Join us for the Texas Law Review Association Banquet on Saturday, April 7, 2018 Learn More

Squinting Through the Pinhole A Dim View of Human Rights from Tallinn 2.0

Essay - Volume 95 - Issue 7

Like the paradoxical task of establishing “law” to govern “war,” the Tallinn Manual project of describing international law applicable to cyberattack is an exercise in mediating contending impulses. The law must on the one hand provide sufficient specificity and constraint to achieve its purpose—whether that is humanitarian protection or avoidance of easy resort to disproportionate, excessive, or destructive response. Such limits not only enable greater predictability in foreign relations but further the security and normative aims of humane, peaceful, rights-respecting societies. On the other hand, states and their legal advisors often appreciate and seek international rules articulated at a sufficient level of generality and elasticity to preserve room for maneuver and advantage. Beneath the lofty vantage point of legal consensus on a rule may lie anything from slight deviations on the interpretive path to a veritable battlefield. Restatements of the law are more valuable to the extent they get the points of consensus right and shine a strong light on everything else. While the initial Tallinn Manual volume on the laws of armed conflict was reasonably successful on this measure, the 2.0 version is less so, and nowhere is this more evident than in its chapter on international human rights law (IHRL).

This essay will evaluate the chapter in view of the Tallinn Manual 2.0’s stated objective: furnishing “[s]tate legal advisors charged with providing international law advice to governmental decision makers” with “an objective restatement of the lex lata.”[1] As a practitioner, I deeply appreciate the pragmatic approach. Unfortunately, the effort fails its own objective, both by approaching international human rights law through the blurry lens of customary international law and in its uneven and debatable account of what actually comprises that body of law. While the editors and authors plainly intend that their audience be mindful of human rights, the fluid and rapidly developing law in this area presents challenges, and so do widening divisions of opinion that are evident between governments, international experts, and civil society on what human rights law requires in the new digital age. This essay will discuss both the Tallinn Manual approach and the treatment of specific issues in IHRL. Human rights law applies in both peace and wartime, and to every action of government affecting individuals, so its omission from the Manual would be irresponsible. But to get the law right, the conscientious legal advisor should look elsewhere, and I will make suggestions throughout to that end.

I. The View from Military and National Security Experts on IHRL

A group of legal practitioners, academics, and technical experts were chosen by the editors to constitute International Groups of Experts who by discussion and consensus formulated and drafted rules. In the first round dealing with jus ad bellum and jus in bello, these persons were mainly experts in international humanitarian law (IHL), as one would expect. But in round 2.0, dealing with public international law in times of peace, the experts were also mainly ex-government or academic lawyers with expertise in military or national security law (with Steven Hill from the North Atlantic Treaty Organization (NATO) as a nonvoting organizational observer), and this perspective informs the text, edited by Michael Schmitt of the United States Naval War College and Liis Vihul then of the NATO Cooperative Cyber Defence Centre of Excellence.[2] Many, though certainly not all, of the well-known experts, contributors, and peer reviewers had also served as advisors to government,[3] and the government of the Netherlands sponsored several rounds of reaction and input to the drafters by governments.[4]

Military and national security lawyers may care deeply about human rights but generally do not develop deep familiarity with IHRL and its constitutive processes—that is more typical of human rights advocates, litigators, academics, and state specialists.[5] Within governments, there is a fair amount of institutional separation: human rights are generally cabined in departments of foreign affairs, and national security matters are dealt with in departments of defense or interior. At the U.N., the substantial human rights apparatus—the Human Rights Council, the Expert Mechanism, the Third Committee—is entirely distinct from the U.N. Office on Drugs and Crime, the Internet Governance Forum, or the Group of Governmental Experts, and despite recent efforts to expose these latter groups to the work of human rights experts, there is still some way to go in integrating human rights expertise.[6] It took years for the United Nations to incorporate human rights expertise into its counterterrorism bodies, and the most recent report of the Special Rapporteur on Counter-terrorism and Human Rights charts the distance still to be traveled.[7]

Another obstacle to the clear application of IHRL to various government actions in the area of cyberattack is the trend towards blurring the distinction between the law of peacetime, where IHRL fully applies, and the law of armed conflict, where it coexists with IHL and where particular provisions may be subject to derogation or displacement by a more specific law. From its inception in the United States, “war on terror” rhetoric has functioned to obscure the legal regime that governs particular interventions,[8] complicating human rights evaluation. Offensive and defensive functions in cyber operations often merge at the institutional level, also complicating application of human rights law.[9] The issue of when transborder operations are covered by a state’s international human rights obligations is deeply contested.[10] In short, institutional obstacles to considering human rights law in the context of cyber operations are considerable for many reasons, including the tendency of military and national security perspectives to dominate the field.

Given this institutional separation, the paucity of human rights experts in the ranks of the Tallinn Manual 2.0 participants at the drafting stage perhaps is unsurprising. But it is regrettable, along with the absence of industry, nonmilitary technicians, or civil-society organizations, given the “multistakeholder” approach that has taken hold in cyber-security projects and that is increasingly evident in other cyberlaw and regulatory processes such as that leading to Brazil’s Marco Civil[11] or that of the Internet Governance Forum.[12] Indeed, nongovernmental experts, practitioners, and scholars have for decades provided much of the gas in the engine of human-rights-law mechanisms, be they treaty bodies, courts, review conferences, U.N. or regional procedures, or legislatures, and not only through the supply of relevant facts but through legal analysis and interpretation. One suspects that the framers of the Tallinn Manual 2.0 process, by limiting exposure of the draft to a broader community of human rights experts and stakeholders, were striving to provide a more statist view[13] of IHRL than normally is on view in scholarship or U.N. publications, but here the framers have missed the mark: IHRL, which operates to bind states to the benefit of ordinary people, is profoundly shaped not just by states, but by the nonstate champions of those beneficiaries. To minimize that perspective guarantees more than a little distortion in the picture of the law.

II. Narrowing the Aperture: Customary International Law of Human Rights

The likely response of the project’s coordinators to my observation on the minimal participation of civil society or specialists in IHRL is that a multistakeholder approach may be appropriate when considering the direction human rights law ought to go, but theirs is a project of assessing where it is now, the lex lata rather than the lex ferenda. While it is true that, like government lawyers, many nongovernmental experts engage in advocacy in the interests of their clients, practitioners in the field of IHRL generally are familiar with a wide range of state practices in many situations, and how they have been tested by a wide variety of adjudicative bodies. This might have been useful in assessing what is surely the most peculiar aspect of Tallinn 2.0, the idea that the lex lata of human rights can be discerned from a narrow focus on customary international law.

There are areas of international law with deep bedrock in centuries or many decades of readily discernable customary practice where restatement of customary international law is valuable to the practitioner. International humanitarian law is surely one, and general legal principles of jurisdiction and sovereignty are other areas where custom had a significant history. Resort to custom is critical where treaties are lacking, where treaties have big gaps, or where major players in the field fail to ratify key treaties but confirm that the instruments partially reflect duties they recognize in customary international law.[14]

IHRL is not one of these areas. It emerged from the mire of World War II and the major atrocities of the late-twentieth century, and it is planted thick with treaties. Many of these treaties are quite widely ratified and equipped with treaty bodies that evaluate state reports, generate interpretations of the law, and even determine complaints under optional protocols.[15] The International Covenant on Civil and Political Rights, for example, has 169 states parties and 6 signatories; the International Covenant on Economic, Social, and Cultural Rights has 165 states parties and 5 signatories.[16] These offspring of the Universal Declaration of Human Rights (a core statement correctly identified by Tallinn 2.0 as reflective of customary law) are often used to explicate the Declaration’s rules, making them essential to understanding the current state of the law.[17] Unless you are the legal advisor to the few nations outside this treaty regime, you are much more likely to start here as your reference point than to search for consensus on what states understand as customary obligations.

Most conscientious legal advisors will start their quest to understand IHRL with the treaties to which their states adhere, how they are interpreted by the relevant treaty bodies, and how they are incorporated and understood in their municipal law. To minimize contention at an international level, legal advisors may also wish to know how the norms are understood by the various U.N. expert mechanisms as well as by other states in the context of U.N. bodies. The regional law, commissions, and courts may also be relevant, as well as the municipal law of states parties most affected or involved by the policy decisions at hand. If this sounds like a big endeavor, it is; there has been an explosion of international human rights law, including accountability measures, in the decades since World War II.[18]

Despite the thickness of written law in this area,[19] exploring it can make lawyers from other disciplines uncomfortable. International human rights law feels different, more ideological than many other areas of law—ratifications are plentiful, including from states that show little intention of adhering to the norms they endorse. Treaties and predecessor declarations (not to mention post-treaty diplomatic conference statements, optional protocols, subsequent resolutions, or declarations pertinent to interpretation) tend to be written in a vague, moralistic, hortatory style to achieve the most universal adoption. Reservations of dubious validity are often criticized but seldom result in exclusion from the treaty regime for the same reason.[20] Human rights law does not fit easily into either a transactional or realist view of the world, as member states are guaranteeing rights to those within their own territory and jurisdiction rather than to their treaty partners, making reciprocity a less reliable guide to compliance. Government lawyers often read it narrowly, even with respect to the behavior of foreign states, from concern IHRL might one day hobble their client’s discretion beyond the constraints of its own constitutional law. It’s hard to measure or achieve compliance under IHRL due to its broad scope and the vast number of governmental and nongovernmental actors engaged—far beyond the military and law enforcement realms. And to top it off, the law is in rapid motion, changing almost constantly through complex processes of advocacy, adjudication, negotiation, and elaboration, at the national, regional, and international levels.

But factors that make international human rights law a perpetually moving target in treaty form also complicate zeroing in on its customary-law core. The relatively short history of IHRL, coupled with the rapidity of its development, makes it difficult to reference longstanding state practice from a sense of legal obligation, especially in the very new context of transnational cyber operations. While some perceive “instant customary international law” forming from treaty adoption where no contrary norm existed before,[21] others resist the notion there is such law.[22] It is difficult to find consistent state practice and opinio juris in an area where state pronouncements and endorsements are thick, while implementation is often thin to lacking. The issue of what counts as state practice or opinio juris is deeply contested in IHRL, with some scholars urging greater attention to state declarations than deeds.[23] And when we examine how this body of law relates to matters of national security or espionage, even public pronouncements are thin and various, as the editors correctly note.[24]

Nevertheless, some scholars believe the quest to locate the customary international law of human rights is valuable, either as a way to surface obscured but real practices or to press the claim of its universality against those who attack it on grounds of cultural relativism.[25] This does not seem to be the motivation of the Tallinn 2.0 Experts, who agreed with one of the sweeping statements of cultural relativism served up by the much-criticized Association of Southeast Asian Nations (ASEAN) Human Rights Declaration,[26] to the effect that “the realisation of human rights must be considered in the regional and national context bearing in mind different political, economic, legal, social, cultural, historical and religious backgrounds.”[27]

What are we to make of the inclusion of this chestnut of “Asian values” discourse?[28] Unfamiliarity or disagreement with the universalist nature of human rights law? There is certainly a theme running through the discussions that IHRL is a mainly contractual affair—no natural law discourse here. Perhaps it is a misguided attempt to make the Manual more appealing as a desk book to ASEAN governments? The first Tallinn Manual has been criticized as a project closely affiliated with NATO.[29] The danger with a manual that aspires to universal adoption is that it will be read as a prestigious invitation to radically bend the interpretation of permissible limitations on rights to fit whatever governments claim are their own unique national circumstances—an eviscerating approach to IHRL.

This is not just a quibble, as the chapter is inconsistent with how it treats regional law concepts, given its project of locating near-universal custom. Another regional doctrine recycled as a generalization is approving reference to the European law concept of a state “margin of appreciation” in applying rights law,[30] a concept that has been criticized by the U.N. human rights bodies.[31] While the Experts worry about the very European nature of proportionality analysis in evaluating limitations on the right to privacy, they are eager to adopt a European perspective on personally identifying information and speculate on how that may be an elevated category of data worthy of heightened privacy protection. On the other hand, they ultimately reject, but give lots of space to discussing, the doctrine of “reasonable expectation of [privacy],”[32] a concept rapidly approaching obsolescence even in the United States.[33]

Yet even where there is scholarly enthusiasm for discovering the customary international law of human rights, there is little consensus on what makes the grade, so texts and restatements tend to describe the ambit conservatively. Tallinn 2.0 is no exception to the conservative approach. The Experts caution “it is often unclear as to whether certain human rights reflected in treaty law have crystallised as rules of customary law,”[34] and they note that the congruence of multiple treaties and case law on a particular point “may support, but does not necessarily do so definitively, a conclusion that customary international law exists to that effect.”[35] In effect, the editors and their Experts have chosen the narrowest pinhole through which to view this subject.

III. A Little Consensus

Having chosen this limited aperture of customary law, the Experts predictably find it difficult to see much detail to agree on. It is hard to say whether this is the unfortunate result of their terms of reference or the end towards which the terms were designed. IHRL, in their view, is a hazy, “[s]pecialized” regime that does not answer many questions.[36] So it is all the more to be welcomed that some areas of agreement and real progress were noted.

Although the chapter begins with a qualified statement—“[i]t is widely accepted that many of the international human rights that individuals enjoy ‘offline’ are also protected ‘online’”[37]—Rule 35 correctly drops the hedging language I have italicized and states it in the declarative form that has been unanimously and repeatedly adopted at the U.N. Human Rights Council and the General Assembly,[38] to wit, “[i]ndividuals enjoy the same international human rights with respect to cyber-related activities that they otherwise enjoy.”[39] This is an important starting point for inclusion of human rights considerations in a wide variety of cyber-security problems, as well as examination of whether there is any justification for limiting rights online to a greater degree than offline, a practice noted and criticized by the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression,[40] though largely unaddressed by the Manual.

It was also heartening to see that the Experts agreed that both IHRL and IHL apply to cyber-related activities in the context of an armed conflict, although the precise interplay was not explored and viewed as “unsettled,”[41] which is accurate, and perhaps an understatement. The Experts also agree that cybercriminals are entitled to due process[42] and that human rights law entails an obligation, not only for the state to respect rights, but to protect the individual from third party violations of rights.[43] All uncontroversial, apple pie and motherhood stuff.

More unusual was express recognition that the right to freedom of opinion is distinct from freedom of expression and is not subject to restriction.[44] It would have been better to note that the restriction includes both limitation and derogation, and that the same is true of freedom of belief,[45] which is distinct from freedom to manifest one’s religion.[46] Unfortunately, the illustration of an interference, online intimidation, or harassment of an individual, conducted on the basis of that person’s views,[47] is likely to cause confusion because without further definition and an objective standard, this may suggest merely criticism or vocal opposition—both activities that are covered by freedom of expression. I also wished that the authors had explored the interaction of these rights with limitable rights, as when restrictions on privacy, speech, or access to information are so severe as to interfere with our ability to form and hold opinions and beliefs, a concept that finds reflection in doctrines of right of personality.[48]

It was also striking to read “the Experts were aware of no opinio juris suggesting that states consider espionage per se to fall beyond the bounds of their international human-rights-law obligations concerning the right to privacy.”[49] I am not sure why they framed this observation only with respect to the right to privacy, as espionage affects many other rights as well, but I am glad they got that far.

This recognition that IHRL is applicable to espionage, however, does not lead to many conclusions, given the lack of consensus on extraterritorial obligation. The Experts generally agree that customary IHRL applies beyond a state’s borders where it exercises physical “power or effective control” over territory or persons, another welcome bit of progress given the historical U.S. reluctance to even acknowledge extraterritorial obligation under treaty law.[50] But the Experts do not agree on whether there is a customary rule that “power or effective control” can be exercised by virtual means across borders.[51] So we are thrown back on treaty law again, where all the Experts can agree on is that Article 2(1) of the ICCPR “governs the treaty’s extraterritorial applicability, or lack thereof.”[52] Here I picture my hypothetical legal advisor thinking, “Gee, thanks guys” (and yes, the Experts are overwhelmingly guys).

IV. A Lot of Contention

As the above illustrates, consensus often stops at the obvious and does not go very deep. But there is a lot of contention—some of it interesting and some of it disturbing—as it pertains to matters that have received a good deal of attention in the law. This section focuses on several issues where the Experts have difficulty agreeing on what most human rights law experts would consider good candidates for customary principles.

The right to privacy, predictably, gives the Experts a lot of trouble. Here one cannot escape the perception that the discussion often tracks justifications of U.S. mass-surveillance practices exposed by Edward Snowden. Though privacy law encompasses a wide range of topics relating to a person’s autonomy, identity, and association that are surely relevant to issues of hacking, doxxing, and similar intrusive activities, the Experts focused tightly on a few specific matters relating to communications privacy and personal data in what reads like a topic dominated by the consideration of mass-surveillance practices among the Five Eyes.[53]

It will surprise quite a few privacy law experts to hear that the Tallinn Experts could not agree that privacy is implicated by machine inspection of communications until the point of human review. They also had trouble agreeing on a privacy intrusion from “mere collection” of communications.[54] (Nonlawyers, and for that matter, small children, might have a hard time agreeing that if, uninvited, I stick my hand into your mailbox and stuff your letters into my purse, no intrusion on privacy has occurred.) No international law, or any practice, is cited to support the proposition of no rights interference in either situation, though there is quite a bit of support for collection or storing as a privacy intrusion, helpfully set out at footnote 420 in the Manual.[55]

If one were to look for state practice in support of the “no intrusion” view, perhaps the contention of the U.S. government on mass-surveillance collection, or some of the recently minted European surveillance laws under legal challenge, would provide support.[56] An alternate perspective might be whether any of these states would excuse or exonerate foreign espionage or theft of state secrets simply because the agents merely unleashed technology to sort and steal the data but can show no one got around to reading the trove. The conclusion that the matter is still too contested to be customary international law is probably defensible, though again, this does not really help the legal advisor with lex lata given the lawsuits and pronouncements already out under various international treaties.[57]

Given the lack of agreement on whether a state’s collection or algorithmic sorting implicates privacy, there’s no surprise that the Experts divided on the issue of metadata, which is often what the algorithm “reads” and uses for collection. Here the Manual again swims into uncharted water, trying (without any supporting citation) to stuff the issue of metadata into the somewhat separate legal area of data protection of personally identifiable information, or as they style it, “personal data.”[58] This much they agree on: the right to privacy is implicated if the metadata is unambiguously “personal data” (undefined). Other metadata they cannot agree on, giving the example of IMAP or POP3 protocol signifiers as unlikely to implicate privacy concerns.

The problem here is that the Experts are missing the main privacy concern with metadata. The issue is not whether a particular bit of metadata is revelatory of some private fact—the way personally identifying information is—but that the aggregation and analysis of metadata (even IMAP or POP3 protocols) can reveal more than even the substance of a communication about someone’s private life.[59] Each bit of metadata is part of a mosaic that can map a story, even if its use is only to eliminate other possibilities. The e-mail address of a politician may be widely known and not that sensitive. The politician’s correspondence may be very guarded or even encrypted. But a metadata trail showing regular midnight perambulations and cash withdrawals around a foreign embassy, or use of the opposition leader’s wife’s computer connection, might create quite a different impression. In any event, the Experts’ discussion here seems entirely untethered from law, as the only case cited supports the proposition that all metadata is protected.[60]

Another rather shocking pronouncement is that the Experts did not agree “on whether the obligation to provide remedies to victims of international human rights law violations is of a customary nature.”[61] This statement then cites U.N. General Assembly resolutions and U.N. guidelines in support of the obligation to provide a remedy, though for some reason not treaty paragraphs that support the obligation as well.[62] Such a conclusion, which is not only unsupported but plainly inconsistent with the development of IHRL over the last half-century,[63] forecloses many other interesting discussions, including whether states have a duty to remove obstacles to challenges to surveillance practices in courts, or a duty to disclose when evidence used at trial is procured through intelligence surveillance, or a duty to provide adequate information on surveillance practices to legislative or other bodies or the public so that it is possible to discern if violations have occurred and remedies are in order. In fact, the Manual explicitly rejects the idea that oversight bodies are somehow required to protect rights in this very opaque area where national security and public order interests demand a high degree of secrecy—an idea it frames simplistically as a prospective remedy for hypothetical abuse, eliding the very difficult issues that make review and redress through other means so difficult in this area.[64]

But perhaps the most disturbing lack of consensus was the omission of proportionality from the rule regarding justifiable limitations on rights, leaving only the criteria that such limitations must be lawful, necessary, and not discriminatory. Proportionality is a bedrock principle of IHRL, just as it is in IHL.[65] To make things worse, the Experts read proportionality as highly distinct from necessity,[66] misunderstanding they are closely related concepts.[67] When a restriction is necessary, it is not only useful or relevant to addressing a threat, but actually required to address a “pressing social need.”[68] In this way, proportionality analysis begins, and the question of whether there are less restrictive means to the same end quickly follows.[69] Proportionality adds another layer of nuance in that it requires consideration of the overall impact on rights in deciding whether even a necessary restriction can be justified at all—where a measure, even if the only means available to protect a specific public interest, so undermines the essence of rights that the harm outweighs the specific benefit it can achieve.[70] The only support for this gaping omission is citation to U.S. objections to proportionality language in the UNGA resolution on the right to privacy in the digital age, no doubt motivated by the issue of mass surveillance. But here a very obvious question arises: Given the persistent objector rule, so carefully followed by the U.S. government,[71] why would U.S. objection defeat recognition of the customary nature of such a widely recognized standard?[72]

Even worse, the argument that proportionality has not matured into a norm of customary international law is supported by pointing to patently unlawful state practice, in particular “the practice of various [s]tates of imposing limitations . . . that, while possibly advancing a legitimate state purpose, appear to be a greater infringement on human rights than justified by that need.”[73] It is difficult to understand why the editors include an obvious (and all too common) rights violation as a way of showing the lack of consistent practice, when such violations are regularly denounced by many states,[74] even while others frequently resort to them.[75]

By this standard, there is no customary international law of human rights. No one considers that laws against murder fail some rule of recognition or are not considered real and binding laws because people violate them with some frequency. There is much scholarly contention about the right way to judge both state practice and opinio juris in the area of IHRL[76] and whether actions such as statements and endorsements made at the U.N. and other international fora, or condemnation of other states’ practices, or incorporation of rights into constitutions and municipal law, or employment of human rights consideration in various policy processes, count. But this much is clear: measuring the existence of customary international law of human rights by the yardstick of state violations is an extremist approach.

The problem of what counts as state practice and opinio juris surfaces again in the discussion of extraterritoriality of obligation in the context of surveillance. While there was agreement that espionage is not per se exempt from IHRL, the Experts also decided “there is little evidence that when states conduct signals intelligence programmes directed at foreigners on foreign territory, they consider that their activities implicate the international human right to privacy.”[77] This is no doubt true; every country seems to spy on foreigners with gay abandon, according to their means. But no country looks complacently upon other countries spying on their population, from within or outside their borders. Such behavior often incurs condemnation and sometimes sanction.[78] So what is more reflective of state attitudes in this area—gay abandon or condemnation? If we think that states generally have an obligation to protect the human rights of their populations and that member states of the United Nations are obliged to cooperate with each other in promoting and encouraging respect for human rights,[79] it seems a stretch to infer a general state of legal acquiescence from the admittedly widespread but usually clandestine and often-condemned practice of transborder surveillance. Such a conclusion seems even more unlikely in a world where even domestic Internet communications may route across frontiers.

V. Methodological Opacity

The demerits of a focus on customary international law of human rights and the many failures to achieve consensus might be somewhat redeemed if we knew more about who is propounding which position and based on what sources. That, at least, would have directed bright light on the legal debate and given hints as to where the law might be going. But while the Manual highlights some interesting discussions, it hides the proponents and often the bases for their arguments—what we get is more like a snapshot of the dance floor with the dancers in silhouette. Even without identifying particular scholars (though why scholars should seek anonymity in this exercise is unclear), evaluating the conversation would be easier if objections were only from one national vantage point, or where a majority view was reflective of a particular regional legal culture. Legal support for many of the contentions in the Manual is spotty and sometimes absent even for majority views. Since this work is neither to be taken as one scholar’s treatise, nor reflective of one institution, the lack of attribution and support impairs its credibility.

Another obscurity is why certain rights are discussed and others not, and why certain issues are included but others not. For example, since the Experts view “mere” collection of someone’s communications as not implicating privacy, they do not bother to discuss the lawful scope of data retention—one of the most urgent issues in digital human rights, as governments assert mandatory retention authority, manufacturers convert the physical world into smart surveillance devices, and courts continue to express alarm. Another topic not dealt with at all in the IHRL chapter is the lawfulness of encryption, one of the few means individuals have to protect against privacy intrusion and a host of other rights violations, though proposals and laws to make strong encryption unlawful proliferate and the human rights and technical communities express grave alarm.[80] As noted above, the prospect of dissensus on customary international law did not cause the editors to excise many other discussions, so it is hard to see why these important topics are missing.

Given the prospect of finding little established custom to agree on in this area, the Tallinn Experts might have chosen to be forward-looking and put a few more unsettled issues on display. Many of the greatest challenges in applying human rights to issues of cyberattack are yet to come. Issues of human rights and artificial intelligence capabilities of means of surveillance, analysis or attack, or the Internet of Things as a target or instrumentality of attack, raise large rights implications that will have to be explored by others, and are likely to confront the legal advisor soon. There are less futuristic concerns that might have gotten more attention, particularly the nature of Internet access to the enjoyment and exercise of rights. Unfortunately, the Experts dismissed as insufficiently established in custom both a right to anonymity and a right to Internet access even while acknowledging these might be essential to the enjoyment of other rights.[81] Such an approach is sensible only under a narrow, scholastic vision of what qualifies as customary international law. When one considers that a right to water is widely recognized because it is implied by other established rights, the justification for this approach becomes questionable.

VI. A Better Approach

What is the legal advisor to do in an era where many pillars of human protection—from the prohibition against torture to the shelter of refugees—seem as under attack as the cyber-infrastructure? The partial and disputable account of customary IHRL in this chapter will not be great help, and to be fair, the Manual itself frequently turns the conversation to other sources. My initial recommendation is to look first to treaty obligations and then more widely at international interpretation of rights from the most experienced states and practitioners in the international-, regional-, and state-level systems. But I would counsel the legal advisor to consider a few other things as well.

First, actions in the area of human rights are subject to review and scrutiny, not only in the domestic system and from a wide range of advocates and litigants, but also and increasingly internationally. Your duty is to advise your client not just on what it can get away with, but how that action may be received, and not just domestically. To that end, do not be afraid to consult with other departments of government, as well as those with expertise outside of government, even if you think they will disagree. Rehearse your options before the need arises and revisit them, as this law changes quickly. Test the legality of any proposed action by your state as though it were directed against your state; that exercise helps clarify what principles your government stands for, even in the absence of more direct reciprocity in IHRL. And finally, ask: Will this action, even if justifiable under IHRL, set a potentially damaging precedent either for my state or other nations or will it wind up weakening the foundations of human rights that all democratic societies stand on? Your obligation is not only to the lex lata, but to the future as well.

  1. .Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 2, 3 (Michael N. Schmitt & Liis Vihul eds., 2017) [hereinafter Tallinn Manual 2.0].
  2. .Id. at xii, xiii, xxii.
  3. .See id. at xii–xviii (listing directors, technical and legal peer reviewers, and legal researchers and their respective institutions).
  4. .Id. at xxvi (describing the Netherlands government’s involvement with the drafting process).
  5. .See David Luban, Military Necessity and the Cultures of Military Law, 26 Leiden J. Int’l L. 315, 315–17 (2013) (describing deep cultural differences between military lawyers and human rights lawyers).
  6. .For example, since 2012 the U.N. Office on Drugs and Crime—which increasingly invites participation by civil-society organizations, including human rights groups—has begun internalizing international human rights as relevant to its work. UNODC Intensifies Focus on Human Rights, U.N. Off. on Drugs & Crime (May 25, 2012), https://www []. Similarly, the Internet Governance Forum, a multistakeholder organization that brings both state representatives and nonstate experts together, recognizes human rights topics as relevant to its mandate. See, e.g., Human Rights, Freedom of Expression and Free Flow of Information on the Internet, IGF, component/content/article/121-preparatory-process/1343-human-rights-freedom-of-expression-and-free-flow-of-information-on-the-internet [] (providing an overview of a 2016 meeting session on human rights and free expression on the Internet). By contrast, the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security excludes human rights experts and mentions international human rights law as relevant to their concerns only in passing. See, e.g., U.N. Secretary-General, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, ¶ 28, U.N. Doc. A/70/174 (July 22, 2015).
  7. .See Ben Emmerson (Special Rapporteur), Promotion and Protection of Human Rights and Fundamental Freedoms While Countering Terrorism, U.N. Doc. A/HRC/34/61, at 4, 15–20 (Feb. 21, 2017) (identifying possible reforms of the U.N.’s institutional architecture that would address human rights issues in the counterterrorism context).
  8. .See Kenneth Roth, Must It Always Be Wartime?, N.Y. Rev. Books (Mar. 9, 2017), [ -6TFV] (noting that “war on terror” rhetoric and other modern aspects of armed conflict serve to blur the lines between war and peace).
  9. .See, e.g., Ashley Carman, The NSA Is Merging Its Cyber Offense and Defense Teams, The Verge (Feb. 6, 2016), [] (explaining that “the [NSA] team that collects information about system vulnerabilities in order to exploit them for espionage purposes will work alongside the team that collects information about vulnerabilities in order to shield U.S. networks from cyberattacks”). See generally Gabor Rona & Lauren Aarons, State Responsibility to Respect, Protect and Fulfill Human Rights Obligations in Cyberspace, 8 J. Nat’l Sec. L. & Pol’y 503 (2016) (discussing the issues of applying international human rights law to cyberspace).
  10. .See Beth Van Schaack, The United States’ Position on the Extraterritorial Application of Human Rights Obligations: Now Is the Time for Change, 90 Int’l L. Stud. 20, 21–22 (2014) (outlining the development of legal doctrines surrounding the recognition of human rights in extraterritorial situations).
  11. .Ronaldo Lemos et al., A Bill of Rights for the Brazilian Internet (“Marco Civil”)—A Multistakeholder Policymaking Case, Inst. for Tech. & Soc’y Rio de Janeiro St. U., available at _Internet [].
  12. .Jeremy Malcom, Multi-Stakeholder Governance and the Internet Governance Forum 19 (2008). Multistakeholder arrangements are increasingly common in many aspects of Internet governance. See NoC Study on Internet Governance, Global Network Internet & Soc’y Res. Ctrs., [] (examining existing multistakeholder systems in Internet governance).
  13. .See, e.g., Michael N. Schmitt & Sean Watts, State Opinio Juris and International Humanitarian Law Pluralism, 91 Int’l L. Stud. 171, 17475 (2015) (lamenting states ceding control over the content, interpretation, and development of IHL to nonstate experts and civil society, among others).
  14. .See, e.g., Michael J. Matheson, The United States Position on the Relation of Customary International Law to the 1977 Protocols Additional to the 1949 Geneva Conventions, 2 Am. U. J. Int’l L. & Pol’y 419, 420 (1987).
  15. .The Office of the High Commissioner for Human Rights lists nine “core” human rights treaties, complete with treaty bodies and optional protocols. The Core International Human Rights Instruments and Their Monitoring Bodies, U.N. Hum. Rts. Off. of the High Commissioner, [ -RUCX]. This list does not include closely related bodies of law, such as International Labor Organization treaties; refugee instruments; or minority, indigenous, or tribal rights instruments. Id.
  16. .Status of Ratification Interactive Dashboard, U.N. Hum. Rts. Off. of the High Commissioner, [] (last visited May 14, 2017) (information accessable under the “Select a treaty” dropdown list).
  17. .See, e.g., International Covenant on Civil and Political Rights, Equal. & Hum. Rts. Commission, [] (last updated Nov. 3, 2016) (stating that both the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social, and Cultural Rights give “legal force” to the Universal Declaration of Human Rights).
  18. .Tallinn Manual 2.0, supra note 1, at 179–80. See generally Thomas Buergenthal, The Evolving International Human Rights System, 100 Am. J. Int’l L. 783 (2006) (discussing the dramatic growth of international human rights law and the mechanisms that have evolved to protect political and civil rights).
  19. .See Başak Çali, Comparing the Support of the EU and the US for International Human Rights Law Qua International Human Rights Law: Worlds Too Far Apart?, 13 Int’l J. Const. L. 901, 902–03 (arguing that the “thickness” of the international human rights regime in the E.U. is responsible for increased support for international human rights law in Europe).
  20. .See Roslyn Moloney, Incompatible Reservations to Human Rights Treaties: Severability and the Problem of State Consent, 5 Melb. J. Int’l L. 155, 156–58 (2004) (describing the dilemma of who determines when a reservation is incompatible with the underlying treaty).
  21. .See, e.g., Roozbeh (Ruby) B. Baker, Customary International Law in the 21st Century: Old Challenges and New Debates, 21 Eur. J. Int’l L. 173, 176–77 (2010) (describing how customary international law is formed and developed); Michael P. Scharf, Accelerated Formation of Customary International Law, 20 ILSA J. Int’l & Comp. L. 305, 318–20 (2014) (presenting the ways that treaties can generate customary rules binding on states).
  22. .See generally Jack L. Goldsmith & Eric A. Posner, A Theory of Customary International Law, 66 U. Chi. L. Rev. 1113 (1999) (arguing that what appear to be rules evidenced by states acting in similar ways from opinio juris are better understood as a coincidences of interest or successful coercion).
  23. .See, e.g., Samuel Estreicher, Rethinking the Binding Effect of Customary International Law, 44 Va. J. Int’l L. 5, 6 (2003).
  24. .Tallinn Manual 2.0, supra note 1, at 179.
  25. .See, e.g., Ralph Wilde, Address at the University of Texas Law Review Symposium: Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Feb. 7, 2017).
  26. .See, e.g., ICJ Condemns Fatally Flawed ASEAN Human Rights Declaration, Int’l Comm’n of Jurists (Nov. 19, 2012), [] (criticizing the ASEAN’s Human Rights Declaration as detrimental to human rights).
  27. .Tallinn Manual 2.0, supra note 1, at 180.
  28. .See generally Xiaorong Li, “Asian Values” and the Universality of Human Rights, 16 Phil. & Pub. Pol’y Q. 18 (1996) (analyzing the interaction between Asian values and international human rights).
  29. .See Kristen Eichensehr, Book Review, 108 Am. J. Int’l L. 585, 585 (2014) (reviewing Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013)) (recognizing that the NATO-centric perspective of Tallinn Manual 1.0 may draw criticism from non-NATO countries).
  30. .See Tallinn Manual 2.0, supra note 1, at 180, 205 (indicating that the International Group of Experts agrees that states enjoy a “margin of appreciation” in limiting human rights obligations).
  31. .See, e.g., U.N. Human Rights Comm’n, International Covenant on Civil and Political Rights, U.N. Doc. CCPR/C/GC/34, at 8–9 (Sept. 12, 2011) (rejecting the “margin of appreciation” analysis when evaluating limitations on freedom of expression).
  32. .See Tallinn Manual 2.0, supra note 1, at 191 (noting the Experts’ discussion of, but lack of agreement on, a reasonable-expectation-of-privacy standard for the right to privacy under customary international law).
  33. .See United States v. Jones, 565 U.S. 400, 417 (2012) (Sotomayor, J., concurring) (suggesting that the reasonable-expectation-of-privacy doctrine may need reconsideration).
  34. .Tallinn Manual 2.0, supra note 1, at 179.
  35. .Id. at 180.
  36. .Id. at 177.
  37. .Id. at 179 (emphasis added).
  38. .G.A. Res. 69/166, The Right to Privacy in the Digital Age, at 3 (Dec. 18, 2014); G.A. Res. 68/167, at 2 (Dec. 18, 2013); Human Rights Council Res. 32/13, U.N. Doc. A/HRC/RES/32/13, at 3 (July 1, 2016); Human Rights Council Res. 26/13, U.N. Doc. A/HRC/RES/26/13, at 2 (June 26, 2014); Gulnara Iskakova (Rapporteur), Rep. of the Human Rights Council on its Twentieth Session, U.N. Doc. A/HRC/20/2, at 23 (Aug. 3, 2012).
  39. .Tallinn Manual 2.0, supra note 1, at 187 (Rule 35).
  40. .Frank La Rue (Special Rapporteur), Promotion and Protection of the Right to Freedom of Opinion and Expression, U.N. Doc. A/66/290 (Aug. 10, 2011), dpage_e.aspx?si=A/66/290 [].
  41. .Id. at 181.
  42. .Id. at 193.
  43. .Id. at 196–98 (Rule 36).
  44. .Id. at 188.
  45. .G.A. Res. 2200A, International Covenant on Civil and Political Rights art. 18 (Dec. 16, 1966) [hereinafter ICCPR].
  46. .Id. art. 18.
  47. .Tallinn Manual 2.0, supra note 1, at 189.
  48. .See, e.g., Bart van der Sloot, Privacy as Personality Right: Why the ECtHR’s Focus on Ulterior Interests Might Prove Indispensible in the Age of “Big Data”, 31 Utrecht J. Int’l & Eur. L. 25, 34–35 (2015) (discussing the right to personal development as found in the Universal Declaration on Human Rights).
  49. .Tallinn Manual 2.0, supra note 1, at 193.
  50. .Id. at 184. Despite the recommendation of then-Legal Adviser Harold Koh, the U.S. maintained the position that the International Covenant on Civil and Political Rights imposes no obligation outside a state party’s territory. Marko Milanovic, Harold Koh’s Legal Opinions on the US Position on the Extraterritorial Application of Human Rights Treaties, EJIL: Talk! (Mar. 7, 2014), [].
  51. .Tallinn Manual 2.0, supra note 1, at 185–86.
  52. .Id. at 186.
  53. .See Tallinn Manual 2.0, supra note 1, at 189–91 (recounting the Experts’ views on privacy in e-mail communications and their inability to agree on a precise definition of “personal data”). The Five Eyes is the shorthand name for the participant countries—Britain, the U.S., Australia, New Zealand, and Canada—in an intelligence-gathering agreement that has been in place since World War II. Paul Farrell, History of 5-Eyes—Explainer, Guardian (Dec. 2, 2013) [ 6E93-BXDU].
  54. .Tallinn Manual 2.0, supra note 1, at 190.
  55. .Id. at 190 n.420.
  56. .Bruce Schneier, Why the NSA’s Defense of Mass Data Collection Makes No Sense, The Atlantic (Oct. 21, 2013), []; James Vincent, Legal Challenge Against UK’s Sweeping Surveillance Laws Quickly Crowdfunded, The Verge (Jan. 10, 2017), [].
  57. .See Leander v. Sweden, 9 Eur. Ct. H.R. 433, ¶ 48 (1987) (holding that storing information alone can interfere with the right to privacy).
  58. .See Tallinn Manual 2.0, supra note 1, at 191–92 (agreeing that “the right to privacy generally protects the personal data of individuals” and that “metadata qualifying as personal data is protected”).
  59. .Privacy Rights, Metadata, and Aggregation, Can. Civ. Liberties Ass’n (May 13, 2015), []; see Dahlia Lithwick & Steve Vladeck, Taking the “Meh” out of Metadata, Slate (Nov. 22, 2013), [] (describing conclusions that can be drawn from data aggregation).
  60. .See Tallinn Manual 2.0, supra note 1, at 192 (citing Malone v. United Kingdom, 82 Eur. Ct. H.R. (ser. A) ¶ 84 (1984)).
  61. .Id. at 200.
  62. .Id. at 200 nn.446–47.
  63. .For two guides to the multitude of international instruments and declarations recognizing the many aspects of the right to a remedy, see generally Int’l Comm’n of Jurists, The Right to a Remedy and to Reparation for Gross Human Rights Violations: A Practitioner’s Guide (2006), []; Theo van Boven, The United Nations Basic Principles and Guidelines on the Right to a Remedy and Reparation for Victims of Gross Violations of International Human Rights Law and Serious Violations of International Humanitarian Law, U.N. Audiovisual Libr. of Int’l L. (2010), ga_60-147/ga_60-147_e.pdf [].
  64. .See Tallinn Manual 2.0, supra note 1, at 201 (“[E]x ante preventive monitoring measures far exceed the requirements of current customary international human rights law.”).
  65. .Proportionality appears in two contexts in IHRL. The first is the limitation of derogation of rights “to the extent strictly required by the exigencies of the situation . . . .” International Covenant on Civil and Political Rights art. 4, Mar. 23, 1976, S. Exec. Doc. E, 95-2, 99 U.N.T.S. 171; U.N. Office of the High Comm’r for Human Rights, Derogations During a State of Emergency, ¶ 4, U.N. Doc. CCPR/C/21/Rev.1/Add.11 (Aug. 31, 2001). The second is proportionality in permissible restriction of rights more generally, often expressed through the condition that restrictions must be “necessary.” International Covenant on Civil and Political Rights art. 19, Mar. 23, 1976, S. Exec. Doc. E, 95-2, 99 U.N.T.S. 171; U.N. Human Rights Comm’n, The Nature of the General Legal Obligation Imposed on States Parties to the Covenant, ¶ 6, U.N. Doc. CCPR/C/21/Rev.1/Add.13 (May 26, 2004). For discussion of the “principle of proportionality” as an overarching feature of many national constitutions and regional human rights instruments, see generally Aharon Barak, Proportionality: Constitutional Rights and Their Limitations (2012); Kai Moller, Proportionality: Challenging the Critics, 10 Int’l J. Const. L. 709 (2012).
  66. .See Tallinn Manual 2.0, supra note 1, at 205 (noting that the Experts emphasized that necessity alone is not sufficient to justify limiting obligations under international human rights law); id. at 348 (treating “necessary” and “proportionally” as distinct requirements to justify state actions taken in self-defense).
  67. .The term “necessary,” like the term “arbitrary,” is indicative of a form of proportionality analysis. See Marko Milanovic, Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age, 56 Harv. Int’l L.J. 81, 133 (2015) (noting that the Human Rights Committee and the European Court have read “necessary” to include a measure of whether the interference was proportional to achieving a legitimate aim). The principle of proportionality, which first emerged in German constitutional law, is generally stated as having several related parts: consideration of whether a measure is adequate to reach an end, whether it is “necessary” in the sense of least-restrictive, and whether even if the restriction is both adequate and necessary, it conveys greater benefit than harm in the sense of undermining rights. See, e.g., Hiroshi Nishihara, Constitutional Meaning of the Proportionality Principle in the Context of the Surveillance State, 26 Waseda Bull. Comp. L. 1, 4–5 (2008). Elements of this doctrine are found in many constitutional systems and reflected also in the U.N. Human Rights Committee’s interpretation of the term. See, e.g., U.N. Human Rights Comm’n, Freedoms of Opinion and Expression, ¶¶ 3334, U.N. Doc. CCPR/C/GC/34 (Sept. 12, 2011) (discussing the limitations of what can be considered “necessary” regarding proportionality considerations); U.N. Human Rights Comm’n, supra note 65, ¶ 6 (“Where such restrictions are made, states must demonstrate their necessity and only take such measures as are proportionate to the pursuance of legitimate aims in order to ensure continuous and effective protection of Covenant rights. . . . In no case may the restrictions be applied or invoked in a manner that would impair the essence of a Covenant right.”).
  68. .Handyside v. United Kingdom, 1 Eur. Ct. H.R. 737, ¶ 5 (1976).
  69. .See, e.g., Office of the High Comm’r for Human Rights, Freedom of Movement, ¶ 14, U.N. Doc. CCPR/C/21/Rev.1/Add.9 (1999) (requiring that restrictions on the individual freedom of movement that is enshrined in the International Covenant on Civil and Political Rights “conform to the principle of proportionality”).
  70. .Id.; see also Frank La Rue (Special Rapporteur), Promotion and Protection of the Right to Freedom of Opinion and Expression, ¶ 79, U.N. Doc. A/HRC/14/23 (Apr. 20, 2010) (requiring that a contemplated restriction on freedom of expression “not undermine or jeopardize the essence” of that freedom).
  71. .Beth Van Schaak, The United States’ Position on the Extraterritorial Application of Human Rights Obligations: Now is the Time for Change, 90 Int’l L. Stud. 20, 22–23 (2014).
  72. .One reason might simply be that the U.S. recognizes proportionality analysis in many other rights contexts, for example, as a state party to the ICCPR and its guarantee of free expression. See ICCPR, supra note 45, art. 19.
  73. .Tallinn Manual 2.0, supra note 1, at 204–05.
  74. .See, e.g., Human Rights Council, Rep. of the Working Group on the Universal Periodic Review, Belarus, at 5–9, U.N. Doc. A/HRC/30/3 (July 13, 2015) (recording statements of concern by at least six countries on Belarus’s ongoing violations of its citizens’ freedom of the press, assembly, and expression); Human Rights Council, Rep. of the Working Group on the Universal Periodic Review, Bahrain, at 6–7, 10–11, 13, U.N. Doc. A/HRC/21/6 (July 6, 2012) (recording statements of concern by at least ten countries as to Bahrain’s ill-treatment of protestors).
  75. .See, e.g., Human Rights Council, Summary Prepared by the Office of the High Commissioner for Human Rights in Accordance with Paragraph 5 of the Annex to Human Rights Council Resolution 16/21, Russian Federation, at 4, U.N. Doc. A/HRC/WG.6/16/RUS/3 (Jan. 28, 2013) (reporting allegations of torture and ill-treatment of prisoners by the Russian police and security services); Human Rights Council, Summary Prepared by the Office of the High Commissioner for Human Rights in Accordance with Paragraph 5 of the Annex to Human Rights Council Resolution 16/21, Pakistan, at 4, U.N. Doc. A/HRC/WG.6/14/PAK/3 (July 26, 2012) (noting Pakistan’s failure to effectively implement laws protecting women from violence).
  76. .See Scharf, supra note 21, at 313–29 (reviewing the scholarly debate over the extent to which customary international law consists of general state practice and states’ attitudes regarding certain practices); see also Vojin Dimitrijevic, Customary Law as an Instrument for the Protection of Human Rights 5 (Istituto Per Gli Studi Di Politica, Working Paper No. 7, 2006) (summarizing the debate on international custom as a source of international law to be “determining the proportion of the influence on the existence of the customary rule of consistent practice, or of opinio juris, respectively”).
  77. .Tallinn Manual 2.0, supra note 1, at 185.
  78. .See, e.g., Alissa J. Rubin, French Condemn Surveillance by N.S.A., N.Y. Times (Oct. 21, 2013), [] (reporting why the French government castigated the U.S. for “carrying out extensive electronic eavesdropping within France”); David E. Sanger, Obama Strikes Back at Russia for Election Hacking, N.Y. Times (Dec. 29, 2016), https://www [
    S3XQ-47AM] (reporting that the Obama Administration responded to Russia’s efforts to influence the 2016 U.S. elections through cyberspace by imposing sanctions on its two leading intelligence services and expelling thirty-five Russian nationals from the U.S.).
  79. .U.N. Charter art. 1, ¶ 3.
  80. .Amnesty Int’l, Encryption: A Matter of Human Rights 12–13 (2016), available at [] (decrying several countries’ efforts to ban or restrict encryption and the resulting impact on human rights); Daniel Castro & Alan McQuinn, Unlocking Encryption: Information Security and the Rule of Law 3 (2016), available at .1861050019.1489516139 [] (criticizing limitations on encryption as ineffective against terrorism and harmful towards average citizens).
  81. .See Tallinn Manual 2.0, supra note 1, at 194 (acknowledging that international law has not coalesced on a right to anonymity); id. at 13 (recognizing states’ sovereign right to disconnect from the Internet).