We Only Spy on Foreigners : The Myth of a Universal Right to Privacy and the Practice of Foreign Mass Surveillance

The digital age brought with it a new epoch in global political life, one neatly coined by Professor Philip Howard as the “pax technica.” In this new world order, government and industry are “tightly bound” in technological and security arrangements that serve to push forward an information and cyber revolution of unparalleled magnitude. While the rise of information technologies tells a miraculous story of triumph over the physical constraints that once shackled mankind, these very technologies are also the cause of grave concern. Intelligence agencies have been recently involved in the exercise of global indiscriminate surveillance, which purports to go beyond their limited territorial jurisdiction and sweep in “the telephone, internet, and location records of whole populations.” Today’s political leaders and corporate elites are increasingly engaged in these kinds of programs of bulk interception, collection, mining, analysis, dissemination, and exploitation of foreign communications data that are easily susceptible to gross abuse and impropriety. When called out about any of these programs, policy makers often respond to their constituencies with a shrug and a smile: we only apply these programs to foreigners, you have nothing to worry about

Politics, Power Dynamics, and the Limits of Existing Self-Regulation and Oversight in ICC Preliminary Examinations

Professor Lubin\u27s contribution to volume 2 is titled, Politics, Power Dynamics, and the Limits of Existing Self-Regulation and Oversight in ICC Preliminary Examinations, pp. 77-150. Should the normative framework that governs the International Criminal Court’s (‘ICC’) oversight concerning preliminary examinations undergo a reform? The following chapter answers this question in the affirmative, making the claim that both self-regulation by the Office of the Prosecutor (‘OTP’) and quality control by the Pre-Trial Chamber (‘PTC’) currently suffer from significant deficiencies, thus failing to reach the optimum point on the scale between absolute prosecutorial discretion and absolute control. The chapter demonstrates some of these inadequacies using the example of the preliminary examination concerning the situation in Palestine. The chapter first maps out the legal structures and mechanisms that regulate the preliminary examination stage. The chapter then explores a number of key areas in which the OTP has considerable independence, and concerning which sufficient quality control is critical to ensuring the legitimacy of the preliminary examination process, and of the Court itself. This review includes an analysis of the Court’s potential for politicization, the problems faced by the OTP when attempting to articulate generalized prioritization policies and exit strategies, the regulation of evidentiary standards at the preliminary examination stage, and the role of transparency in the preliminary examination process. The chapter concludes with four suggestions for potential reform of the existing control mechanisms over prosecutorial discretion in preliminary examinations: (1) re-phasing of the preliminary examination phase and the introduction of a Ganttbased review process and a sliding scale of transparency requirements; (2) redefinition of the relationship between the OTP and PTC at the preliminary examination stage; (3) redrafting the existing OTP policy papers on Preliminary Examinations and Interests of Justice, as well as adopting a new policy paper on Evidence, Evidentiary Standards, and Source Analysis; and (4) introducing a ‘Committee of Prosecutors’ as a new external control mechanismhttps://www.repository.law.indiana.edu/facbooks/1219/thumbnail.jp

A Principled Defence of the International Human Right to Privacy: A Response to Frédéric Sourgens

Part I offers a brief summary of Sourgens’ key arguments and his legal rationales for them. Part II pushes against the existence of a general privacy principle. This Part challenges both the methodology employed by Sourgens to identify this principle, as well as the practicality of the overall endeavor. Part III makes the case for an extraterritorial right to privacy under both treaty and customary international law. This Part further analyzes recent successes of IHRL in fighting against unwarranted surveillance, and concludes by providing counter-arguments to the concerns raised by Sourgens regarding the effectiveness of the human rights discourse in this sphere. I conclude my response in Part IV by acknowledging the real need, noted by Sourgens, for a paradigm shift in the discourse on privacy. Despite the recent accomplishments, it is nonetheless true, and worth highlighting as Sourgens persuasively does, that IHRL activists have not been able to establish sufficient privacy protections against foreign mass surveillance. This Part makes the claim that the only solution for the many deficiencies of the human right to privacy is to reform human rights thinking and advocacy. Instead of introducing a new non-enforceable general principle with identical content to that of the human right it seeks to supplant, let us reconceptualize the legal content of the human right itself. The final concluding Part thus gestures towards a paradigmatic shift within IHRL by suggesting a controversial, yet far more realistic way of applying tailored privacy protections to foreign surveillance, taking into consideration the justified needs of States

The Reasonable Intelligence Agency

Article 57(2) of the First Additional Protocol to the Geneva Conventions requires parties to an armed conflict to “do everything feasible to verify” their objects of attack and take “all precautions” to minimize civilian casualties and unintentional damage to civilian property. This obligation has been interpreted in international law to require state parties to set up an “effective intelligence gathering system” that would properly identify targets using all technical means at the disposal of the combating forces.But existing law has failed to define what “effective intelligence” looks like. Quite the opposite. Modern history is filled with examples of intelligence errors that resulted in calamitous civilian casualties. In this paper I look at three such case studies, spanning various historical periods, geographical zones, and belligerent parties. Examining these cases, this Article makes the claim that faults in wartime intelligence production are not inevitable as is often presumed and that it is for a lack of specific regulation within the treatises of International Humanitarian Law (IHL) that they occur at the rate that they do.The paper makes two important contributions: First, it highlights a temporal and spatial disconnect between the intelligence and military functions, which is not sufficiently accounted for in our contemporary laws of war. Tribunals and military manuals guide us to rely on the reasonable commander test in determining the lawfulness of a particular strike. Yet, in the process we overlook the fact that any reasonable commander will turn to her reasonable intelligence agency —the contours of this standard are conspicuously under-defined. Second, the paper demonstrates the existence of an accountability gap in IHL for faulty intelligence used in targeting decisions. The paper takes a first step at proposing a new duty of care, under which states will be held civilly liable for unreasonable intelligence errors that are found to be the cause for the otherwise avoidable civilian harm

The Dragon-Kings’ Restraint: Proposing a Compromise for the EEZ Surveillance Conundrum

The United States and China are at it again, as naval and aerial interceptions in and around the South China Sea become a matter of disturbing routine. At the heart of the dispute stands the lingering question of whether customary international law as reflected in the United Nations Convention on the Law of the Sea (“UNCLOS”) authorizes third States to engage in surveillance and military maneuvers in coastal States’ Exclusive Economic Zones (“EEZ”) without their consent. The answer lies in interpreting Article 58(1) of UNCLOS. This paper aims to respond to the calls put forward by States, scholars, and research institutes to promote a legal compromise between permissive and prohibitive interpretive approaches to UNCLOS Article 58(1). The traditional interpretation of the Article, and the EEZ Surveillance conundrum more broadly, has thus far been reviewed by scholars solely through the lenses of the age-old debate between Hugo Grotius and John Selden over Mare Liberum and Mare Clausum. In other words, existing scholarship treats the dispute as a binary zero-sum game. The model proposed in the Article recognizes the freedom of navigation premise as an analytical starting point, but nonetheless introduces, for reasons of maintaining minimum order, a set of restraints (“necessity,” “last resort,” and “proportionality”) to be internalized by third States in deciding whether to launch intelligence operations in another coastal State’s EEZ. To develop these standards, the paper examines the limits of a State’s right to spy under international law and the effects that advancements of surveillance technology have had over our evolutionary interpretation of UNCLOS. The paper’s nuanced approach thus treats the EEZ surveillance problem as a microcosm through which to examine meta-issues concerning the function intelligence plays in our public world order

Insuring Evolving Technologies

The study of the interaction between law and technology is more critical today than ever before. Advancements in artificial intelligence, information communications, biological and chemical engineering, and space-faring technologies, to name but a few examples, are forcing us to reexamine our traditional understanding of basic concepts in torts and insurance law. Yet, few insurance professionals and scholars will identify themselves as working in the field of “law-and-technology.” For many of them, technology is “just a fact about the world like any other,” as Ryan Calo once put it, not one that always merits “special care.” This short paper is an attempt to build a first-of-its-kind bridge between these two scholarly silos. Directed at an insurance audience, the paper attempts to draw attention to a body of law-and-technology scholarship that has so far gone mostly unnoticed by insurance professionals. The paper is built on the premise that insurance lawyers, whose business model depends on the mitigation of losses from technological harm, are not dramatically dissimilar from their law-and-technology counterparts. Both are fascinated by the same set of questions: if, when, and how, might private and public regulation mitigate losses resulting from technological risk. The paper draws key concepts from the law-and-technology literature to explore the effectiveness and utility of regulation in mitigating risks from emerging, evolving, and disruptive technologies. The paper further identifies the different phases in technology’s life cycle and discusses the challenges that each of these phases introduces on the insurance market. Relying on cyber insurance as its primary case study, the paper concludes by applying these insights to an assessment of a recent state-wide regulation, the New York Cyber Insurance Risk Framework, the first of its kind in the country. The paper demonstrates the promise and pitfalls of this type of regulation, taking into account broader trends in the cyber insurance market

Cyber Plungers: Colonial Pipeline and the Case for an Omnibus Cybersecurity Legislation

The May 2021 ransomware attack on Colonial Pipeline was a wake-up call for a federal administration slow to realize the dangers that cybersecurity threats pose to our critical national infrastructure. The attack forced hundreds of thousands of Americans along the east coast to stand in endless lines for gas, spiking both prices and public fears. These stressors on our economy and supply chains triggered emergency proclamations in four states, including Georgia. That a single cyberattack could lead to a national emergency of this magnitude was seen by many as proof of even more crippling threats to come. Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, went on to describe the incident as a “galvanizing event for the country.” This Article challenges this characterization, suggesting instead that little has changed in terms of regulation, enforcement, or liability and that, as a result, another cyber incident targeting our critical infrastructure is, quite frankly, a matter of when and not if. The Article explores a set of kneejerk legal processes—litigatory, regulatory, and legislative—which were set in motion in the wake of the Colonial Pipeline incident. For each these processes the Article highlights points of failure in generating positive long-term effects aimed at increasing broader cybersecurity. Relying on insights from Daniel Solove and Woody Hartzog’s recent book Breached!, this Article treats the Colonial Pipeline incident as a microcosm through which to understand our broader regulatory deficits in critical infrastructure cybersecurity. Against this backdrop, the Article offers the first scholarly examination of a new and innovative blueprint developed by the Biden Administration to promote holistic regulations as part of a National Cybersecurity Strategy. The Article highlights both the promises and pitfalls of this Strategy on future regulation of critical infrastructures

Espionage as a Sovereign Right under International Law and its Limits

The literature surrounding the international legality of peacetime espionage has so far centered around one single question: whether there exist within treaty or customary international law prohibitive rules against the collection of foreign intelligence in times of peace. Lacking such rules, argue the permissivists, espionage functions within a lotus vacuum, one in which States may spy on each other and on each other\u27s nationals with no restrictions, justifying their behavior through the argumentum ad hominem of tu quoque. . .

The Law and Politics of Ransomware

What do Lady Gaga, the Royal Zoological Society of Scotland, the city of Valdez in Alaska, and the court system of the Brazilian state of Rio Grande do Sul all have in common? They have all been victims of ransomware attacks, which are growing both in number and severity. In 2016, hackers perpetrated roughly four thousand ransomware attacks a day worldwide, a figure which was already alarming. By 2020, however, ransomware attacks reached a staggering number, between 20,000 and 30,000 per day in the United States alone. That is a ransomware attack every eleven seconds, each of which cost victims on average nineteen days of network downtime and a payout of over $230,000. In 2021 global costs associated with ransomware recovery exceeded$20 billion.This Article offers an account of the regulatory challenges associated with ransomware prevention. Situated within the broader literature on underenforcement, the Article explores the core causes for the limited criminalization, prosecution, and international cooperation that have exacerbated this wicked cybersecurity problem. In particular, the Article examines the forensic, managerial, jurisdictional, informational, and resource allocation challenges that have plagued the fight against digital extortions in the global commons.To address these challenges, the Article makes the case for the international criminalization of ransomware. Relying on existing international regimes––namely, the 1979 Hostage Taking Convention, the 2000 Convention Against Transnational Crime, and the customary prohibition against the harboring of terrorists––the Article makes the claim that most ransomware attacks are already criminalized under existing international law. In fact, the Article draws on historical analysis to portray the criminalization of ransomware as a “fourth generation” in the outlawry of Hostis Humani Generis (enemies of mankind).The Article demonstrates the various opportunities that could arise from treating ransomware gangs as international criminals subject to universal jurisdiction. The Article focuses on three immediate consequences that could arise from such international criminalization: (1) Expanding policies for naming and shaming harboring states, (2) Authorizing extraterritorial cyber enforcement and prosecution, and (3) Advancing strategies for strengthening cybersecurity at home