Luca Urech (Fletcher School, MA candidate in Law and Diplomacy) has written in with the following reaction to my post on the extraterritorial right to privacy, discussing how we might apply the concept of "effective control" to cyber-contexts:
Confronting the revelations of the massive NSA surveillance program, Kenneth Roth has recently called for a global right to privacy and stressed that it is time for the “law to catch up.” Before thinking about the creation of new international rules, it is however worth looking at the protection that international law affords as it stands today. Does the right to privacy as enshrined in Article 17 of the ICCPR and many other human rights treaties already provide for global protection, Ashley Deeks rightly asks?
The extraterritorial application of human rights law, and especially the ICCPR, is in itself already a highly controversial subject, and its application to cyberspace in the context of modern surveillance does not make the task any easier. Legally, the crux of the matter lies in the question of under what circumstances an individual located outside a state’s border would fall under the jurisdiction or “effective control” of that state.
In the non-cyber world, international courts such as the European Court of Human Rights and the International Court of Justice have relied on either a personal or a spatial model of jurisdiction when applying human rights treaties extraterritorially. The logic of these models is compelling. Whenever a state exercised sufficient physical control over either a person or a given geographic area, that person or space would fall under the state’s jurisdiction.
Cyberspace works differently. For the purpose of intercepting private communication on the Internet, physical control over the sender or recipient of the message becomes largely meaningless. Tackling the question of extraterritoriality in cyberspace hence requires us to develop a more nuanced understanding of what it really means for a state to exert "power" or "authority" over an individual in the human rights context.
As Ashley Deeks rightly points out, this power is physical in nature when it comes to detaining an individual, a human rights violation if conducted in an arbitrary manner. In the case of detention and other “conventional” human rights violations, the physical control over the person is the sine qua non of the violation. If the state’s agents don’t have physical authority over the individual, they cannot detain that person.
Contrast the detention scenario with privacy intrusions in cyberspace. The NSA has collected billions of communication pieces, yet the United States almost never exercised physical control over the persons targeted by the NSA. Collection of, let's say, a private Facebook message does not require the collecting state to send its agents and take the surveillance target into custody. It rather requires the state to exercise power over that part of the Internet infrastructure where the message is stored or transmitted. This power can be the result of legal coercion (e.g. FISA Section 702), voluntary cooperation of the company in question, or even illegal intrusion into the company's network.
From these two examples it becomes clear that a state exercises effective control not so much over a person, but over the person's aspect that is relevant to the right in question. This aspect can be the body of the person in conventional circumstances, but in cyberspace the relevant aspect relates to the person’s virtual identity, consisting of data, stored on servers and flowing around cables and routers. It follows that a state can exercise “effective control” over a person both through physical and non-physical means. In cyberspace, it is always non-physical.