Separate problems of extraterritorial executive jurisdiction of States in cyberspace.

Tebenkova Viktoriya Nikolaevna Postgraduate Student, Department of International Law, Kutafin Moscow State Law University 123001, Russia, Moscow, Moscow, Sadovaya-Kudrinskaya str., 9 vikivik.teb@gmail.com Other publications by this author

Introduction

Traditionally, executive jurisdiction aimed at enforcement of State legislation is territorial in nature, meaning that States can exercise their powers in full only with respect to persons, objects and events located or occurring on their territory.

At the same time, the development and active use of information and communication technologies, primarily the Internet, has led to the emergence of new types of extraterritorial executive jurisdiction, the legality of which, from the point of view of international law, raises questions. In particular, we are talking about the implementation by States of access to information stored on websites, devices or servers outside their territory (hereinafter referred to as cross-border remote access to information/data; the terms "information" and "data" are used as synonyms in this article).

This problem is particularly relevant in the light of the increasing number and territorial coverage of cybercrimes, evidence for which often exists only in electronic form and can be located around the globe.

International conventions provide for such a way of obtaining information as making requests for legal assistance. The main problems, however, are that requests for legal assistance may be ineffective in a situation where the data is on devices and servers located around the globe. Moreover, the data can be quickly moved from one jurisdiction to another, changed or deleted, can be stored in different jurisdictions at the same time, which makes mutual legal assistance mechanisms obsolete and often unworkable. 

In this regard, many States recognize remote access to information stored on websites, computers or servers outside their territory as legitimate, and the evidence obtained in this way is legitimate.

An example is the Decision of the Supreme Court of Norway in the case of Tidal (Tidal Music AS v. The Public Prosecution Authority, HR-2019-610- A, case No. 19-010640STR-HRET, March 28, 2019), in which the court found permissible the actions of Norwegian law enforcement agencies who, during a search of the premises of companies in Norway, downloaded certain data from servers located in Norway through computers located there USA and other European countries. According to the court, the actions of law enforcement agencies did not affect another State to the extent that this constitutes a violation of the principle of sovereignty, since the data search was conducted in a Norwegian company using access credentials that the company, represented by its employees, provided to Norwegian law enforcement agencies.

Another illustration is the US Law on Clarifying the Legitimate Use of Data Abroad, also known as the "CLOUD Act" (The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943), March 23, 2018), which does not directly authorize the right of remote cross-border access to information by law enforcement agencies, but obliges information and communication service providers, on the basis of a warrant or subpoena, provide information under their control, regardless of the location of the data.

Thus, it is possible to distinguish two methods used by States to obtain cross-border access to information stored on the territory of another state:

- direct access to data using technological means or

- indirect access through sending requests to information and communication service providers (hereinafter referred to as service providers) ^{[1, p.540]}.

Despite the practical application of these methods, the question of whether States, from the point of view of international law, can carry out such actions and under what circumstances, remains open.

Starting to analyze this issue, we note that according to the generally accepted approach, international law applies to the activities of States related to the use of information and communication technologies ^[2]. In this regard, extraterritorial executive jurisdiction in this area must meet the requirements of international law.

Extraterritorial executive jurisdiction of States in international law.

The term extraterritorial jurisdiction in international law is used to denote the exercise of the sovereign right or powers of a State outside its territory ^{[3, pp.273-274]}.

Due to the fact that the exercise of extraterritorial jurisdiction of a State may affect sovereign rights and constitute illegal interference in the internal affairs of foreign States, the problem of the exercise of such jurisdiction is the most important in international law.

Essential for considering the question of how international law regulates extraterritorial jurisdiction is the classification of jurisdiction into prescriptive jurisdiction, expressed in the establishment of legal norms, and executive jurisdiction, ensuring the enforcement of legal norms through the use of legal coercion ^{[4, pp.33-37]}.

The establishment of extraterritorial prescriptive jurisdiction is based on the principles of extraterritorial jurisdiction recognized by international law, demonstrating the legitimate interests of the State when asserting its jurisdiction in a particular case on the basis of sufficient connection with the relevant persons, property and actions ^{[3, p.275]}.

According to the UN International Law Commission, such principles that allow a state to extend the operation of national legislation beyond its own territory are: a) the principle of objective territoriality; b) the doctrine of consequences; c) the principle of protection; d) the principle of citizenship; and e) the principle of passive legal personality ^{[3, p.275]}.

In turn, the exercise of executive jurisdiction is more strictly territorial in nature and its extraterritorial manifestation can be carried out only if there is a permissive rule of international law or with the consent of the State.

This conclusion was emphasized in The Lotus case (The "Lotus" Case, September 7, 1927. PCIJ A., No. 10. 1927), in which the Permanent Court of International Justice, in fact distinguishing between prescriptive and executive jurisdiction, pointed out that international law does not prohibit States from extending the application of their laws to persons, property and actions outside their territory and further exercise jurisdiction on their own territory, however "... when in the absence of a permissive rule to the contrary, the State cannot exercise its power in any form on the territory of another State. In this sense, jurisdiction is certainly territorial; it cannot be exercised by a State outside its territory, except by virtue of a permissive rule arising from an international custom or convention."

The report of the UN International Law Commission on extraterritorial jurisdiction emphasizes that a State cannot enforce its criminal legislation, that is, investigate crimes or arrest suspects on the territory of another state without the consent of that other state ^{[3, p.278]}.

Direct cross-border access to data

Direct cross-border access of law enforcement agencies to information stored on servers and devices located outside the territory of the State is one of the types of extraterritorial executive jurisdiction, since it involves the implementation of law enforcement functions aimed at obtaining electronic evidence outside the territory of the state.

At the same time, at the moment there is no norm of customary or universal conventional international law that allows States to exercise this kind of extraterritorial jurisdiction. In this regard, direct remote access to information on the territory of another State without his consent will constitute a violation of international law.

This conclusion can be supported by reference to the norms of existing international conventions of a regional nature regulating, among other things, international cooperation in criminal cases related to the use of ICT, which directly restrict the possibility of direct remote access to information by the territory of the State. In particular, similar provisions are established in article 19 of the 2001 Convention on Computer Information Crime (Budapest Convention) ^[5] and article 4 of the 2010 Convention of the League of Arab States on Combating Crimes in the Field of Information Technology ^[6].

In the draft UN Convention on cybercrime currently being developed, it is also proposed to consolidate the provision that the participating States do not have the right to exercise jurisdiction and functions on the territory of another state that fall exclusively within the competence of the authorities of that other state in accordance with its domestic legislation, and the activity of collecting electronic evidence should be limited to their own territory. states ^[7].

In addition, it should be noted that States have exclusive jurisdiction over the ICT infrastructure located on their territory. At the same time, in accordance with the principle of non-interference, States should not directly or indirectly interfere in the internal affairs of another state, including with the help of ICT ^[2].

Thus, direct cross-border access will lead to violations of the sovereignty of the State in whose territory the data are located, as well as constitute unjustified interference in matters within the internal jurisdiction of the State, which can be considered a violation of the principle of non-interference.

There are, however, a number of cases where direct cross-border access to information is considered permissible under international law.

Professor Cedric Ringart, in particular, points out the permissibility of such actions in cases where the information is publicly available, the territorial state permits such searches or the owner of the information gives his consent [8. p.81].

Indeed, in cases where we are talking about publicly available data and publicly available sources of information, for example, Internet sites, pages in social networks, we can hardly talk about illegal access to information that has already been disclosed to the public.

The implementation of direct cross-border access based on the consent of the State in whose territory the data is stored will also comply with international law. 

A more complicated issue is the possibility of access to information based on the consent of its "owner".

Such a basis is contained in subparagraph b of article 32 of the Budapest Convention and subparagraph 2 of article 40 of the League of Arab States Convention on Combating Crimes in the Field of Information Technology 2010.

Thus, subparagraph b of Article 32 of the Budapest Convention states that a party may, without the consent of the other party, obtain access to computer data stored on the territory of the other party through a computer system on its territory, or receive them if that Party has the legal and voluntary consent of a person who has the legal authority to disclose this data to that Party through such a computer system. the system.

At the same time, these treaties are not universal and apply exclusively to Member States.

At the same time, in our opinion, the conclusions that obtaining access on the basis of the consent of an authorized person will be considered by all States as consistent with international law are premature.

Similar doubts are caused by the fact that the provision on the possibility of obtaining direct cross-border access to data on the basis of consent was excluded from the draft UN Convention on cybercrime currently being developed.

Thus, article 72 of the draft convention, considered during the fifth negotiating session of the ad hoc committee ^[9] contained a provision that a State party may, without the permission of another State party, obtain through a computer system on its territory access to stored computer data located in another State party, or such data itself, if the State Party accessing or receiving such data obtains the lawful and voluntary consent of a person with legal authority to disclose data to this State Party through this computer system.

As a result of the negotiation session of the ad hoc committee, this item was deleted from the draft convention and was not contained in the consolidated negotiating document discussed at the sixth session ^[10].

We believe that the main reasons for the exclusion of this provision are related to the concerns of States regarding the possible violation of the sovereignty of the participating States in the implementation of this type of access and the lack of legal certainty of the terms "lawful and voluntary consent", as well as "lawful authority".

In particular, the Russian Federation notes that it is not clear whose law and by whom should be applied when assessing "lawful and voluntary consent" and "lawful authority", and it is also not clear whether service providers will have such "lawful authority" for cross-border disclosure of their data ^[11].

In our opinion, the very nature of cyberspace, which implies the possibility of storing data around the world, leads to the fact that direct cross-border access to information based on the lawful and voluntary consent of a person with legal authority to disclose data should be considered permissible.

Otherwise, sending a request for international assistance is also required when the legitimate "owner" of the information is willing to voluntarily provide it to law enforcement agencies. This approach has a number of disadvantages, as it leads to an unjustified delay in investigations associated with the need to resort to mutual legal assistance mechanisms, and violates the rights of the "owner" of information to freely dispose of it. In addition, this approach is unlikely to be fully implemented in practical reality, since both the "owner" of information and law enforcement agencies may often not know the actual location of data storage, especially when it comes to data storage by a cloud service provider, which, as a rule, have servers in a number of states.

In this regard, it is necessary to achieve an international consensus aimed at resolving controversial issues related to obtaining information based on the consent of its "owner".

In our opinion, the person with the legal authority to disclose data should be the direct "owner" of the data, for example, an individual or his legal representative, if we are talking about personal data, information on his e-mail, accounts in applications, social networks, websites, computer devices.

At the same time, the evaluation of the terms "lawful and voluntary consent" and "lawful authority" should be interpreted in accordance with the legislation of the state of the "owner" of the data.

Information service providers, as a general rule, should not be considered as persons with legal authority to cross-border disclosure of their subscribers' data. Contacting service providers should be carried out through requests for legal assistance, or by recognizing the possibility of directly sending a request to a service provider on the basis of a bilateral or multilateral international agreement.

An example of such international cooperation can be the Second Additional Protocol of 2022 to the Convention on Cybercrime on the expansion of cooperation and disclosure of electronic evidence ^[12].

The additional protocol provides for two types of requests that a State party to the Convention may send directly to service providers in another State party:

- request to the provider of the domain name registration service on the territory of the other party for information to identify the owner of the domain name registration or to contact him (Article 6);

- a request to the service provider in the territory of the other party, in order to disclose information about a specific subscriber (Article 7).

At the same time, States should take legislative measures obliging service providers in their territory to provide data at the request of the State party.

Indirect cross-border access

Indirect cross-border access involves obtaining information about subscribers of a service provider stored on the territory of another state by sending mandatory requests to the service provider in accordance with national legislation.

To resolve the question of whether extraterritorial enforcement jurisdiction is carried out with this type of access, we can consider the arguments used in the case related to the issuance by the US authorities to Microsoft of an order for the provision of data controlled by Microsoft, but stored in Ireland (Microsoft Corp. v. United, 829 F.3d 197 (2d Cir. 2016)).

During the proceedings in the court of appeal, Microsoft argued that the requested data could not be provided, since they were stored on servers in Ireland, and therefore, by issuing an order obliging disclosure of data, the US authorities were carrying out illegal enforcement activities on the territory of another state.

In turn, the US government pointed out the absence of extraterritorial executive jurisdiction in this case, since the provision of information under the warrant did not require US officials to enter the addressee's premises to search and seize property in his possession, but rather required the addressee to disclose to the US authorities the data available to him. In this regard, the US authorities would not have carried out any actions of physical coercion abroad, since all the steps necessary to ensure the disclosure of information would have been taken by Microsoft itself.

The court, analyzing this issue, focused on determining the moment when there would have been an interference with the client's privacy rights in the event of the execution of the order. If this happens in the place where Microsoft transfers data to the US authorities, i.e. in the US after Microsoft exported them there, then the question of extraterritorial jurisdiction does not arise and the provision of data under the warrant is permissible. If the interference occurs at the moment when Microsoft gets access for extraction purposes to data stored in a data center in Ireland, then an unacceptable extraterritorial application occurs.

As a result, the court ruled that any interference with the client's privacy rights occurs where the protected data is stored. Thus, since the requested data was stored in a data center located in Ireland, the court ruled that the execution of the warrant would violate the sovereignty of Ireland if the procedures for requesting legal assistance were not followed.

The decision was appealed to the Supreme Court, which, however, did not rule on the merits, due to amendments to the law explicitly obliging service providers in the United States to provide information under their control by warrant or subpoena, regardless of the actual location of the data (we are talking about the previously mentioned US law on clarification legal use of data abroad, also known as the "CLOUD Act").

The court's decision and the positions of the parties in this case illustrate two views on whether extraterritorial enforcement jurisdiction is exercised in cases of obtaining indirect access to data.

Analyzing the case, Professor Dan Svantesson noted that the positions of Microsoft and the US government may be correct at the same time, depending on how we understand extraterritorial jurisdiction: "according to the government, and it is true that there is no law enforcement activity on foreign territory. However, and this is important, law enforcement functions are carried out on the territory of another state. In other words, the government looks exclusively at the place from which jurisdiction is exercised (the United States). Microsoft also takes into account extraterritorial effects, and these effects are manifested in Ireland. Thus, the US government gives extraterritoriality a narrow definition, while Microsoft gives it a broad definition" ^{[13, p. 52]}.

As a result, the professor comes to the conclusion that international law cannot solve this problem, since it does not contain provisions defining exactly where the behavior in question takes place in situations like the Microsoft warrant case, that is, at what point information is disclosed and, accordingly, the exercise of the executive jurisdiction of States ^{[13, p.51]}.

Criticizing these arguments, another researcher, Stephen Allen, points out the need for a systematic consideration of this issue and suggests referring not only to the rules on jurisdiction, but also on State responsibility in international law ^{[14, pp.407-408]}.

Thus, article 5 of the Articles on the Responsibility of States for Internationally Wrongful Acts, according to which the conduct of a person or entity that is not an organ of a State in accordance with article 4, but authorized by the right of that State to exercise elements of State power, is considered as an act of that State under international law, provided that in this case this person or entity acts in this capacity ^[15].

In the light of these provisions, the fact that representatives of law enforcement agencies will not directly engage in law enforcement activities on the territory of another State is not a key criterion for establishing State responsibility from the point of view of international law.

As a result, indirect access becomes similar to direct access, in which not its law enforcement agencies act as an agent of the state, but a private person authorized by the state to do so.

Thus, the implementation of indirect access to data can also be considered as a violation of international law, in the absence of the consent of the State in whose territory the data is actually stored.

On the other hand, such an approach clearly does not contribute to the effective and prompt collection of electronic evidence and makes it attractive for service providers to search for favorable legal regimes characterized by a low degree of international cooperation.

In this regard, Professor Dan Svantesson's conclusions that solving the problem of indirect access to data requires the creation of a legal fiction aimed at determining the moment of data disclosure and developing conditions for such disclosure are quite reasonable ^{[13, p.51]}.

Conclusion.

Based on the above, it can be concluded that direct cross-border access to data stored on the territory of a foreign State is one of the ways to exercise extraterritorial executive jurisdiction and, accordingly, must be carried out in accordance with the requirements of international law, namely, the presence of a permissive norm or the consent of the State.

Indisputable in international law is the approach according to which States can obtain remote access to data stored on the territory of another State if such data is publicly available, or the consent of the State to access the data has been obtained.

A more complicated situation is when access was obtained on the basis of the legal and voluntary consent of a person who has the legal authority to grant access. In particular, disagreements may arise both in connection with the general legality of such access without the consent of the State in whose territory the data is stored, and in connection with the interpretation of the terms "lawful authority" and "lawful and voluntary consent".

Indirect cross-border access to information carried out by sending a request to an information service provider obliging, according to national legislation, to disclose information about its subscribers, regardless of its actual location, can also be regarded as contrary to international law. In this case, the service provider is considered as an agent of the State and performs illegal, from the point of view of international law, access to data under the jurisdiction of a foreign state.

These difficulties lead to the fact that States continue to be guided by requests for mutual legal assistance in order to obtain electronic data, despite the fact that the question of the effectiveness of using such methods to combat cybercrime remains open.

Cooperation mechanisms are more advanced, such as the possibility of sending direct requests to service providers, are developing within the framework of regional associations, which, according to the fair opinion of the UN intergovernmental group of experts on cybercrime, increases the risk of the formation of country clusters, within which there are the necessary powers and procedures for cooperation between their member countries, but which, in relation to all other countries are limited to "traditional" types of international cooperation that do not take into account the features of electronic evidence ^{[16, p.220]}.

In this regard, in order to increase the effectiveness of combating cybercrime and obtaining electronic evidence, it is necessary to develop common standards for remote access to data located on servers and devices located on the territory of another state. Such standards should regulate the following areas:

- define procedures and rules for obtaining the consent of a person with authority for cross-border data disclosure;

- to expand universal international cooperation, including by recognizing the possibility of sending direct requests for the provision of certain information about subscribers to service providers;

- establish mechanisms for disclosure by service providers of data under the control of the provider, but stored on servers located on the territory of foreign states.