The short answer is YES! A slightly longer answer is prompted by questions such as… why, over the last few days, have we not heard news about ambassadors presenting demarches in Washington, with reasonable doubts about whether their e-mails have been intercepted? Or… the news that some national legal adviser, hoping to have his/her name written in legal history, is preparing a court case against the USA on the grounds of unauthorised access to diplomatic documents stored on Google Drive?
In these examples I have mentioned the USA because of the recent PRISM outrage and the concentration of the Internet industry in the USA. But, in principle, any country could be responsible for (not) observing diplomatic e-immunities.
One of the early incidents involving e-immunities dates back to 2002, when a local Turkish newspaper intercepted and published an e-mail sent by the European Union (EU) delegation in Turkey. The EU demanded that the Turkish government take measures to enhance the security of its diplomatic representation in Ankara, pointing out that communications, including electronic ones, are protected under the 1961 Vienna Convention on Diplomatic Relations (VCDR). The Turks replied that it is difficult, if not impossible, to ensure the e-security of every diplomat. This was a very early incident in e-immunities, which highlights dilemmas that still exist today (e.g. what is a reasonable responsibility of the host State in ensuring e-immunity).
After a long lull, during which our dependence on the Internet has increased, the question of e-immunities has come into the focus of the international community. For example, today, many international organisations – pressured by financial crises – are in the process of replacing expensive in-house servers with much cheaper storage space in the Internet cloud (big server farms run by Amazon, Google and other Internet companies). Can their electronic documents enjoy the same diplomatic protection as those they have on the servers on their own premises? This is a question currently debated by the leadership of different international organisations.
Countries and diplomats will start connecting the dots, and realising that their digital assets do enjoy the same diplomatic protection as their physical ones.
What will be the legal basis for such claims for e-immunities and, possibly, the first related court cases at the International Court of Justice?
The legal construct of e-immunities starts from the – almost – obvious: the fact that existing law applies to ‘cyberspace’ (whatever ‘cyberspace’ means). For a long time, especially in the early days of cyber-enthusiasm, many argued – I have debated my share as well – that the brave new space of the Internet requires new rules. For cyberspace, we need cyber-law. But a reality check came along quite fast. Yes, bits and bytes flow in all possible ways, but ultimately, they always have a link with physical reality, whether it is the computer we use, the cables that carry our Internet traffic, or servers storing our files. Even wireless communication is ‘physical’, travelling through the ‘air’ under the sovereignty of a specific State. Today, the ‘cyber-illusion’ is cleared, and we focus mainly on the specificities of applying existing law to the Internet, not on inventing new law.
The US cybersecurity strategy clearly stipulates: 'Long-standing international norms guiding state behavior—in times of peace and conflict—also apply in cyberspace'. A similar view is echoed in other international legal and political documents.
What are the rules of existing diplomatic law – codified in the Vienna Convention – that are relevant for the Internet as well?
Diplomatic missions are entitled to free communication, and free also includes free from surveillance. Article 27 says: ‘1. The receiving State shall permit and protect free communication on the part of the mission for all official purposes. …'. Article 40 (3) requires third countries to protect diplomatic communication in transit. This article could be the basis for cases dealing with the interception of e-mail communication on the Internet, outside the country where the diplomat is based.
The Vienna Convention was more specific about regulating the protection of wireless communication, in order to prevent the receiving State from interfering in a communication system run by an embassy and sending State. Could this wireless provision be applied today, when most communication between an embassy and capital is performed via various Internet links, operated by private companies (Internet service providers, VPNs)? Can the receiving State impose special obligations on private companies (e.g. Internet service providers), to protect diplomatic communication? These and other questions should be clarified in the forthcoming period.
Inviolability of correspondence and archives
The VCDR provides very broad protection for archives and documents. Such protection was inspired by the importance of confidentiality for the work of diplomatic services. This protection was highlighted by adding the phrase 'and documents' to the initial draft of Article 24, although documents are covered by the broader term 'archives'. The main reason for adding ‘and documents’ was to include less formal documents that are not part of the archives, such as negotiating documents, ‘non papers’ and memoranda in draft.
This wide interpretation of the concept of archive was restated by the International Law Commission in their work on the Convention on the succession of States, where archive is defined as ‘documentary material of whatever kind amassed and deliberately preserved by State institutions in the course of their activities.’ (ILC yearbook 1981 vol II, p 50). The phrase ‘of whatever kind’ includes electronic documents and e-mail, even if they are not stored as archives.
Article 30 of the VCDR confers inviolability on correspondence and papers, even those that may be private. One justification for including all correspondence and papers was to reduce the temptation of a receiving State to search papers and classify them as private or official. This is another provision that requires re-examination in the Internet age. One could argue that digital documents saved on diplomats’ computers, as well as documents saved in the ‘cloud’ (e.g. GoogleDocs), should also be protected.
How to apply diplomatic immunity to e-communication?
While it is clear that the VCDR’s rules on protection of communication and archives can apply to the Internet, it remains to be seen how to apply them in a reasonable and proportional way.
The first question that arises is related to the universality of diplomatic immunities. According to Article 24 of the VCDR 'The archives and documents of the mission shall be inviolable at any time and wherever they may be’. 'Wherever they may be’ makes diplomatic privileges even more 'virtual' than the Internet itself. Thus, for example, a Brazilian diplomat based in an embassy in Azerbaijan could request protection of his document stored on the Google server in the USA. Back in 1961, when the VCDR was drafted, there were physical limitations to the ‘movability’ of documents and archives. They had to be printed and distributed. Since these physical limitations do not exist any more, the principle of universality of diplomatic protection may need to be re-examined and, possibly, limited.
A second question is related to the level of responsibility that governments have in ensuring e-immunities. In international public law, legal action on immunities cannot be taken against private companies – e.g. Google or Facebook – who may be involved in the breach of e-immunity. Responsibility in international public law exists only among States. National governments – e.g. the USA – have a responsibility to ensure that individuals and institutions under their jurisdiction comply with international law – in our case the VCDR. Here we have a question of proportionality. Would the US Government be responsible for ensuring that any e-mail of any diplomat, stored on – for example, a Gmail server – be protected by diplomatic privilege?
The VCDR provides a possible answer through its rule that governments must take ‘all appropriate steps’ to ensure the protection of diplomats (Article 29). The phrase ‘all appropriate steps’ was one of the most controversial parts of the drafting of the VCDR. Some countries, such as Belgium, wanted to include an indication that governments should take ‘all steps’ to protect diplomatic missions. This formulation was criticized as being too demanding of the receiving State. The negotiations resulted in acceptance of the formulation 'all appropriate steps’. It remains to be seen what 'all appropriate steps’ means in the digital world. For example, diplomats might be required to use a special registration, which would help Internet companies to identify them as diplomats, and ensure the protection of e-immunities. 'All appropriate steps' would also imply punishing the persons or companies who violate e-immunities. In taking ‘all appropriate steps’, national governments must ensure the compliance of their nationals and companies with the requirements of the VCDR.
It is clear that most existing diplomatic law applies to the Internet as well as our physical world. It is still unclear how this body of law will be implemented in the virtual world. We can expect an interesting process of development of legal practices, first court cases, and the emergence of new principles. Next Wednesday (19 June 2013) at the E-participation Day we will discuss the question of diplomatic e-immunities during one of our break-out sessions. Please join us!
In the meantime, be aware that your e-mail or documents in the cloud might be vulnerable regardless of the legal status of diplomatic protection.