Is Data an Object under IHL?

Due to the rapid expansion of the internet, most daily life activities and functions have shifted to the digital world, as has warfare. Incidents of cyberwarfare may range from hacking into a state’s system to prevent a kinetic missile attack to hacking into a system to merely steal the information of federal employees etc.¹Atrews, RA. “Cyberwarfare: Threats, Security, Attacks, and Impact.” Journal of Information Warfare, vol. 19, no. 4, 2020, pp. 17–28. JSTOR, https://www.jstor.org/stable/27033642. Accessed 30 May 2023. Some cyber operations are merely alterations, deletions, or substitutions of computer data. Data has become fundamental to military operations and is also fundamental to civilian life. This article will analyse whether computer data, which is an intangible thing, can be considered an object under International Humanitarian Law (IHL) which would make attacks on computer data subject to the rules of IHL.

What is Data?

Computer data is defined as “quantities, characters, or symbols on which operations are performed by a computer considered collectively”.²Oxford English Dictionary: The Definitive Record of the English Language All data in a computer is stored in the form of binary digits (0s and 1s). These binary signals are then interpreted by the central processing unit (CPU) as different commands. This means that in its pure form, no distinction can be made in data for military purposes and data for civilian purposes. Yet, this intangible and random collection of digits can be altered by enemy organisations and states to achieve military advantages in conflicts.

 Why is its Classification Significant?

It must be determined whether computer data is an object under IHL. This classification is crucial, because if data is an object under IHL then any attack on IHL needs to be in conformity with the cardinal principles of IHL of distinction, proportionality and precaution. Firstly, the attacks would need to discriminate between civilian and military objects. The principle of distinction states that, “civilian objects should not be the object of attack”.³Article 52(1), Additional Protocol to the Geneva Conventions of 12 August 1949. See also Prosecutor v Blaskic (Judgment) IT-95-14-T (3 March 2000) [180] States would have the burden of proving that a particular data set qualified as a military objective, as defined by Article 52 of Additional Protocol I to the Geneva Conventions (API), thus limiting the quantum of attacks and providing protection to civilian data. Secondly, the attacks would need to comply with the proportionality analysis. An attack would be unlawful if it causes excessive or unproportional incidental damage to civilian objects/ civilian data.⁴Article 57(2)(b), Additional Protocols I Thirdly, as per the principle of precaution, the attacker would be under obligation to take all feasible precautions to prevent any damage to civilian objects, which in this case would include civilian data.

However, it is pertinent to mention that the qualification of computer data as an object under IHL would not automatically provide effective protection to civilian data. This is because these principles govern ‘attacks’ on ‘objects’. One must therefore determine what constitutes an ‘attack’. As per the Tallinn Manual and state practice, only those cyber operations are considered attacks which have kinetic effects. ‘Kinetic cyber-attacks’ refers to a class of cyber-attacks that can cause direct or indirect physical damage, injury or death. For instance, a cyber-attack on the information system of a dam which results in the opening of dam gates causing cities to drown and resulting in physical damage to human life and property. Thus, hacking into a system to steal a state’s military secrets or civilian data would not be considered an attack regardless of whether it is an object or not. This article, however, only focuses on the latter debate, i.e., whether the computer data qualifies as an object. Nevertheless, the above discussion is important to contextualise the need for determining whether data is an object.

Definition of Object in International Humanitarian Law

The term “object” has not been explicitly defined in IHL but the Additional Protocols make numerous references to civilian objects and their protection. Article 52(2) of the AP 1 states that “military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action.” The definition implies that the term object only includes visible, tangible, and physical objects. This requirement has been made clear in both the English and French commentaries of the Additional Protocol I, object means “something placed before the eyes, or presented to the sight or other sense, an individual thing seen, or perceived, or that may be seen or perceived; a material thing.”⁵Commentary On The Additional Protocols Of 8 June 1977 To The Geneva Conventions Of 12 August 1949, ¶¶ 2007–08 (Yves Sandoz, Christophe Swinarski & Bruno Zimmermann Eds., 1987 While data does not fulfil these requirements, it is still crucial in carrying out military operations, gaining military advantages, even if it may be civilian data, such as social security data, tax records, bank accounts and election records.

Status of Data as per the Tallinn Manual

The Tallinn Manual is a commentary of international law experts on how IHL applies to cyberspace. Although it is non-binding, it is the most reliable source of expertise regarding cyber warfare. The experts unanimously agreed that while “computers, computer networks and other tangible components of cyber infrastructure constitute objects”, the same cannot be said about data. They looked at the commentary of the API and ordinary meaning of the treaty and argued that the requirements of tangibility and visibility were inherent in API. By this reasoning, data did not qualify as an object. This also means that an attack on data would not be considered an attack under IHL.⁶Tallinn Manual 2.0 On The International Law Applicable To Cyber Operations, Cmt. To R. 100, ¶ 5, At 437 (Michael N. Schmitt Ed., 2017)

However, dissenting experts highlighted that the failure to categorise data as an object would mean that any attack on civilian databases such as election records and social security numbers etc would not be unlawful. Civilian property would lose its protection, which is contrary to the purpose and motivation of IHL.

State Perspectives on Data as an Object

It is also crucial to look at how states interpret whether data is an object. States do not appear to be in consensus on the matter. For example,  Germany’s position is that “[…] a civilian object like a computer, computer networks, and cyber infrastructure, or even data stocks, can become a military target, if used either for both civilian and military purposes or exclusively for the latter.”⁷Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8-9 Other states, such as Norway, maintain that data can be considered an object during target selection.⁸Manual of the Law of Armed Conflict t (The Chief of Defence 2013) (Norway)210 France is of the view that civilian content data may be considered a protected object.⁹International Law Applied to Operations in Cyberspace (Ministe`re des Arme´es 2019)15; Droit international applique´ aux operations dans le cyberspace (Ministe`re des Arme´es 2019) (France) 16 While Romania agreed that cyber operation against data trigger IHL and civilian objects/data may not be attacked.¹⁰Official Compendium of Voluntary National Contributions on the Subject of How International Law Applies to the Use of Information and Communications Technologies by States (13 July 2021) UN Doc A/76/136, 78 (Romania) This is a more modern approach to interpreting the treaty. In contrast, countries like Israel, Denmark and Chile are of the view that ‘under current international humanitarian law […] data would not qualify as objects, in principle, because they are intangible.¹¹R Schondorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’ (2021) 97 Intl L Studies 395, 401 Thus, the lack of state consensus makes it difficult to determine the way forward in regulating cyberspace.

The existing understanding of the term ‘object’ as per the article 52 of the API is already broader than what one would normally presume to be an object. The term ‘object’ does not ordinarily refer to locations or animals and yet they are included in the definition of civilian objects which have the protection of IHL. Nevertheless, they have been encompassed in the definition. Thus, the definition  should also be extended to include computer data.

Computers and even cyber infrastructure have been included in the definition of object.¹²Tallinn Manual 125 Data forms the integral part and the essence of the devices and infrastructure. These structures are merely a vessel for the data, which is the actual object being targeted or protected. Therefore, it seems illogical to consider data and computers as two separate things and not extend the protection of IHL to data too. The only reason this distinction has been made is because if data is included in the definition of object, states will have to comply with the principles of IHL and this would limit their warfare tactics.  Nevertheless, the majority of states interpret the term ‘object’ to include something tangible, which can therefore be easily targeted during military operations; given that computer data is intangible, the majority view is that computer data is not an object under IHL.

Conclusion

As of yet, there is no authoritative framework to bring the events of cyberspace in general under the laws of IHL. This means that most operations against data are not governed by the principles of necessity, proportionality, distinction, and precaution. An object is something visible and tangible, and something which can be physically damaged. A major reason why data is not considered an object is the lack of intention on the part of states. International law is reflective of the state practice and the treaties states sign. States today have invested interests in being able to conduct cyber operations against another state’s data. As data can provide a state access and control of all forms of civilian and military information, it will be against their interest to give computer data the status of an object. However, the possibility cannot be ruled out as state practice may evolve and a consensus may be reached on the matter via a treaty, given the rapid developments of cyberspace.

In my opinion, objects should not be considered an object under IHL as it stands today. The purpose of the law was to mitigate and prevent physical harm caused to civilians during conflict. The hacking, alteration or deletion of computer data does not necessarily cause any physical harm to civilian life or civilian objects. Hence, there is no need for applying the principles of proportionality or distinction.  If there is physical harm then it automatically initiates an armed conflict and the application of IHL. It is unlikely that states will be concerned too much with purely civilian data during cyber warfare. The matter may be regulated through data privacy laws and other human rights norms; however, regulation under IHL does not seem warranted given the difficulty of its regulation.