Hacking International Organizations: The Role of Privileges and Immunities
International organizations (IOs) collect vast quantities of information as part of their daily activities. Depending on the organization’s mandate, this information can relate to the monitoring of sanctions; the enforcement of arms control regimes; counterterrorism efforts; the protection of civilians; the monitoring of ceasefires; the documentation of breaches of international humanitarian law and international human rights law in the course of peacekeeping operations; and the execution of military and non-military operations. It goes without saying that maintaining the confidentiality of this information is critical to enabling the IO to discharge its tasks and achieve its objectives.
The information collected by IOs is invariably compiled as electronic data which, as many reports suggest, can be hacked by a diverse range of actors including States engaged in armed conflict. For example, in 2020 it was reported that dozens of United Nations (UN) servers—including those operated by its human rights offices—had been hacked. This post will focus on hacking by States. We schematically identify three types of hacking scenarios: first, hacks by member States; second, hacks by States in which the IO is headquartered (host States); and third, hacks by non-member States. Hacking operations may breach a number of international legal rules but, due to space constraints, in this post we focus on the IOs’ privileges and immunities and examine the extent to which they protect them from hacking.
The Privileges and Immunities of IOs
IOs are afforded privileges and immunities to enable them to operate independently on the international plane and achieve their objectives without interference. Privileges and immunities refer to exemptions from local jurisdiction and both indicate what is necessary for the independent functioning of IOs. Privileges and immunities are typically granted to IOs on the basis of conventional (treaty) law but, as we shall see, they are also established in customary international law (CIL).
IOs are usually granted privileges and immunities by their constitutive agreements. Often, IOs conclude additional agreements to flesh out the nature, content, and scope of their privileges and immunities. The Convention on Privileges and Immunities of the United Nations (CPIUN) of 1946 is such an agreement and, importantly, it has been used as a model by other IOs when formulating their privileges and immunities conventions. In this way, the CPIUN acts as the “reference point” for determining the privileges and immunities of IOs generally (Debuf, p. 333).
IOs enjoy a wide range of privileges and immunities that provide overlapping protection from hacking. First, the “premises” of IOs are “inviolable” (Section 3, CPIUN). “Premises” demarcate those areas that house or contain IOs, such as their buildings, car parks, and gardens. The “premises” of an IO can be virtual insofar as they include the computer networks and systems that are supported by cyber infrastructure that is physically located within the organization’s premises (Tallinn Manual 2.0, Rule 39; Buchan, p. 73). However, the “premises” of an IO do not encompass the computer networks and systems hosted by cyber infrastructure located beyond the IO’s physical premises, for example, where computer networks and systems are supported by servers located within the territory of the host State or third States.
Given that an IO’s premises are “inviolable,” any non-consensual intrusion into those areas is prohibited. On this basis, hacking operations against an IO’s computer networks and systems that are supported by cyber infrastructure located within its premises are unlawful.
Second, the “property” and “assets” of IOs are, “wherever located and by whomsoever held, … immune from search, requisition, confiscation, expropriation and any other form of interference” (Section 3, CPIUN). “Property” and “assets” certainly include an IO’s physical property and assets, and this means that computer hardware such as servers and storage devices are protected from interference. But “property” and “assets” also cover an IO’s non-physical property and assets such as its bank accounts. If this is the case, computer networks and systems and data can be “property” or “assets” of an IO and, accordingly, they are protected from hacking that constitutes a prohibited “search” or “interference.”
Importantly, property and assets are protected “wherever located and by whomsoever held.” This means that data stored by IOs in the Cloud is protected from interference even though it resides on computer networks and systems supported by cyber infrastructure located within the territory of another State and regardless of whether that infrastructure is publicly or privately owned or operated. Presumably, an IO’s “property” and “assets” must be identifiable as such for it to enjoy protection from interference.
Third, “[t]he archives of [an IO], and in general all documents belonging to it or held by it, shall be inviolable wherever located” (Section 4, CPIUN). Archives and documents refer to “the entire collection of stored documents … including their official records and correspondence,” which implies that in order to enjoy protection archives and documents must be identifiable as official records of the IO. It is well established that, in the digital age, archives and documents are inviolable irrespective of whether they are compiled physically or electronically (Bancoult No. 3, para. 21). Significantly, archives and documents are protected “wherever located,” which means that an IO’s data are protected from hacking even when stored on or transiting through cyber infrastructure located beyond the premises of the IO. This would mean, for example, that data are protected when they are outsourced to private actors for analysis. The caveat, however, is that where an IO passes data to or shares data with another actor and, in doing so, relinquishes control over it, those data can no longer be described as “belonging to” or “held by” the IO (Bancoult No. 3, para. 68).
Fourth, IOs enjoy “the right to use codes and to despatch and receive [their] correspondence by courier or in bags, which shall have the same privileges and immunities as diplomatic couriers and bags” (Section 10, CPIUN). Electronic communications such as emails constitute correspondence analogous to courier dispatches and, where they contain attachments (for example, zip files), they can be analogized to diplomatic bags (Choi, p. 127). Under Article 27(4) VCDR, diplomatic bags must “bear visible external marks of their character.” In the cyber context, email addresses, subject lines and electronic signatures can be used to identify the communications of an IO. Critically, under Article 27(3) VCDR diplomatic bags cannot be “opened or detained,” meaning that while the external features of a diplomatic bag can be inspected, its contents cannot be revealed. Thus, sniffer software that can detect malicious emails is permitted, but more intrusive software that reveals the content of emails is proscribed.
IOs are almost always located in the territory of member States and this raises the possibility that host States may interfere in the organization’s work. In particular, host States have greater opportunity to hack the data of IOs because IOs may use the cyber infrastructure located within the territory of host States to support their computer networks and systems and may use this infrastructure to connect and communicate with the outside world. IOs and host States therefore conclude bilateral treaties—usually known as headquarters agreements—to regulate their relations and maintain the IO’s independence. Headquarters agreements tend to replicate the privileges and immunities set out in the CPIUN, and in some cases, these agreements expressly refer to it. As we have seen, the CPIUN grants the UN sweeping privileges and immunities, and for the reasons explained previously, headquarters agreements protect IOs from hacking by host States.
Customary International Law
Non-member States may also hack the computer networks and systems of IOs, and as a matter of treaty law, they are not bound to observe the privileges and immunities contained in conventional agreements. Importantly, however, these privileges and immunities may have passed into CIL and bind non-member States on this basis.
For CIL to arise, there must be general State practice and opinio juris. As a general rule, where States become party to a convention the act of ratification evinces an intention to be bound by that treaty and, from this, no State practice or opinio juris can be deduced to support the formation of CIL. That said, the International Court of Justice (ICJ) has held that a treaty can be assimilated into CIL where there is “very widespread and representative participation in the convention” and provided its membership includes those States whose “interests” are “specially affected” (North Sea, para. 73; for a similar view see Eritrea-Ethiopia Claims Commission, para. 31). The issue is that widespread ratification qualifies as general State practice and also signals the emergence of a global opinio juris. In this regard, it is significant that the CPIUN has been ratified by 162 States.
The argument that provisions contained in widely ratified treaties are constitutive of CIL is even more compelling when they are replicated in successive treaties (International Law Commission, Conclusion 11(2)). Where provisions are repeated in subsequent conventions this amounts to general State practice and indicates the gradual formation of a communal opinio juris. This is indeed the case with the CPIUN. As explained previously, the CPIUN has been used as a template for many other treaties on privileges and immunities—in fact, the CPIUN’s privileges and immunities provisions are usually repeated verbatim in most IOs’ privileges and immunities treaties.
National courts have affirmed that privileges and immunities have passed into CIL. For example, in A. S. v. Iran-United States Claims Tribunal the Dutch Supreme Court held that, in the absence of an agreement on privileges and immunities, “it follows from unwritten international law that an international organization is entitled to the privilege of immunity from jurisdiction on the same footing as generally provided for in the treaties referred to above [headquarters agreements and privileges and immunities conventions].”
Another ground on which the CIL of privileges and immunities can be established is the international legal personality of IOs. Privileges and immunities are attendant to and realize the legal personality of IOs, and it is therefore well accepted that they constitute part of the customary law rights that apply to IOs as legal persons (Okeke, p. 253). If this is the case, the key question is when legal personality arises.
Historically, there was disagreement as to whether the subjective or objective approach should be used to establish the legal personality of IOs. While some States continue to adopt the subjective approach, in recent years the objective approach has become dominant because it creates stability and certainty in the international legal order (White, pp. 101-120). The objective approach awards legal personality to IOs where objective criteria are met; that is, international law grants legal personality where IOs exhibit certain features and characteristics, such as members, organs, powers, and objectives. For example, in the absence of a specific provision in the Charter bestowing legal personality on the UN, the ICJ recognized the UN’s legal personality on the basis of its attributes (Reparation for Injuries, pp. 177-185). The significance of an IO’s objective legal personality is that it operates erga omnes and is therefore opposable to member and non-member States alike. It follows from this that hacks by non-member States breach an IO’s CIL privileges and immunities and are unlawful.
IOs perform critically important functions especially during times of armed conflict, and it is essential that they are able to maintain the confidentiality of their data. Since reports suggest that hacks against IOs are on the rise, this post examined whether international law can provide protection. As discussed above, hacking by member States breaches the privileges and immunities granted to IOs by their constitutive instruments and other related treaties (such as headquarters agreements for host States). These treaties usually provide for the inviolability of IOs’ premises, property, assets, archives, and documents. Hacking by non-member States also breaches the privileges and immunities of IOs that are established in CIL on the basis of a general State practice accompanied by opinio juris and because they attach to the objective legal personality of IOs.
Russell Buchan is Senior Lecturer in International Law at the University of Sheffield, UK.
Nicholas Tsagourias is Professor of International Law at the University of Sheffield, UK.