[e] the right against physical surveillance intrusion”[105], hence setting a precedent for espionage’s illegality in this particular case. Such physical interdiction is correlated by the United Nations Convention on the Law of the Sea which classifies military surveillance as a non-innocent passage[106]. Silence outside of these treaties, according to this expert, “[s]uggests that there is a tacit acceptance of the right of nations to undertake such activity”[107].

In 2001, another incident implicated a US Navy EP 3 aircraft which was conducting surveillance within 200 nautical miles of the exclusive economic zone of China and collided with a Chinese F-8 fighter, leading to the pilot’s death. The Chinese argued that the US reconnaissance flight disregarded its security interests. The United Stated replied that surveillance within this zone was legally permitted and did not amount to an international breach. They further contended that this activity was consistent with the “peaceful purposes” of the Convention on the Law of the Sea[108]. The vast majority of academic opinions supported the American position[109].

Nonetheless, there continues to be a void in international law in regard to digital espionage which academics are trying to fill using familiar notions such as sovereignty, the principle of non-intervention, the customary rule of law and the Lotus rationale.

The principle of territorial sovereignty corresponds to a State’s “[c]apacity to exercise full and exclusive authority”[110]. There are two competing conceptions of this principle in international law that exist. In the first one, a breach of territorial sovereignty does not require physical impacts to qualify whereas, in the second one, a breach of territorial sovereignty can exist without any physical impacts[111].

These conflicting premises are fundamental in relation to cyber-espionage. As we have discussed, cyber-espionage involves the unauthorized gathering of confidential information through accessing and copying the data. As a consequence, digital surveillance does not cause physical damage outside of cyberspace and does not alter or delete any data. A conception of territorial sovereignty which focuses on physical impacts would mean that cyber espionage would rarely, if ever, qualify for a breach of sovereignty.

Professor Buchan has argued that such a narrow conception should be discarded. Starting from the premise that state practice clearly reveals that states regard themselves as exercising sovereignty in cyberspace[112] and even territorial sovereignty[113], the author argues that:

Although on the face of it cyberspace would appear immune from territorial sovereignty because it is a virtual, borderless domain it must nevertheless be appreciated that cyberspace is a man-made environment that ‘requires physical architecture to exist’,[114] including fiber-optic cables, copper wires, microwave relay towers, satellite transponders, internet routers etc. As a result, where computer networks are interfered with, or where information is interfered with that is located on those networks, and those networks are supported by cyber infrastructure physically located in a state’s territory, that state’s territory can be regarded as transgressed and thus a violation of the principle of territorial sovereignty occurs.[115]

Territorial sovereignty, then, can be used as a legal argument for the protection of data contained in national cyber infrastructure from digital surveillance.

The principle of non-intervention, according to this author, could potentially offer an additional protection through application in cases involving the transmission of data using foreign cyber networks or the storage of data in cloud computing technologies which use a centralized server located in a foreign territory[116].

The issue with the application of these two principles to cyber-espionage is that the argument currently relies on analogical thinking given the absence of international agreements or legal precedents. There are just too many uncertainties in the legal academic literature to interest state representatives and military officials into refraining from engaging in intelligence collection.

A multi-jurisdictional scenario such as those preferred by high-profile cyber-espionage units illustrates this point. Imagine a situation in which cyber-espionage is done using a software written in Russia, sold to Chinese authorities, installed on a control and command server located in Ukraine, executed by a bot with an IP address in Indonesia, through an administrator located in Europe. In this hypothetical scenario, the target of espionage could be the French government who could be storing data in a cloud owned by a foreign country, such as the Netherlands. The French administration would also have cyber-infrastructure in various countries and information is likely to circulate between all of these different geographic points. To apply the previous principles to these types of complicated scenarios is not impossible, but it is complicated, especially given the lack of international cooperation and the attribution principle. There are a lot of gray nuances for perpetrators to exploit and it encourages States to take seriously the application of these principles.

Indeed, an important concern with the application of these principles to regulate cyber espionage is that it operates in a vacuum from the realities of foreign relations. In international law, legal interpretation cannot be dissociated from politics. Professor Buchan’s arguments, while legally convincing, are unlikely to frame a solution-oriented debate regarding the way extraterritorial cyber-espionage ought to be integrated into the rule of law. Besides, the argument is unlikely to engage politicians because of the potential falls back of accepting broad conceptions of such principles.

As for the application of the customary rule of law to espionage or cyber-espionage, it can be summarized briefly as the assumption that a permissive rule was created because most States are engaged in international intelligence gathering. The argument can go as far as claiming that this state of affairs has modified the principles of territorial sovereignty and non-intervention as to create an exception for espionage[117].

For a customary norm to be recognize, two elements must be present: (1) proved state practice and (2) belief that this state practice is licit[118]. It is specifically mentioned in legal precedents that customary norms cannot result from secret practices[119]. The case against the customary rule of law as a justification for espionage has been thoroughly and well debated by Professor Buchan[120]. If tactfully used, this argument can serve as a legal basis to open a debate on the legality of some of the current cyber-espionage techniques.

Lastly, the Lotus principle is simply the judicial statement that “what is not illicit is therefore licit”[121]. Legal precedents clearly indicate that within international law, “[e]very State remains free to adopt the principles which it regards best and most suitable”[122]. This freedom can only be limited by a voluntary decision to adhere to a treaty or an agreement.

Notwithstanding this, proponents of the illegality of espionage affirm that the Lotus principle is circumscribed by the constitutional norms of international law, which include sovereignty. This later principle is conceived as the basis “[u]pon which the whole of international law rests”[123]. Following from this is the worry that the international system, by failing to protect the subjects’ integrity, is likely to lose credibility. This situation could lead to a loss of trust towards these institutions and ultimately, a potential degradation of international relations.

The international legal framework of espionage remains an incomplete work in urgent need of attention given the characteristics of extraterritorial digital surveillance. Wartime agreements fail to address privacy which as a novel concern in this field given mass surveillance’s effect on civilians and are out-dated in many regards such as relating to deterrence effects.

Express dispositions on espionage are completely absent of the international peacetime regime, but many other principles technically apply to guide States’ behavior. These include the principles of territorial sovereignty and of non-intervention, the customary rules of law and the Lotus case’s ratio decidendi.

There are no agreement at the moment on how these should apply to cyber-espionage and no States have endorsed a comprehensive interpretation of the law pertaining to this practice. The Tallinn Manual 2.0, which is set to be published in 2016, will be addressing the question as well and is likely to promise further clarifications. Experts like Professor Buchan has been called to meet with the international group of experts to give a lecture on the possible application of these principles.

To conclude, espionage has always been a perplexing and paradoxical activity that can lead a spy to an honour medal or to a death row sentence. As a marginal practice occupying a privileged place in political decision-making, traditional espionage was tolerated or, as some would say, was accepted as an activity ‘beyond the rule of law’. It can be argued that espionage was traditionally regulated by fair play principles rather than legal norms.

Cyber-espionage has profoundly changed this dynamic and emphasized the treacherous aspects of Intelligence collection. The international reactions to the NSA’s mass digital and extraterritorial surveillance best illustrates this. From the comfort of their headquarters, intelligence agencies could now access information located in foreign territories with very few economic, political or military risks. Following Snowden’s revelations, the United States were the subject of some international critics but these were soon discredited due to their hypocritical nature. The States which were the most vocal about their discontent were also found to be engaged with similar programs of mass surveillance or engaged in human rights abuses relating to cyberspace[124].

Nonetheless, the Snowden revelations prompted a legal debate as to whether extraterritorial digital surveillance is, or should be, permissible under the international rule of law:

Important questions are now rightly being raised as to whether cyber espionage is a permissible cat and mouse exercise that is part of the ebb and flow of a competitive international environment or, instead, whether it is a pernicious practice that undermines international cooperation and is prohibited by international law[125].

Modern intelligence gathering excessive reach has disproportional effects on political integrity. The inability of the international rule of law to prevent such intrusions in a legal system based on independence and legal sovereignty is likely to lead to a loss of trust into international organizations as well as a deterioration of international relations. Another risk is that cyber-espionage and the militarisation of cyberspace leads to a vicious circle of surveillance leading to vast abuses and infringement on the privacy rights of civilians, corporates and governments.

The particular place of cyber-espionage in regards to the militarisation of cyberspace was stressed by the Citizen Lab:

Governments around the world are engaged in a rapid race to militarize cyber space, to develop tools and methods to fight and win wars in this domain. This arms race creates an opportunity structure ripe for crime and espionage to flourish. In the absence of norms, principles and rules of mutual restraint at a global level, a vacuum exists for subterranean exploits to fill.

There is a real risk of a perfect storm in cyberspace erupting out of this vacuum that threatens to subvert cyberspace itself, either through over-reaction, a spiraling arms race, the imposition of heavy-handed controls, on through gradual irrelevance as people disconnect out of fear of insecurity.

There is, therefore, an urgent need for a global convention on cyberspace that builds robust mechanisms of information sharing across borders and institutions, defines appropriate rules of the road for engagement in the cyber domain, […][126]

Notwithstanding some convincing arguments as to the analogical application of legal norms, these comments failed to have a deterrent effect on the practice of States. This was echoed by Professor Fidler, an expert in the field:

In international politics, the rise of cyberespionage converges with the ubiquity of spying against governments and economic espionage against companies to produce a new challenge in a context that lacks effective’s strategies and rules. Every government prohibits espionage within its territory through criminal law, but every government engages in espionage in the territory of other countries. This reality means that national prohibitions do not deter spying and that countries have no incentive to develop (and have not developed) international legal rules that regulate traditional spying or economic espionage[127].

Given the danger of digital espionage, both on international relations and on civilians, it appears that there is an urgent need for some consensus on the practice and it further appears that a polarized debate is unlikely to reach solutions.

Banning intelligence gathering altogether is unrealistic given how information plays a major role into preserving political power online. The fact that a practice cannot be illegal due to practical realities, however, should not deter international regulation. The debate on the legality of espionage needs to be reframed with some flexibility. A better knowledge of the types of software and malware available on the market could lead to a functional regulation of certain types of excessive practices. Consultations with internet stakeholders’ such as international corporations, can also help to build a credible system of monitoring of states’ practice to enforce the consensus reached. Major internet corporations are in the same position than States in regards to international cyber-espionage and their opinions is also relevant, especially given that they often have crucial computer engineering perspectives to propose.

SOURCES

DOMESTIC LEGISLATION

National Defence Act, R.S.C. 1985, n. N-5.

National Security Act of 1947, 50 U.S.C. §413b (e) (2000).

Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.

Security of Information Act, 1985, c. 0-5.

MULTILATERAL TREATIES

Convention for the Protection of Human Rights and fundamental freedom, Rome, 4.XI.1950 (entry into force 1953).

CoE, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe, CETS No. 108, 1981.

Convention on the Prohibition of the Use, Stockpiling, Production and Transfer of Anti-Personnel Mines and on their Destruction, 36 ILM 1507, entered into force March 1st, 1999;

Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May be Deemed to be Excessively Injurious or to Have Indiscriminate Effects, 1342 UNTS 137, 19 ILM 1524, entered into force December 2, 1983.

Convention on the Protection of Civilian Persons in time of war, 75 UNTS 287 (entered into force October 21, 1950)

Data Protection Directive, OJ 1995 L 281.

Hague Convention IV - Laws and Customs of War on Land: 18 October 1907, 36 Stat. 2277, 1 Bevans 631, 205 Consol. T.S. 277, 3 Martens Nouveau Recueil (ser. 3) 461, entered into force January 26, 1910.

International Covenant on Civil and Political Rights, 999 UNTS 14668 (New York, December 16, 1966).

Project of an International Declaration Concerning the Laws and Customs of War, Aug. 27, 1874, 4 Martens Nouveau Recueil (ser. 2) 219, 65 brit. Foreign & st. Papers 1005 (1873-74)

Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 1125 UNTS 3, entered into force December 7, 1978).

Protocol on Prohibitions or Restrictions on the Use of Mines, Booby-Traps and Other Devices (Protocol II), 1342 UNTS 168, 19 ILM 1529, entered into force December 2, 1983; as amended May 3, 1996, 35 ILM 1206.

Resolution 217 A (III), A/RES/3/217/A, 3rd session, 183rd plenatary meeting, December 10, 1948.

The Rules concerning the Control of Wireless Telegraphy in Time of War and Air Warfare, Drafted by a Commission of Jurists at The Hague, December 1922 - February 1923

United Nations Convention on the Law of the Sea, 1994 UNTS 397 (signed in Montego Bay, on December 10, 1982)

JURISPRUDENCE

Accordance with International Law of the Unilateral Declaration of Independence in Respect of Kosovo, Advisory Opinion [2010] ICJ Rep 403

Copland v. the United Kingdom, No. 62617/00, 3 April 2007;

Klass and Others v. Germany, No. 5029/71, 6 September 1978;

Leander v. Sweden, No. 9248/81, 26 March 1987;

Malone v. the United Kingdom, No. 8691/79, 2 August 1984;

Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14

S. and Marper v. the United Kingdom, Nos. 30562/04 and 30566/04, 4 December 2008.

Uzun v. Germany, No. 35623/05, 2 September 2010;

SS Lotus Case (France v Turkey) [1927] PCIJ Report Series A No 10

MONOGRAPHS

Al-Asmari, Abdulaziz A. “Origins of an Arab and Islamic Intelligence Culture” 89 at 91 in Philip H. J. Davies & Kristian C. Gustafson, Intelligence Elsewhere (Washington: Georgetown University Press, 2013).

Antonopoulos, Constantine. “State responsibility in cyberspace” in Nicholas Tsagourias & Russell Buchan, eds, Research Handbook on International Law and Cyberspace (Edward Elgar Publishing: 2015) 57.

Buchan, Russell. “Cyber espionage and international law” in Nicholas Tsagourias and Russell Buchan, eds, Research Handbook on International law and cyberspace (Edward Elgard Publishing, 2015).

Burn, Michael. The debatable land: a study of the motives of spies in two ages (Hamish Hamilton, 1970).

European Union Agency for Fundamental Rights, Handbook on European Data Protection (Luxembourg: Publications of the Office of the European Unions, 2014).

Fidler, David P. The Snowden Reader (Bloomington, IN: Indiana University Press, 2015).

Fidler, David P. “Thinker, Tailor, Soldier, Duqu: Why cyberespionage is more dangerous than you think” (2012) 5 Int’l J of Critical Infrastructure Protection 28.

Geist, Michael A. Laws, privacy and surveillance in Canada post-Snowden era (Ottawa, University of Ottawa, 2015).

Goldfarb, Ronald L. After Snowden: privacy, secret and security in the information age (New York: Thomas Dunne Books, 2015).

Greenberg, Andy. This Machine Kills Secrets: How Wikileakers, Cypherpunks and Hacktivists Aim to Free the World’s Information (London: Dutton, 2012).

Greenwald, Glenn. No place to Hide: Edward Snowden, the NSA, and the US surveillance State (New York, NY: Metropolitan Books/ Henry Holt, 2014).

Harding, Luke. The Snowden files: the inside story of the world’s most wanted man (New York, NY: Vintage Books – A division of Random House LLC, 2014).

Jordan, Tim. Cyberpower: the culture and politics of cyberspace and the Internet (London, New York: Routledge, 1999)

Khan, Paul W. regarding torture in Sacred Violence: Torture, Terror and Sovereignty (Ann Arbor: University of Michigan Press, 2008).

Lee, Newton. Counterterrorism and cybersecurity: total information awareness (Cham, Springer, 2015)

Lyon, David. Surveillance after Snowden (Cambridge, Polity Press: 2015).

Martin, Greg, Rebecca Scott Bray & Miiko Kumar, Secrecy, law and society (New York: Routledge, 2015).

McCarthy, Daniel R. Power, information technology, and international relations theory: the power and politics of US foreign policy and the internet (Palgrave Macmillan, 2015).

Moorhouse, Frank. Australia under Surveillance (North Sydney: Vintage Books – A division of Random House, 2014),

Schmitt, Michael N. ed, Tallinn Manual on the International law applicable to cyber warfare (Cambridge University Press: 2013)

Shimonsky, Robert. Cyber reconnaissance surveillance and defense (Waltham, MA, Syngress, 2015).

Ziolkowski, Katharina. “Peacetime Cyber Espionage – New Tendencies in Public International Law,” in Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy, ed. Katharina Ziolkowski (CCDCOE, 2013) 458.

ARTICLES: ACADEMIC LITERATURE

Ayers, Pip. “’In my day, MI6 – which I called the Circus in the books – stank of wartime nostalgia': John le Carré reflects” (July 15, 2011), online: Daily Mail <www.dailymail.co.uk>.

Baker, Christopher D. “Tolerance of International Espionage: A Functional Approach” (2003)19:5 American University International Law Review 1091.

Beamon, Todd. “Pete Hoekstra: Snowden still a traitor despite court ruling” (May 8 2015), online: Newsmax TV <www.newsmax.com>

Deibert, Ronald. “The geopolitics of cyberspace after Snowden” (2015) 768 Current History 9.

Desmarest, Geoffroy B. « Espionage in International Law » (1996) 24: 2,3 Denver J Int’l & Pol’y 321.

Heinegg, Wolff Heintschel von. “Territorial Sovereignty and Neutrality in Cyberspace” (2013) 89 International Law Studies 129.

Kanuck, Sean. “Sovereign Discourse on Cyber Conflict under International Law,” (2010) 88 Texas International law Journal 1571”.

Kaplan, Thomas. “Fact checks of the 2016 Election”, online: The New York Times <www.nytimes.com>

Larson, Carlton F. W “The Forgotten Constitutional Law of Treason and the Enemy Combatant Problem” (2006) 154:4 University of Pennsylvania L Rev 863.

Munro, Kate. “Deconstructing Flame: the limitations of traditional defences” (2012) 10 Computer Fraud & Security 8

NCAFP, “Cybersecurity, US foreign policy and a changing landscape: a new generation speaks out” (2014) 36:1 American Foreign Policy Interests 44.

Radsan, John A. « The unresolved equation of espionage and international law” (2007) 28:75 Michigan J of Int’Law 595

Sagar, Rahul. “Against moral absolutism: surveillance and disclosure after Snowden” (2015) 29:02 Ethics & International Affairs 145.

Smith, Jeffrey H. “State intelligence gathering and international law: Keynote address” (2007) 28 Michigan L Int’l L 543.

Sulmas, Glenn and John Yoo, “Counterintuitive: Intelligence Operations and International Law,” (2007) 28 Michigan Journal of International Law 628

Tate, Julie. “Bradley Manning sentenced to 35 years in WikiLeaks case” (August 21, 2013), online: The Washington Post <www.washingtonpost.com>

ARTICLES: NEWSPAPERS

BBC News, “Edward Snowden: leaks that exposed US spy programme” (January 17, 2014), online: BBC News <www.bbcnews.com>

Gidda, Mirren. “Edward Snowden and the NSA files – timeline” (August 21, 2013), online: The Guardian, <www.theguardian.com>

Hern, Alex. “US government increases funding for Tor, giving $1.8M in 2013” (July 29, 2014), online: The Guardian <www.theguardian.com>.

Kelley, Michael B. “Snowden answered the question ‘Aren’t you a traitor’ – and it was puzzling” (October 9 2015), online: <www.businessinsider.com>.

Nelson, Steven. “Edward Snowden unpopular at home, a hero abroad, poll finds” (April 21, 2015), online: US News <www.usnews.com>.

Reuters, « Edward Snowden : We need an international treaty on privacy rights - Fugitive former US spy contractor spoke via video conference from Russia » (September 25, 2015), online: South China Morning Post <www.scmp.com>.

Taylor, Rob. Australian spy HQ plans stolen by Chinese hackers: report” (May 27, 2013), online: Reuters <www.reutors.com>.

Timberg, Craig. “Foreign regimes use spyware against journalists, even in the U.S.” (February 12, 2014, online: The Washington Post <www.washingtonpost.com>.

The Guardian, “China’s demands halt to ‘Unscrupulous’ US cyber-spying” (May 27, 2014), online: <www.theguardian.com>.

The Guardian, “The Snowden Files – Inside the surveillance state” (December 2, 2013), online: The Guardian <www.theguardian.com>).

OTHERS: REPORTS

Information Warfare Monitor & Shadow Server Foundation, “Shadows in the cloud: Investigating cyber-espionage 2.0”, online: <http://shadows-in-the-cloud.net>.

Report of the Office of the United Nations High Commissioner for Human Rights, The right to privacy in the digital age, A/HRC/27/37, presented to the Human Rights Council at its 27th session.

OTHERS: DOCUMENTS FROM THE UNITED NATIONS

Decision 25/117 adopted at the 25th session of the Human Rights council, A/HRC/25/L.12, adopted without a vote at the 54th meeting on March 27th, 2014.

Human Rights Council Resolution 20/8 adopted on July 5th, 2012 on the promotion, protection and enjoyment of human rights on the Internet (A/HRC/20/L.13, 20th session, third committee, adopted without a vote).

International Law Commission (ILC), “Second Report on the Identification of Customary International Law,” A/CN.4/672 (2014)

Resolution 28/16, A/HRC/28/L.27, 3rd committee, 28th session, 56th meeting, adopted without a vote on March 26th, 2015.

The right to privacy in the digital age, resolution adopted by the General Assembly on 18 December 2013 (GA/11475), on the report of the Third Committee (A/68/456/Add.2), 68th session.

UN General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, June 24, 2013, UN Doc A/68/98.

OTHERS: GOVERNMENTAL DOCUMENTS

Joint Chiefs of Staff, Joint Publication 1-02, DOD Dictionary of Military and Associated Terms (8 November 2010) (As amended through 15 June 2014).

Instructions for the Government of the Armies of the United States in the Field, prepared by Francis Lieber, promulgated as General Orders No. 100 by President Lincoln, 24 April 1863, Adjutant Generals’ Office 1863, Washington 1898, Government Printing office.

Wasemiler, A. C. “The Anatomy of Counterintelligence”, approved for release in 1994 under the CIA Historical Review Program, online: CIA <www.cia.gov>.

OTHERS: WEBSITES AND BLOGS

Bevins, Vincent. “Why Did Brazil’s President Change Her Tune on Spying?” (June 16, 2015), online: Foreign Policy <www.foreignpolicy.com>

Cenciotti, David. “Russia has just deployed its most advanced spyplane to Syria” (Feb. 15, 2016), online: <www.theaviationist.com>.

European Commission, “Commission decisions on the adequacy of the protection of personal data in third countries”, online: <ec.europa.eu>.

Freedom House, “Freedom on the net; Brazil 2014-2015”, online: Freedom House <freedomhouse.org>.

Hannaford, Kat. “How a Burnt Lady Gaga CD Helped Leak Thousands of Intelligence Files” (11/29/10), online: Gizmodo <www.gizmodo.com>.

Lapowski, Issie. “How climate change became a national security problem” (October 20, 2015), online: Wired <www.wired.com>.

Meistev, Andre. "Strategic Initiative Technology: We Unveil the BND Plans to Upgrade its Surveillance Technology for 300 Million Euros” (translated by Kristen Fielder & Nikolai Schnarrenberg from EDRI.org) (September 23, 2015), online: Netzpolitik <www.netzpolitik.org>.

Roy, Debarati. “Flame Malware: All You Need to Know” (May 30, 2011), online: <www.networkworld.com>.

Schwartz, Matthew J. “China Denis U.S. Hacking Accusations: 6 Facts” (February 21, 2013), online: Dark Reading <www.darkreading.com>.

The White House, “The US International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World” (May 2011), online: the White House <www.whitehouse.gov>

United Nations, “Germany and Brazil circulate UN draft resolution on condemning surveillance” (November 2, 2013), online: Deutsche Welle <www.dw.com>.

Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown Publishers, 2014), online: Wired <www.wired.com>.

Zetter, Kim. “Everything we know about Ukraine’s power plan hack” (January 20th, 2016), online: Wired <www.wired.com>.

OTHERS: UNPUBLISHED WORK

Buchan, Russel. The International Legal Regulation of State-Sponsored Cyber Espionage, presented as a lecture to the Tallinn Cyber Defence Centre, to be published in May or April

Stephens, Dale. Online lecture, “cyberwar, surveillance & security’’, Adelaide University, Cyber 101x, online: EDX <www.edx.org>

Yoo, Christopher S. “Cyber espionage or cyber war? International law, domestic law, and self-proactive measures” (2015) University of Pennsylvania Law School: Legal Scholarship Repository, online: <http://scholarship.law.upen.edu>.

[1] See for instance Alex Hern, “US government increases funding for Tor, giving $1.8M in 2013” (July 29, 2014), online: The Guardian <www.theguardian.com>.

[2] For a chronological overview of the Snowden affair, see Mirren Gidda, “Edward Snowden and the NSA files – timeline” (August 21, 2013), online: The Guardian, <www.theguardian.com> and BBC News, “Edward Snowden: leaks that exposed US spy programme” (January 17, 2014), online: BBC News <www.bbcnews.com>. For a more throughout narrative, see Glenn Greenwald, No place to Hide: Edward Snowden, the NSA, and the US surveillance State (New York, NY: Metropolitan Books/ Henry Holt, 2014) and Luke Harding, The Snowden files: the inside story of the world’s most wanted man (New York, NY: Vintage Books – A division of Random House LLC, 2014).

[3] See David P. Fidler, The Snowden Reader (Bloomington, IN: Indiana University Press, 2015); David Lyon, Surveillance after Snowden (Cambridge, Polity Press: 2015); Ronald L. Goldfarb, After Snowden: privacy, secret and security in the information age (New York: Thomas Dunne Books, 2015); Robert Shimonsky, Cyber reconnaissance surveillance and defense (Waltham, MA, Syngress, 2015); Michael A. Geist, Laws, privacy and surveillance in Canada post-Snowden era (Ottawa, University of Ottawa, 2015); Greg Martin ,Rebecca Scott Bray & Miiko Kumar, Secrecy, law and society (New York: Routledge, 2015); Daniel R. McCarthy, Power, information technology, and international relations theory: the power and politics of US foreign policy and the internet (Palgrave Macmillan, 2015); Newton Lee, Counterterrorism and cybersecurity: total information awareness (Cham, Springer, 2015); Ronald Deibert, “The geopolitics of cyberspace after Snowden” (2015) 768 Current History 9; Rahul Sagar, “Against moral absolutism: surveillance and disclosure after Snowden” (2015) 29:02 Ethics & International Affairs 145; NCAFP, “Cybersecurity, US foreign policy and a changing landscape: a new generation speaks out” (2014) 36:1 American Foreign Policy Interests 44.

[4]Brazilian President repeatedly referred to the US’s conduct as an “intrusion [and that the] [m]eddling in such a manner in the life and affairs of other countries is a breach of international law [and] as such an affront to the principles that must guide the relations among them, especially among friendly nations. A country’s sovereignty can never affirm itself to the detriment of another country’s sovereignty” cited in Russell Buchan, “Cyber espionage and international law” in Nicholas Tsagourias and Russell Buchan, eds, Research Handbook on International law and cyberspace (Edward Elgard Publishing, 2015) [Buchan].

The author stresses that “The Brazilian President’s statement before the General Assembly is informative in so far as it reveals that Brazil considers sovereignty to extend to information resident in cyberspace and, moreover, where such information is accessed and copied a reach of international law occurs” (Ibid, p. 184).

China also affirmed that the NSA’s conduct “deserve[d] to be rejected and condemned by the whole world” quoted in The Guardian, “China’s demands halt to ‘Unscrupulous’ US cyber-spying” (May 27, 2014), online: <www.theguardian.com>.

[5] See among others Reuters, « Edward Snowden : We need an international treaty on privacy rights - Fugitive former US spy contractor spoke via video conference from Russia » (September 25, 2015), online: South China Morning Post <www.scmp.com>.

[6] The relation between espionage and customary law was already pointed out before the Snowden affair: “because espionage is such a fixture of international affairs, it is fair to say that the practice of states recognizes espionage as a legitimate function of the state, and therefore it is legal as a matter of customary international law”, cited in Jeffrey H. Smith, “State intelligence gathering and international law: Keynote address” (2007) 28 Michigan L Int’l L 543, 544.

[7] With some others arguing that espionage has benefits, see Christopher D. Baker, “Tolerance of International Espionage: A Functional Approach” (2003)19:5 American University International Law Review 1091.

[8] The argument that a practice can be beyond the rule of law was explored by Paul W. Khan regarding torture in Sacred Violence: Torture, Terror and Sovereignty (Ann Arbor: University of Michigan Press, 2008).

[9] Pip Ayers, “’In my day, MI6 – which I called the Circus in the books – stank of wartime nostalgia': John le Carré reflects” (July 15, 2011), online: Daily Mail <www.dailymail.co.uk>.

[10] Michael Burn, The debatable land: a study of the motives of spies in two ages (Hamish Hamilton,1970), p. 2.

[11] Geoffroy B. Desmarest, « Espionage in International Law » (1996) 24: 2,3 Denver J Int’l & Pol’y 321 at 326 [Desmarest].

[12] John A. Radsan, « The unresolved equation of espionage and international law” (2007) 28:75 Michigan J of Int’Law 595 at. 599 [Radsan].

[13] Desmarest, supra note 11 at 345.

[14] Radsan, supra note 12 at 599.

[15] Ibid at 599.

[16] Frank Moorhouse, Australia under Surveillance (North Sydney: Vintage Books – A division of Random House, 2014), 272.

[17] Ibid – this is referred to as internal dissent in the author’s work but the expression carries an unnecessary pejorative implication which would require further explications.

[18] Radsan, supra note 12 at 607.

[19] A.C. Wasemiler, “The Anatomy of Counterintelligence”, approved for release in 1994 under the CIA Historical Review Program, online: CIA <www.cia.gov>.

[20] Ibid.

[21] Rob Taylor, Australian spy HQ plans stolen by Chinese hackers: report” (May 27, 2013), online: Reuters <www.reutors.com>.

[22] Ibid.

[23] Radsan, supra note 12 at 623.

[24] Abdulaziz A. Al-Asmari, “Origins of an Arab and Islamic Intelligence Culture” 89 at 91 in Philip H. J. Davies & Kristian C. Gustafson, Intelligence Elsewhere (Washington: Georgetown University Press, 2013).

[25] Ibid.

[26] Edward Snowden was often called a traitor by US officials, see Todd Beamon, “Pete Hoekstra: Snowden still a traitor despite court ruling” (May 8 2015), online: Newsmax TV <www.newsmax.com> (Pete Hoekstra is an American politician); Thomas Kaplan, “Fact checks of the 2016 Election”, online: The New York Times <www.nytimes.com> (Cruz says Snowden is a traitor). Peter Taylor from BBC news asked Snowden whether he was a traitor and his answer is instructive: "The question is, 'If I [were] a traitor, who did I betray?' I gave all of my information to American journalists and free society generally." (Cited in Michael B. Kelley, “Snowden answered the question ‘Aren’t you a traitor’ – and it was puzzling” (October 9 2015), online: <www.businessinsider.com>.

[27] In Canada, for instance, s. 46(1) b) of the Criminal Code states that: “(b) without lawful authority, communicates or makes available to an agent of a state other than Canada, military or scientific information or any sketch, plan, model, article, note or document of a military or scientific character that he knows or ought to know may be used by that state for a purpose prejudicial to the safety or defence of Canada”; [Our emphasis]. A notorious example of cyber-espionage relating to national security is the alleged theft of terabytes worth of data regarding the F-35 fighter plane developed by Lockheed Martin for the US Government (see The Guardian, “The Snowden Files – Inside the surveillance state” (December 2, 2013), online: The Guardian <www.theguardian.com>.

[28] Another example is the inclusion of climate change as a national security concerns, see for instance Issie Lapowski, “How climate change became a national security problem” (October 20, 2015), online: Wired <www.wired.com>.

[29] See Carlton F W Larson, “The Forgotten Constitutional Law of Treason and the Enemy Combatant Problem” (2006) 154:4 University of Pennsylvania L Rev 863 at 869. (“The phrases ‘levying war’ and ‘adhering to their enemies, giving them aid and comfort’ in the Treason Clause comes directly from the treason statute of 25 Edward III, enacted in 1351”).

[30]“For his efforts, about 64 percent of Americans familiar with Snowden hold a negative opinion of him, according to KRC Research poll results shared with U.S. News. Thirty-six percent hold a positive opinion, with just 8 percent holding a very positive opinion.” Cited in Steven Nelson, “Edward Snowden unpopular at home, a hero abroad, poll finds” (April 21, 2015), online: US News <www.usnews.com>.

[31] R.S.C. 1985, c. N-5.

[32] R.S.C. 1985, c. 0-5.

[33] Ibid, art 19(1).

[34] Julie Tate, “Bradley Manning sentenced to 35 years in WikiLeaks case” (August 21, 2013), online: The Washington Post <www.washingtonpost.com> [Tate].

[35] Andy Greenberg, This Machine Kills Secrets: How Wikileakers, Cypherpunks and Hacktivists Aim to Free the World’s Information (London: Dutton, 2012) at 14, 167.

[36] Tate, supra note 34.

[37] Ibid.

[38] Ibid citing Steven Bucci, director of the Douglas and Sarah Allison Center for Foreign Policy Studies at the Heritage Foundation.

[39] Kat Hannaford, “How a Burnt Lady Gaga CD Helped Leak Thousands of Intelligence Files” (11/29/10), online: Gizmodo <www.gizmodo.com>.

[40]For the purpose of this written sample both expressions will be used interchangeably, but surveillance is sometimes preferred by the mainstream media when referring the actions of a State spying on its own citizens. This distinction is not endorsed in this written sample.

[41] David Cenciotti, “Russia has just deployed its most advanced spyplane to Syria” (Feb. 15, 2016), online: www.theaviationist.com “The Tu-214R is a Russian ISR (Intelligence Surveillance Reconnaissance) aircraft (…)it is a special mission aircraft equipped with all-weather radar systems and electro optical sensors that produce photo-like imagery of a large parts of the ground: these images are then used to identify and map the position of the enemy forces, even if these are camouflaged or hidden”.

[42] Joint Chiefs of Staff, Joint Publication 1-02, DOD Dictionary of Military and Associated Terms (8 November 2010) (As amended through 15 June 2014) 64.

[43]See Tim Jordan, Cyberpower: the culture and politics of cyberspace and the Internet (London, New York: Routledge, 1999) [Jordan]- Cyberspace’s culture was influenced by the Cyberpunk genre. For instance, author William Gibson first coined the phrase ‘cyberspace’: “Gibson’s fictional conception of cyberspace was a place that collated all the information in the world and could be entered by disembodied consciousness. Disembodiment took place through a computer. Gibsonian cyberspace offers power to those who can manipulate information in cyberspace, either individual hackers relying on expertise or large institutions relying on corporate muscle” (22). It’s interesting to note that Gibson wrote in the 1980s, before any materialised as a reality.

[44] Buchan, supra note 4 at 171.

[45] David P. Fidley, “Thinker, Tailor, Soldier, Duqu: Why cyberespionage is more dangerous than you think” (2012) 5 Int’l J of Critical Infrastructure Protection 28. (Professor Fidler’s definition specifies that cyber-espionage is defined as the government use of the Internet to collect intelligence (…), but this specification seems to result from the context of his editorial, since cyber-espionage is also committed by businesses, mafia and terrorists groups, as well as individuals) [Fidler, Thinker, Tailor, Soldier, Duqu].

[46]Ibid.

[47] Ibid.

[48] Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown Publishers, 2014), online : WIRED <www.wired.com>.

[49] Ki Zetter, “Everything we know about Ukraine’s power plan hack” (January 20th, 2016), online: WIRED <www.wired.com>.

[50] Kate Munro, “Deconstructing Flame: the limitations of traditional defences” (2012) 10 Computer Fraud & Security 8 [Munro].

[51] Ibid.

[52] Ibid.

[53] Ibid.

[54] The Command and Control server (C2 server) is a centralized computer that can sends commands and receive reports from automated programs.

[55] Munro, supra, note 50.

[56]Hague Convention IV - Laws and Customs of War on Land: 18 October 1907, 36 Stat. 2277, 1 Bevans 631, 205 Consol. T.S. 277, 3 Martens Nouveau Recueil (ser. 3) 461, entered into force January 26, 1910.

[57] Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 1125 UNTS 3, entered into force December 7, 1978).

[58] See for instance : Convention on the Prohibition of the Use, Stockpiling, Production and Transfer of Anti-Personnel Mines and on their Destruction, 36 ILM 1507, entered into force March 1st, 1999; protocol on Prohibitions or Restrictions on the Use of Mines, Booby-Traps and Other Devices (Protocol II), 1342 UNTS 168, 19 ILM 1529, entered into force December 2, 1983; as amended May 3, 1996, 35 ILM 1206 annexed to the Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May be Deemed to be Excessively Injurious or to Have Indiscriminate Effects, 1342 UNTS 137, 19 ILM 1524, entered into force December 2, 1983.

[59] Buchan, supra note 4 at 171.

[60]Debarati Roy, “Flame Malware: All You Need to Know”, online May 30,2011, www.networkworld.com

[61] Information Warfare Monitor & Shadow Server Foundation, “Shadows in the cloud: Investigating cyber-espionage 2.0”, online: <http://shadows-in-the-cloud.net> [Shadows in the cloud], p. 1; see also Fidler, Thinker, Tailor, Soldier, Duqu, supra note 45 at 29: “[t]he global dissemination of cyber technologies, computer skills, and Internet access “democratizes” the ability to engage in high-tech espionage.”

[62] Shadows in the cloud, ibid.

[63] Craig Timberg, “Foreign regimes use spyware against journalists, even in the U.S.” (February 12, 2014, online: The Washington Post <www.washingtonpost.com>, the article refers to the work of the Citizen Lab.

[64] Fidler, Thinker, Tailor, Soldier, Duqu, supra note 45 at 29. This dynamic will be the subject of a much more detailed analysis in my doctoral work.

[65] James Lewis is a senior fellow and director of technology policy at the Center for Strategic and International Studies (CSIS), interview with Frontline, conducted Feb. 18, 2003, online: <www.pbs.org>.

[66] The right to privacy in the digital age, resolution adopted by the General Assembly on 18 December 2013 (GA/11475), on the report of the Third Committee (A/68/456/Add.2), 68th session. See also the Human Rights Council Resolution 20/8 adopted on July 5th, 2012 on the promotion, protection and enjoyment of human rights on the Internet (A/HRC/20/L.13, 20th session, third committee, adopted without a vote).

[67] Resolution 217 A (III), A/RES/3/217/A, 3rd session, 183rd plenatary meeting, December 10, 1948.

[68] 999 UNTS 14668 (New York, December 16, 1966)

[69] Report of the Office of the United Nations High Commissioner for Human Rights, The right to privacy in the digital age, A/HRC/27/37, presented to the Human Rights Council at its 27th session.

[70] Decision 25/117 adopted at the 25th session of the Human Rights council, A/HRC/25/L.12, adopted without a vote at the 54th meeting on March 27th, 2014 : “Decides to convene, at its twenty-seventh session, a panel discussion on the promotion and protection of the right to privacy in the digital age in the context of domestic and extraterritorial surveillance and/or the interception of digital communications and the collection of personal data, including on a mass scale, also with a view to identifying challenges and best practices, taking into account the report of the United Nations High Commissioner for Human Rights requested by the General Assembly in its resolution 68/167”.

[71]Resolution 28/16, A/HRC/28/L.27, 3rd committee, 28th session, 56th meeting, adopted without a vote on March 26th, 2015.

[72] European Union Agency for Fundamental Rights, Handbook on European Data Protection (Luxembourg: Publications of the Office of the European Unions, 2014), p. 15 [Handbook on European Data Protection] referring to the Convention for the Protection of Human Rights and fundamental freedom, Rome, 4.XI.1950 (entry into force 1953).

[73] Ibid, referring to the following decisions : ECtHR, Malone v. the United Kingdom, No. 8691/79, 2 August 1984; ECtHR, Copland v. the United Kingdom, No. 62617/00, 3 April 2007; ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978; ECtHR, Uzun v. Germany, No. 35623/05, 2 September 2010; ECtHR, Leander v. Sweden, No. 9248/81, 26 March 1987; ECtHR, S. and Marper v. the United Kingdom, Nos. 30562/04 and 30566/04, 4 December 2008.

[74] CoE, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe, CETS No. 108, 1981.

[75] Ibid.

[76] Data Protection Directive, OJ 1995 L 281.

[77] Handbook on European Data Protection, supra note 72 at 17.

[78] European Commission, “Commission decisions on the adequacy of the protection of personal data in third countries”, online: <ec.europa.eu>.

[79] Ibid.

[80] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.

[81] (February 19, 2013), online: <www.mandiant.com>.

[82] Ibid, see summary at page 3.

[83] Ibid, see summary at page 5.

[84] Cited in Matthew J. Schwartz, “China Denis U.S. Hacking Accusations: 6 Facts” (February 21, 2013), online: Dark Reading <www.darkreading.com>.

[85] Jeffrey Carr, CEO of Taia Global, cited in Matthew J. Schwartz, “China Denis U.S. Hacking Accusations: 6 Facts” (February 21, 2013), online: Dark Reading <www.darkreading.com>.

(ACA refers to Analysis of Competing hypotheses vetting process)

[86] Emma J. Lovett, from the Royal Australian Air Force, who specializes in cyber security and cyberwar, has affirmed in different conferences and speeches that the attribution problem is overstated and that the Australian government has many ways to confirm attribution in practice.

[87] For a discussion on attribution in cyberspace, see Constantine Antonopoulos, “State responsibility in cyberspace” in Nicholas Tsagourias & Russell Buchan, eds, Research Handbook on International Law and Cyberspace (Edward Elgar Publishing: 2015), p. 57 ss.

[88] See for instance Jordan, supra note 43.

[89] Fidler, Thinker, Tailor, Soldier, Duqu, supra note 45 at 29. This dynamic will be the subject of a much more detailed analysis in my doctoral work.

[90] A position that is still in vigor regarding cyber-espionage. See Michael N. Schmitt, ed, Tallinn Manual on the International law applicable to cyber warfare (Cambridge University Press: 2013) at 158 rule 66(a) : “cyber-espionage and other forms of information gathering directed at an adversary during an armed conflict do not violate the law of armed conflict” [Tallinn Manual].

[91] Declaration of Brussels concerning the laws and customs of wars, art. 14 cited in Leon Friedman, The law of war: a documentary history (1972) at 197 [Friedman].

[92] Ibid at 197-198.

[93] Desmarest, supra note 11 at 332.

[94] Ibid.

[95] Friedman, supra note 91 at 198.

[96] Instructions for the Government of the Armies of the United States in the Field, prepared by Francis Lieber, promulgated as General Orders No. 100 by President Lincoln, 24 April 1863, Adjutant Genrals’ Office 1863, Washington 1898, Government Printing office [Lieber Code], cited in Ibid at 158.

[97] Lieber Code, art. 101 cited in ibid p. 173

[98] Desmarest, supra note 11 at 334.

[99] See article 30. The Hague Rules of Air Warfare also mentions espionage at article 27.

[100] Convention on the Protection of Civilian Persons in time of war, 75 UNTS 287 (entered into force October 21, 1950), art. 75

[101] Demarest, supra note 11 at 337.

[102] Ibid at 330.

[103] Ibid at 338.

[104] 1948 UNTS 296.

[105] Dale Stephens, online lecture, “cyberwar, surveillance & security’’, Adelaide University, Cyber 101x, online : EDX <www.edx.org> [Stephens].

[106] 1994 UNTS 397 (signed in Montego Bay, on December 10, 1982), see speficially article 19(2)c) which explains that “any act aimed at collecting information to the prejudice of the defence or security of the coastal state” is not an innocent passage.

[107] Stephens, supra note 105.

[108] Article 301, for instance, is titled “Peaceful uses of the seas In exercising their rights and performing their duties under this Convention” and impose that “States Parties shall refrain from any threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the principles of international law embodied in the Charter of the United Nations.” The notion of peaceful purposes is repeated throughout the Convention and in the preambule.

[109] Stephens, supra note 105.

[110] Russel Buchan, The International Legal Regulation of State-Sponsored Cyber Espionage , presented as a lecture to the Tallinn Cyber Defence Centre, to be published in May or April [Buchan, Legal Regulation of State-Sponsored Cyber Espionage].

[111] Tallinn Manual, supra note 90 at 16 : the International Group of Experts behind the Tallinn Manual agreed that an intrusion into the territory of another state which causes physical damage results in a violation of territorial sovereignty but notes that there was ‘no consensus’ between the experts as to whether intrusion into territory that does not produce physical damage also represents a violation. See also Wolff Heintschel von Heinegg, “Territorial Sovereignty and Neutrality in Cyberspace,” International Law Studies 89 (2013): 129 : “‘[D]amage is irrelevant and the mere fact that a State has intruded into the cyber infrastructure of another State should be considered an exercise of jurisdiction on foreign territory, which always constitutes a violation of the principle of territorial sovereignty”. For the opposing view that physical damage is required see Katharina Ziolkowski, “Peacetime Cyber Espionage – New Tendencies in Public International Law,” in Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy, ed. Katharina Ziolkowski (CCDCOE, 2013) 458.

[112]UN General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, June 24, 2013, UN Doc A/68/98 paras 19-20; ‘Long-standing international norms guiding state behaviour – in times of peace and conflict – also apply in cyber space’; The White House, “The US International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World” (May 2011), online: the White House <www.whitehouse.gov>. see also Schmitt, Tallinn Manual, Rule 1.

[113] “For a discussion of this state practice see Von Heinegg, ‘Territorial Sovereignty and Neutrality in Cyberspace’, 126 (‘State practice provides sufficient evidence that components of cyberspace are not immune from territorial sovereignty’). For further discussion see also Sean Kanuck, “Sovereign Discourse on Cyber Conflict under International Law,” (2010) 88 Texas International law Journal 1571”. Footnotes as written in Buchan, Legal Regulation of State-Sponsored Cyber Espionage, supra note 110.

[114] “Patrick W. Franzese, “Sovereignty in Cyberspace: Can it Exist?” Air Force Law Review 64 (2009): 33” Footnotes as written in Buchan, Legal Regulation of State-Sponsored Cyber Espionage, supra note 110.

[115] Rule 1 of the Tallinn Manual explains that ‘[a] State may exercise control over cyber infrastructure and activities within its sovereign territory’; Tallinn Manual, supra note 90; Footnotes as written in Buchan, Legal Regulation of State-Sponsored Cyber Espionage, supra note 110.

[116] See contra on the applicability of non-intervention principle by Christopher S. Yoo, “Cyber espionage or cyber war? International law, domestic law, and self-proactive measures” (2015) University of Pennsylvania Law School: Legal Scholarship Repository, p. 14, online: <http://scholarship.law.upen.edu>.

[117] Jeffrey H. Smith, “State Intelligence Gathering and International Law: Keynote Address,” (2007) 28 Michigan Journal of International Law 544. Similarly, see Glenn Sulmasy and John Yoo, “Counterintuitive: Intelligence Operations and International Law,” (2007) 28 Michigan Journal of International Law 628: “[s]tate practice throughout history … supports the legitimacy of spying. Nowhere in international law is peaceful espionage prohibited’”.

[118] ‘[F]or a new customary rule to be formed, not only must the acts concerned amount to a settled practice, but they must be accompanied by the opinio juris sive necessitatis’; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, para 263 [Nicaragua].

[119] International Law Commission (ILC), “Second Report on the Identification of Customary International Law,” A/CN.4/672 (2014) para 47.

[120] Buchan, Legal Regulation of State-Sponsored Cyber Espionage, supra note 110.

[121] SS Lotus Case (France v Turkey) [1927] PCIJ Report Series A No 10 [Lotus]. Although interestingly in the Kosovo Advisory Opinion Judge Simma referred to the Lotus principle as an ‘old, tired view of international law’; Accordance with International Law of the Unilateral Declaration of Independence in Respect of Kosovo, Advisory Opinion [2010] ICJ Rep 403, para 2 (Declaration of Judge Simma).

[122] Lotus, ibid, paras 18-19.

[123] Nacaragua, supra note 118, para 263.

[124] NSA was found to spy on 34 Head of States, among which Dilma Roussef and Angela Merkel, who both called for a multilateral civil rights framework and made many statements at the United Nations regarding the state of international law in regards to digital surveillance. For a discussion on their actions see Vincent Bevins, “Why Did Brazil’s President Change Her Tune on Spying?” (June 16, 2015), online: Foreign Policy <www.foreignpolicy.com>; United Nations, “Germany and Brazil circulate UN draft resolution on condemning surveillance” (November 2, 2013), online: Deutsche Welle <www.dw.com>. Following the Snowden revelations, Germany’s BND massively expanded its surveillance capabilities with a 300 million euro program called Strategic Initiative Technology (SIT), see Andre Meistev, "Strategic Initiative Technology: We Unveil the BND Plans to Upgrade its Surveillance Technology for 300 Million Euros” (translated by Kristen Fielder & Nikolai Schnarrenberg from EDRI.org) (September 23, 2015), online: Netzpolitik <www.netzpolitik.org>. As for Brazil, the country constantly ranked about Google’s Transparency report as one of the country which most often has for content removal. The country was also the site of violence against bloggers, criminal defamation law, restrictions on anonymity and restrictive limits on content related to election in the cyberspace – all of these notwithstanding the Marco Civil Law (Constitution for the Internet) voted in 2014.. See Freedom House, “Freedom on the net; Brazil 2014-2015”, online: Freedom House <freedomhouse.org>.

[125] Buchan, Legal Regulation of State-Sponsored Cyber Espionage, supra note 110.

[126] Shadows in the cloud, supra note 61, 10-11.

[127] Fidler, Thinker, Tailor, Soldier, Duqu, supra note 45.

#cyberespionage #internationallaw #doctoralwork