As an inaugural fellow in the Datasphere initiative I have spent significant time thinking about the role of data governance in national security crises, particularly in times of armed conflicts. The production, collection, and dissemination of data serves many functions in war. It can be used to protect civilian populations, including refugees and those internally displaced. But data can also be used as a weapon to advance the military objectives of belligerent parties, and in certain cases, even facilitating the commission of war crimes.
It is important that we launch a meaningful discussion around informational privacy and data protection in war. The situations in Ukraine, in Palestine, and in Myanmar all demonstrate the vital need for the international community to produce new legal frameworks and enforcement mechanisms that could better respect and ensure digital rights in times of armed conflict.
Regulating Cyber Methods and Means Of Warfare in the Internet Age
The Nuremberg Trials that followed World War II began with an opening statement from Justice Robert Jackson, the chief U.S. Prosecutor for the military tribunal. Jackson’s statement laid the foundations for the prosecution of war crimes and crimes against humanity for decades to come, by affirming: “the wrongs which we seek to condemn and punish have been so calculated and so devastating, that civilization cannot tolerate their being ignored, because it cannot survive their being repeated.”
The wrongs that Jackson was referring to were based on a 20th century conceptualization of methods and means of warfare. The trials and the Geneva Conventions of 1949 that were adopted shortly after the trials, affirmed the idea that international law prohibits certain methods and means used to wage war. “These restrictions apply to the type of weapons used, the way they are used, and the general conduct of all those engaged in the armed conflict.”
Yet, “armed” conflicts in the internet age now involve instrumentalities that should be considered “of war” and “for war” that were unimaginable in the days of Nuremberg. These include the use of machine learning algorithms, the collection of extensive amounts and types of wartime (personal and non-personal) data, the development of digital surveillance, censorship, and disinformation capabilities, and the deployment of malware, internet shutdowns, and content blocking in the course of cyber offensives.
Today’s militaries and paramilitary groups are just as active in the datasphere as any other actor. There is no denying that war has been digitally transformed and that a growing volume of information is now “sensed, collected, stored, analyzed, and disseminated every day” to advance wartime efforts.
Consider various anecdotal examples from the ongoing war of aggression in Ukraine: (1) the use of commercial satellites operated by private companies to collect imagery for intelligence; (2) the role of user-generated evidence in the documentation of gross abuses of international humanitarian law; (3) the formation of cyber militias to help support Ukrainian war efforts by launching cyberattacks against Russian targets; (4) the diversion of mobile and landline internet traffic through Russian networks to control information flows that enter occupied Russian territories in Ukraine; (5) the use and abuse of TikTok and other social media platforms to advance viral war propaganda including by committing outrages upon the personal dignity of the dead and of prisoners of war.
Against this backdrop it is alarming to know that there have been few soft law norms, let alone binding rules, that have been established to constrain and control abuses of power by the military and governments in their data-intensive campaigns supporting wars they are involved in. A crucial concern then is that such abuses of power could generate additional suffering and harm in ways that would hinder the objective of protecting the civilian population from the horrors faced during and after the war.
The multistakeholder and polycentric tapestry of data governance in wars
In June this year, I published a co-edited anthology titled The Rights to Privacy and Data Protection in Times of Armed Conflict. The book, which was commissioned by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), provides a first-of-its-kind account of the complex data ecosystem that is generated during war. Our contributing authors, all experts in their field, provided a canvassing “of the various actors that play a role in the multistakeholder and polycentric tapestry of governance that controls emerging military technologies” with particular focus on the role of non-state actors who are involved in the generation and dissemination of wartime data. As we write in the introduction to the book, the book’s chapters “provide a true tour de force of the ecosystem, examining such actors as military contractors, tech giants, internet service providers, cloud providers, third-party vendors and suppliers of software and hardware, armed groups, international organizations and fact-finding missions, courts and tribunals, journalists, and humanitarian actors.”
Take another concrete example, in the case of Israel and Palestine. To effectively facilitate its management of the checkpoints, Israel employs a complex data system within the Palestinian territories.
As Omar Yousef Shehabi writes, that system involves among other things the employment of biometric databases, facial recognition at checkpoints, the use of video surveillance and behavior-predictive machine learning, and various forms of spyware and other cyber tools. Yet how can we ensure that these tools are being utilized in a responsible fashion, and is the very notion of the responsible deployment of panoptic surveillance technologies in occupied territory an oxymoron? As Omar himself writes: “In the inherently coercive context of military occupation, the desire to regulate surveillance technologies, limit the use of the data they yield, and endow data subjects (i.e. protected persons in the occupied territory) with some degree of agency over their personal data is compelling. However, the pursuit of a doctrinally sound way to regulate the use of these technologies raises thorny epistemological questions regarding the law of occupation and its role in international law.” In particular, Omar highlights the fact that whereas informational privacy and data protection, especially in their European model, are premised on a highly procedural and bureaucratic system involving data protection authorities and regulators with compulsory powers to enforce against data controllers and processors, such a system is “neither theoretically nor practically suited to the structure of military occupation.”
What the international community should do now
There are a number of international fora that could serve as a focal point for the development of future international legal frameworks to protect digital rights in times of armed conflict. These include, amongst others:
- The United Nations Open-Ended Working Group (OEWG) and the United Nations Governmental Group of Experts (GGE). Both of these entities have been working within the UN towards the codification of rules for responsible behavior in cyberspace.
- The International Committee of the Red Cross (ICRC). The ICRC is a humanitarian organization that operates with the mandate to protect victims of international and internal armed conflicts. As part of this process the ICRC has produced commentaries and interpretive guidance to the Geneva Conventions and their Additional Protocols.
- The European Data Protection Board (EDPB). The EDPB is an independent European body which brings together representatives of the EU national data protection authorities and the European Data Protection Supervisor. The EDPB works to ensure consistent application of data protection rules throughout the European Union.
Each of these organizations could begin a multistakeholder consultation process to address some of the concerns we’ve discussed. Such a process should prioritize dialogue with representatives of marginalized and vulnerable groups and civil society associations in conflict zones. Such consultation could lead to the formation of best practices and ultimate standards for the protection of digital rights in war. These could then be implemented by militaries which remain the primary actors in times of armed conflict.
The armed services of each country rely on military manuals for their day-to-day function. These are official publications detailing the current doctrines, practices, and rules that each military employs and abides by. An effective international consultation process could ultimately result in the development of model language that could then be recommended for incorporation into these military manuals.
As we explore and foster innovative approaches for managing the future of data, we need to take into account the oversized role that data now plays during humanitarian crises, including in times of armed conflict. During war, data is collected, stored, analyzed, and shared to achieve military objectives. Data thus plays an important role in war and can be utilized for good.
Accurate and timely intelligence helps minimize harm to civilians and civilian objects by reducing the likelihood of error. Another example comes from the work of humanitarian organizations who utilize complex datasets and algorithms to enhance logistical efforts to provide humanitarian assistance to vulnerable groups in remote areas during conflict.
At the same time, however, this blog post has shown how data can be abused during war by the belligerent parties. Despite an ongoing military arms race over data, there is currently a gap in the law and in the literature, around regulation of this practice: how we can responsibly unlock the value of data in war. This post has thus called on the international community to begin a much needed consultative process with the hope of developing norms for the governance of wartime data.
¹Dr. Asaf Lubin is an Associate Professor of Law at Indiana University Maurer School of Law and an inaugural fellow at the Datasphere Initiative.
²“The Grave Responsibility of Justice”: Justice Robert H. Jackson’s Opening Statement at Nuremberg, WWII Museum (Nov. 20, 2020), https://www.nationalww2museum.org/war/articles/robert-jackson-opening-statement-nuremberg.
³Methods and means of warfare, ICRC (Oct. 29, 2010), https://www.icrc.org/en/document/methods-means-warfare.
⁴Asaf Lubin, Big Data and the Future of Belligerency: Applying the Rights to Privacy and Data Protection to Wartime Artificial Intelligence, in Handbook on Warfare and Artificial Intelligence (Geiss & Lahmann eds., forthcoming, 2023).
⁵Sandra Erwin, Drawing lessons from the first ‘commercial space war’, SpaceNews (May 20, 2022), https://spacenews.com/on-national-security-drawing-lessons-from-the-first-commercial-space-war/.
⁶Rebecca Hamilton and Lindsay Freeman, The Int’l Criminal Court’s Ukraine Investigation: A Test Case for User-Generated Evidence, Just Security (March 2, 2022), https://www.justsecurity.org/80404/the-intl-criminal-courts-ukraine-investigation-a-test-case-for-user-generated-evidence/.
⁷Lorenzo Franceschi-Bicchierai, Inside Ukraine’s Decentralized Cyber Army, Vice (July 19, 2022), https://www.vice.com/en/article/y3pvmm/inside-ukraines-decentralized-cyber-army.
⁸Adam Satariano, How Russia Took Over Ukraine’s Internet in Occupied Territories, N.Y. Times (Aug. 9, 2022), https://www.nytimes.com/interactive/2022/08/09/technology/ukraine-internet-russia-censorship.html.
⁹Isabelle Khurshudyan and Sammy Westfall, Ukraine puts captured Russians on stage. It’s a powerful propaganda tool, but is it a violation of POW rights?, Washington Post (Mar. 9, 2022), https://www.washingtonpost.com/world/2022/03/09/ukraine-russia-prisoners-pows/.
¹⁰The Rights to Privacy and Data Protection in Times of Armed Conflict 15 (Russell Buchan & Asaf Lubin eds., CCDCOE, 2022).
¹²Omar Yousef Shehabi, Emerging Technologies, Digital Privacy, and Data Protection in Military Occupation, in The Rights to Privacy and Data Protection in Times of Armed Conflict 87, 90-95 (Russell Buchan & Asaf Lubin eds., CCDCOE, 2022).
¹³Id., at 89.
¹⁴Id., at 111-112.