Nation states and hacking

As technology and communication become increasingly intertwined, new vulnerabilities and methods of attacking critical IT systems are emerging. This also has an impact on how hacking takes place and, not least, who does the hacking. Several years ago, the Language Council of Norway introduced the Norwegian word "datasnok" (snok = someone snooping/nosing around) as an alternative to describing a hacker. This Norwegian word plays on the fact that the hacker snoops around in other people's files without permission.

However, today's hackers are a far more diverse group, driven by more than just curiosity and a need to test boundaries. Hackers don't just operate alone, but often form larger communities that not only engage in organised hacking, but also develop common tools to engage in large-scale hacking. By making these tools available to others via various channels on the Internet, anyone from professional hackers to so-called "script kids" can download ready-made computer programmes that can be used for computer attacks and hacking. The nickname "script kids" alludes to the fact that this easily allows people who do not possess the necessary knowledge or expertise to engage in direct hacking to use such tools. A well-known example is how hackers first spread malicious software infecting thousands of computers around the Internet. Later, these infected machines are used in coordinated attacks that bombard websites or other targets with repeated requests or commands, leaving the recipient unable to receive other requests or to crash completely. 

Alongside this development, we have seen the emergence of more sophisticated attacks that use a combination of surveillance and specially developed programmes capable of paralysing large organisations. Such programmes can be developed by hackers, as described above, but also by private companies that sell them, much like suppliers in the arms industry. In this publication, I have previously written about hackers who demand a ransom to reopen systems or to prevent the spread of downloaded confidential information. "Hack-for-hire" has also become a familiar term, where hackers take on assignments to find information or data that can be used for various purposes by the client through hacking. This is a growing problem linked to industrial espionage and acts of sabotage.

Hackers are also recruited as full or part-time employees on the payroll of various countries around the world. It's easy to understand why countries that engage in this kind of activity want to build up expertise in hacking to prevent and thwart attacks against their own national interests. But these are resources that are not just used defensively. In the media, we regularly read about attacks on digital infrastructure where there is a clear suspicion that other countries are behind the actions. One of the first major attacks where it was clearly suggested that a foreign state was responsible was "Operation Aurora", which took place in 2009 and 2010. The name of the operation was given by the security company McAfee, which discovered the name of the binary files that had been used to carry out the attack.⁽¹⁾ They believed that this was most likely the code name used by the hackers. Perhaps this name is also a reference to the armoured cruiser Aurora which, on the evening of 25 October 1917, fired the shot that signalled the storming of the Winter Palace in Petrograd. The grenade that was fired was an empty shell with no explosives, but the ripple effects of this single shot were enormous and marked the start of the October Revolution. Or perhaps it is a reference to a colourful sunrise: an aurora. In any case, the symbolism points in the direction of an event that is the start of something bigger.

Operation Aurora is a special case; it was one of the first major coordinated attacks against private organisations to be reported in the media and disseminated to the general public. The attack sent shockwaves throughout the IT world. In particular, the scale, resources and coordination behind the attack were sensational. It revealed a high level of expertise on the part of the hackers and a purposeful plan to guide it all.

Google was the first and only company to openly share information about this massive attack. It is not common for organisations to release this type of information, which they often want to keep hidden as far as possible. Subsequent analyses have shown that the attack was carried out through several stages, and that an important factor was a so-called "zero-day" vulnerability in Internet Explorer. The term describes a situation where there is a vulnerability or opening in a programme that is as yet unknown.

Google itself published a blog post in January 2010 about what had happened, and at the same time it was made clear that Google suspected China of being behind the attack.⁽²⁾ Google has since created a six-episode series on YouTube that deals with this incident ("Hacking Google"). The series describes the extensive work that was done to map and stop the attack. In the blog post back in 2010, Google itself described the extent of the attack:

"Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident – albeit a significant one – was something quite different."

At that time, there was already reason to believe that at least 20 other large organisations were affected. This number has since been greatly increased to include organisations in finance, technology, media, etc. In addition, it was reported that the attack targeted Gmail accounts linked to Chinese human rights activists, among others. Several other attacks were also uncovered.

Google concluded the blog post by pointing out that they now had to consider Google's investment in China, which was well underway at the time.

"These attacks and the surveillance they have uncovered – combined with the attempts over the past year to further limit free speech on the web – have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China."

The conclusion was that Google discontinued the investment and pulled out of China. Google has since re-entered China, but with a limited presence. It has never been confirmed whether China was behind the attack. The hacker group believed to be behind the attack has become known as "Elderwood", another word that has been found in data files used in connection with the attacks.⁽³⁾ This group is characterised by the fact that they have used a large number of zero-day vulnerabilities such as those mentioned above, and several hundred such attacks have reportedly been carried out.⁽⁴⁾ This is a demanding form of hacking, which also requires special expertise. All known vulnerabilities are normally rectified on an ongoing basis through patching and new updates. Uncovering new weaknesses to the extent that Elderwood has apparently done says a lot about the capabilities of these hackers.

Like several other large IT companies, Google is currently behind a number of measures against organised hacking. The company points out that the war in Ukraine is an example of how hacking is now a natural part of the armoury of nation states and is used in modern warfare:

"A lot has changed in our approach since Aurora. And perhaps no example illustrates that shift more clearly than our response to the war in Ukraine.

Russia’s invasion sparked, not just a military and economic war, but also a cyber war and an information war. In recent months, we have witnessed a growing number of threat actors – state actors and criminal networks – using the war as a lure in phishing and malware campaigns, embarking on espionage, and attempting to sow disinformation.

We launched Project Shield, bringing not just journalists, but vulnerable websites in Ukraine under Google’s security umbrella against DDOS attacks. While you can DDOS small sites, it turns out that it’s pretty tough to DDOS Google. We disrupted phishing campaigns from Ghostwriter, an actor attributed to Belarus. And we helped the Ukrainian government modernize its cyber infrastructure, helping fortify it against attack."

DDOS is a form of attack in which the recipient is overloaded with requests from a number of different senders, hence the name Distributed Denial Of Service attack. This was discussed briefly above in connection with amateur hackers, referred to as script kids. This is also a form of attack that can be made far more sophisticated and can quickly compromise a large number of websites and servers which are exposed through the Internet.

In other words, our modern world is entering a phase in which we must assume that different nation states have their respective hackers testing and challenging each other. They work both on defence and consolidation on their own side but, as we understand, they are also used in offensive attacks, espionage, disinformation, etc. What makes these activities particularly difficult to pursue is that they are usually carried out within the borders of the home state, but affect the recipient, who may be located somewhere else on the globe. Not only does this make it difficult to track and investigate, but it also raises complicated legal issues relating to jurisdiction and the principle of sovereignty under international law. State immunity is an expression of this principle, and means that a specific state cannot be sued in the national courts of another state.

To illustrate this issue, we will take a closer look at a recent and important decision from the UK. On 4 October 2024, the English Court of Appeal handed down its decision in the case of Shehabi & Anor v Kingdom of Bahrain (2024 EWCA Civ 1158 (Shehabi)). This is the first case where an English Court of Appeal considered hacking carried out from abroad to be an "act in the UK" within the meaning of the Act. The legislation at issue in this case was the State Immunity Act of 1978 (SIA).

As is known, Norway adheres to the dualist principle, whereby a special implementing act is required before a convention can be applied directly in Norwegian law. We have combined this with the presumption principle, which means that Norwegian law must be interpreted and understood in such a way that it is as consistent as possible with our international obligations. However, in the event of a direct conflict, Norwegian law will take precedence.

The principle of sovereign and diplomatic immunity is an important part of international law and provides protection against foreign states' courts and other executive authorities. In this area, Norwegian law takes a different approach, where international law takes precedence if it conflicts with Norwegian domestic law. This is often referred to as sector monism, whereby the foreign rule is adopted as Norwegian law within a limited area.

The Shehabi case centred on a foreign state's alleged use of hacking to surveil individuals now living in the UK. The two claimants, Dr Saeed Shehabi and Moosa Mohammed, alleged that agents from Bahrain used the FinSpy programme to hack or infiltrate their computers. The programme was then allegedly used to surveil everything that happened on the infected devices. FinSpy is an advanced form of spyware that allows the operator to gain control of a targeted system. In this case, the programme was allegedly used to collect extensive data and enable real-time bugging and surveillance.

According to the two claimants, the hacking was carried out by sending infected e-mails, which installed the FinSpy software on the local laptop when opened. This gave the agents access to private files, communication and browsing history, chat logs, contact lists, photos, databases and other material. In addition, they could simultaneously activate microphones and cameras to surveil the claimants' physical surroundings when they had the machine with them. The hacking also enabled location and movement tracking using location data, as long as an infected laptop was with one of the claimants.

This ability to surveil the claimants' surroundings is worth noting. The reason for the surveillance is said to be that both claimants have been prominent members of the political opposition to Bahrain's regime and have made their mark in pro-democracy movements. Dr Saeed Shehabi is a journalist and founder of Al Wefaq, a political party in Bahrain. Dr Shehabi has lived in the UK since 1973, where he was granted asylum and later British citizenship. From his exile in England, he is said to have continued his commitment to political reform in Bahrain. Moosa Mohammed is also a Bahraini opposition figure who has been involved in various political activities. After fleeing Bahrain in 2006, he was granted refugee status in the UK. He has worked to highlight human rights abuses in Bahrain and has been a vocal critic of the regime, particularly in relation to Bahrain's treatment of political dissidents.

The claimants allegedly became aware of the hacking in the wake of the publication by WikiLeaks in August 2014 of documents relating to Bharain's use of FinSpy software. An organisation called Bahrain Watch subsequently identified the claimants as one of the targets of this operation.

The State of Bahrain contested all the allegations made by the claimants. In the lower court, reference was nevertheless made to expert reports which, in the court's view, substantiated a course of events in line with the claimants' allegations. However, this question of evidence was not considered in the appeal. It must be emphasised that the Court of Appeal did not have to decide whether Bahrain had actually carried out the acts. All issues thus concerned the preliminary assessment of the immunity issue. The substantive issue related to liability for the act itself will be decided in the subsequent main proceedings.

Incidentally, Saudi Arabia has been through a similar case, which was also heard by the same judge in the court of first instance. This ended with a similar result, where the nation state was struck down. Saudi Arabia appealed the decision, but the appeal was rejected due to lack of security for legal costs, so the issue of immunity was never heard on the merits by the court of appeal. The Shehabi case is thus the first time a UK Court of Appeal has taken a closer look at the relationship between state immunity and hacking of this kind.

Section 5 of the SIA was at the centre of the case, as it is this provision that sets out the exemption from the immunity that foreign states enjoy under UK law:

Personal injuries and damage to property.

A State is not immune as respects proceedings in respect of – (a) death or personal injury; or (b) damage to or loss of tangible property, caused by an act or omission in the United Kingdom.

The case thus concerned the interpretation and application of the provision in this specific case.

The appeal was limited to three specific questions related to the hacking itself, all of which concerned the legal prerequisites for holding Bahrain liable.

1. Whether the actions of Bahrain's agents constituted an act in the UK at all under the SIA
   Bahrain argued that the alleged offences had not occurred in the UK anyway, as the hacking had been carried out from abroad. Thus, it should be Bahrain, and not the UK, that had jurisdiction over the case. For a UK judge to decide the case would thus constitute a violation of the principle of sovereignty and the underlying doctrine of jurisdiction. Hence, Bahrain maintained its immunity. The court thus had to consider whether the remote manipulation of computers in the UK, carried out from abroad, could be considered an act that took place in the UK.
    
2. Whether the annulment of Bahrain's immunity under the SIA was dependent on all of the tortious acts being deemed to have been carried out in the UK
   Bahrain also argued that exemptions from immunity under the provision are only relevant where "an act" takes place in its entirety in the UK. Here, one had to consider at least parts of the act to have been carried out in or from Bahrain.
    
3. Whether psychological injuries constitute "personal injury" under Section 5 of the State Immunity Act 1978
   As a final point, Bahrain argued that the psychological injury alleged by the claimants was not covered by Section 5 of the SIA, as it did not constitute an "injury" within the meaning of the Act.
    

With regard to the first question, the Court of Appeal ruled that the acts had to be considered to have taken place in the UK. This was despite the fact that it was assumed that the agents had not been physically present in the UK at any time. Based on the wording of the Act, the Court does not express any doubt about this question in paragraph 34 of the decision. The Court states that it would be artificial and unprincipled to draw a distinction between the act abroad and the effect in the UK, and emphasises that the act intervenes directly in the UK's territorial sovereignty:

"In my judgment, as a straightforward use of language, the remote manipulation from abroad of a computer located in the United Kingdom is an act within the United Kingdom. The true position in such a case is that the agents of the foreign state commit acts both in this country and abroad. To distinguish between what happens abroad and what happens here, characterising the former as an act and the latter as merely the effect of the act, is artificial and unprincipled. The reality is that a foreign state which acts in this way is interfering here with the territorial sovereignty of the United Kingdom."

In the further analysis, the Court points out that those applying the law must be careful when using the legal sources here, as the issue of immunity is a separate legal issue with its own source material in international law and domestic law. Legal sources related to other jurisdictional issues, such as extradition rules and procedural rules on service of process abroad, cannot as such be used as a basis in issues of exemptions from immunity under Section 5 of the SIA. On the other hand, practice from such cases shows that hacking from abroad against the UK has been considered to take place in the UK. In the Court's view, this means that the wording of Section 5 of the SIA should in mere linguistic terms cover hacking in the same way.

Not only does the Court emphasise the mere linguistic meaning of Section 5 of the SIA in relation to hacking, but also refers in paragraph 40 to the underlying principle of immunity on which the entire Act is based. If a foreign state carries out unlawful acts within the jurisdiction of another state, this is in reality a violation of sovereignty under international law. The basis for immunity then falls away:

"That is because the hacking by a foreign state of a computer located in this jurisdiction is an interference with the territorial sovereignty of the United Kingdom, as already noted. For this purpose it makes no difference where the agents of the foreign state are located."

Bahrain's lawyer in the case invoked a new decision from the European Court of Human Rights (ECtHR) of 12 September 2023 (ECtHR cases 64371/16 and 64407/16, referred to here as the Wieder case). This judgment had not been available to the lower court (see paragraph 30), so this was a new argument in the appeal. The complainants in the case were an American citizen residing in the United States and an Italian citizen residing in Germany. The central question under consideration was whether the UK had infringed Article 8 of the European Convention on Human Rights (ECHR) by carrying out bulk collection of electronic communications. The unique feature of this case was that none of the complainants were resident in the UK or had sent any communications from there. The UK argued that there was no jurisdiction or liability under the jurisdiction in a case where neither the sender nor the recipient was located in the UK. The ECtHR did not agree with this, writing in paragraph 93 of Wieder:

"Although there are important differences between electronic communications, for the purposes of Article 8 of the Convention, and possessions, for the purposes of Article 1 of Protocol No. 1, it is nevertheless the case that an interference with an individual’s possessions occurs where the possession is interfered with, rather than where the owner is located […] Similarly, in the specific context of Article 8, it could not seriously be suggested that the search of a person’s home within a Contracting State would fall outside that State’s territorial jurisdiction if the person was abroad when the search took place."

The ECtHR also refers to other cases that do not concern hacking or surveillance, but where the same principle applies. The Hanover case (ECtHR 59320/00) concerned the publication of photos taken of Princess Caroline of Monaco in various everyday situations. The Princess won against the German press, as the photos were of a private nature and there was, among other things, no public interest that could support any legitimate need for publication. The ECtHR notes that several elements of a person's private life cannot be separated from the physical person, such as physical integrity. In the Hanover case, the ECtHR had nevertheless found that photographs taken in Austria and published in German magazines in Germany and read by German readers violated the Princess's private life – even though she was resident in France and had an official residence in Monaco.

In applying these principles on the relationship between place of injury and jurisdiction to the case at hand, the ECtHR stated in Wieder, paragraph 94:

"Turning to the facts of the case at hand, the interception of communications and the subsequent searching, examination and use of those communications interferes both with the privacy of the sender and/or recipient, and with the privacy of the communications themselves. Under the section 8(4) regime the interference with the privacy of communications clearly takes place where those communications are intercepted, searched, examined and used and the resulting injury to the privacy rights of the sender and/or recipient will also take place there."

Returning to our case and the UK Court of Appeal, it is clear that the first-voting judge is not surprised that the ECtHR was not persuaded by the UK's arguments in the Wieder case. Furthermore, the Court emphasises that the case does not support Bahrain's arguments about lack of jurisdiction. Instead, paragraph 93 from the Wieder case is highlighted, partially quoted above, and concludes with comparing hacking to a traditional burglary:

"In modern terms, the hacking of a person’s computer is equivalent to burglars breaking in and stealing the contents of their safe."

It was thus clear that the act took place in the UK within the meaning of Section 5 of the SIA.

The next question was then whether all parts of the act that caused the injury under Section 5 of the SIA must take place in the UK. Here, the lower court had concluded that it was sufficient that "an act or omission" caused the injury, i.e. that there was a causal relationship between the act and the injury. This interpretation meant that it was not necessary to look at the entire act in a larger perspective, it would be sufficient that there is an act that causes injury. In other words, a small part of a set of actions may be sufficient to remove immunity if it is deemed to have been carried out in the UK under Section 5 of the SIA. It then has no bearing on the issue of immunity whether additional or other parts of the act in a broad sense have been carried out abroad.

The Court reinforces the linguistic interpretation by referring to the fact that this is also in accordance with the state of the law in several other countries, and also follows from several conventions – without the Court citing any sources in this regard. From this, the Court derives a general principle on the limitations on immunity in paragraph 55:

"Accordingly, if State A interferes with the territorial sovereignty of State B by doing an act in State B which is liable to cause death or personal injury to persons in State B, it takes the risk that it will be subject to civil proceedings in State B."

This is followed by an interesting source of law analysis related to an argument from Bahrain about the purpose and history of Section 5 of the SIA, including a discussion of an internal memo that was made available to members of the House of Lords in the British Parliament in connection with the State Immunity Bill in 1978. The Court points out that the memo by its nature is a very weak source of law, and that much has changed since 1979 in relation to hacking and jurisdiction. The Court also notes that the underlying argument about the purpose of the legislation in this case was not merely to continue international conventions, as several specific changes and adaptations were made as part of the national legislative work.

In the following discussion, the Court reviews a wide range of international legal sources, including the ECtHR (Al-Adsani, ECtHR case 35763/97), the Supreme Court of Canada, Article 12 of the UN Convention and US legislation and case law in this area. However, the Court finds no basis for deviating from the interpretation of the wording that opened the discussion, and thus rejects the second ground of appeal.

The final question concerned whether the complainants had suffered injury as a result of the hacking. In this case, it was a question of psychological injury as a result of discovering the hacking and the extent of the invasion of privacy. Bahrain argued that such injury was not covered by Section 5 of the SIA and the condition of "personal injury".

The claimants had presented evidence in the form of expert reports that supported the claim of psychological injury. This object of proof was not itself appealed for hearing. As discussed above, the appeal did not cover the substantive issue of whether Bahrain had actually carried out the acts in question, including the actual hacking and associated surveillance.

Under this question, Bahrain recognised that British law currently has developed a doctrine that recognises "personal injury", so that the term includes both physical and psychological injury. However, it was pointed out that the relevant provision in English law was introduced in 1978, and therefore not covered by later developments of the term. Here, the Court quickly cuts through and states in paragraph 91 that English law follows a general dynamic principle of interpretation under the term "always speaking":

"It is a general principle of statutory interpretation that a statute is not frozen in time at the date of its enactment, but should be interpreted taking into account changes that have occurred since its enactment."

If there had been a clear and established understanding in international law, this could have influenced this starting point and locked in an understanding of the content of personal injury. The Court finds no trace of any such practice. Instead, the Court refers to a case in the House of Lords from 1998, where a question concerned whether the Person Act of 1861 covered psychological injuries. It was held that recent practice included psychological injury, while the Act in question preceded this extension – thus a very relevant example in relation to our case. Lord Steyn presided over the case and commented (cited in paragraph 93 of our decision):

"Psychiatry was in its infancy in 1861. But the subjective intention of the draftsman is immaterial. The only relevant enquiry is as to the sense of the words in the context in which they are used. Moreover the Act of 1861 is a statute of the “always speaking” type: the statute must be interpreted in the light of the best current scientific appreciation of the link between the body and psychiatric injury."

Lord Steyn also provides a good summary of the history behind "always speaking", which is worth reading. For our case, it was clear that the starting point had to be a dynamic interpretation of Section 5 of the SIA, which also included psychological injury. Hence, the question was whether there was any basis for deviating from this starting point. In this analysis, the Court looks at several other cases in the area, which nevertheless do not change the dynamic interpretation model.

In addition, the Court points out that the claimants in any event had demonstrated that the term "personal injury" both in 1978 and earlier was considered to include psychological injury. A number of different statutory provisions introduced in the period 1948 to 1980 define the concept of injury so as to include psychological injury. Hence, the Court finds it substantiated that this was already the case when Section 5 of the SIA was introduced in 1978, and that the legislator's intention must have been to include psychological injury.

The lower court analysed several international legal sources, including the European Convention, the Council of Europe's interpretation opinions, the international special report that formed the basis for the UN Convention, Article 12 of the UN Convention and legal sources that address this provision. The conclusion of the lower court, which the Court of Appeal fully agrees with, is that there is no evidence to consider psychological injury to fall outside the concept of injury. The Court then makes an independent assessment of a number of other international sources of law, as we have seen in the other sections. In Canadian law, some court decisions emerge that go in the opposite direction, but the Court concludes that these are not based on international law and the question of the term's interpretation in the issue of immunity for nation states.

This meant that the third ground of appeal could not succeed either. It was then not necessary to consider the final question in the case. The claimants had argued that a dismissal of the main claim with reference to immunity, i.e. that Section 5 of the SIA did not remove Bahrain's immunity, would constitute a violation of Article 6 of the ECHR. As is known, this provision guarantees the right to a fair trial.

In a large number of decisions, the ECtHR has established that Article 6 must be read in such a way that it also provides an equally strong right to access to court. Without such a right, the principle of fair trial would lose much of its function. The ECtHR has been clear that Article 6 must be an effective and forceful provision, and has thus cracked down on unreasonably high court fees, demanded that cases must be heard within a reasonable time, etc.

The claimants had submitted that dismissal of the case due to immunity was only acceptable if the dismissal was fully in accordance with international law and custom in this area.

The Court did not need to consider this question, as the conclusion was already that Bahrain did not have immunity as the requirements in Section 5 of the SIA for annulment were present. Since a discussion with the opposite outcome would in any case have taken into account the international sources of law, it would probably be highly unlikely that the ECtHR would have annulled a decision with the opposite result. This is assuming that the national court had taken Article 6 into account in its assessment, and at the same time carried out a proportionality assessment between the principle of immunity and the claimants' need to have their case heard. The submission is nonetheless interesting, and it has a clear effect in that it encourages the court to conduct a thorough discussion of the international legal sources.

In an article by the undersigned in Lov & Data no. 158 (2/2024, page 36), reference was made to how the ECtHR in the case Podchasov v Russia (ECtHR case 33393/19) states in paragraph 50 et seq. that merely requiring the storage of data relating to an individual's private life constitutes an interference under Article 8 of the ECHR, cited here from paragraph 51:

"As regards the storage by ICOs of Internet communications and related communications data, the Court reiterates that the mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8. The subsequent use of the stored information has no bearing on that finding. However, in determining whether the personal information retained by the authorities involves any of the various private-life aspects, the Court will have due regard to the specific context in which the information at issue has been recorded and retained, the nature of the records, the way in which these records are used and processed and the results that may be obtained"

This applies irrespective of any subsequent use of the collected information, but the context of the surveillance and the type of data retrieved are important factors in the assessment. In the Podchasov case, the issue was an injunction to disclose data, not hacking. The issue that was discussed was also different from whether psychological injury is covered by a national statutory provision. At the same time, we see that the Convention's requirement of access to court contains an expectation that serious violations of the Convention will result in greater intensity of review by the ECtHR. This means that the national margin of appreciation, i.e. the room for manoeuvre that the individual member state has in interpreting and applying the Convention in each specific case, can be considerably reduced. For the national court, this means a stricter requirement to follow the methodology and topics of assessment that the ECtHR has prescribed through its practice. This is necessary in order for the ECtHR to be able to subsequently assess the case in any appeal proceedings. If there has been no specific assessment under domestic law of whether an interference is necessary in a democratic society, in practice formulated by the ECtHR as a requirement that there is a pressing social need, this may indicate that the proportionality assessment under domestic law is inadequate. In that case, we also see that the alternative submission related to Article 6 mentioned above will probably have a stronger position.

The judgment is unanimous, but with an additional comment from Lord Justice Warby. He begins by pointing out the paradox that the agents who hack and surveil want to keep this hidden. It is only when this fails and the whole thing becomes known that injury is caused to the claimants. In other words, the tortious act takes place contrary to the tortfeasor's plan and wishes.

The second point of view relates to the first question in the case, where he expresses that Bahrain's submission seems artificial and unprincipled. He refers to a question during the proceedings, where Bahrain's counsel gave a concrete example:

"He submitted that when a person uses a pen to create a manuscript document the marks on the page are not part of the act of writing but only the effect of that act."

Lord Justice Warby was clearly not impressed with the answer. Incidentally, this comment shows how an unfortunate example can be counterproductive, highlighting the weakness of a line of argument.

I have spent a good deal of time in this article reviewing the arguments and use of legal sources in this case. The decision is very well suited to present the international legal source picture and the specific issues of jurisdiction that quickly become relevant when hacking occurs across national borders, and all the more so when nation states are allegedly behind it. Whether Bahrain carried out the hacking in this case is therefore not decisive, and the Court's assessments of all three questions stand regardless of the outcome of the main case.

When hackers operate under government control, it is very reminiscent of the privateers of the Age of Sail. There is a kind of legitimisation of an activity that is otherwise highly undesirable and causes great injury. In 1243, England issued the first known privateer commission, a kind of "licence to pirate" that allowed private vessels to attack, board, search and seize ships from hostile states. A private vessel was immediately turned into a military asset, and at the same time received an economic incentive to actively seek out enemy ships. Even neutral ships could be arrested, and their cargo seized, if weapons and other war contraband were involved. In principle, privateers were not to be penalised as pirates if they were captured by the enemy; they enjoyed a kind of immunity under criminal law as legitimate exercisers of state power. Instead of engaging in direct warfare with each other, there are examples of shipping powers instead engaging in limited skirmishes between privateers. Later, conventions and international rules emerged that formalised the privateer role to a greater extent. The U.S. Constitution of 1787 authorised Congress to issue such letters of marque, as stated in Article 1 Legislative Branch – Section 8 Enumerated Powers – Clause 11 War Powers:

"To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water…"

In Norway, we are familiar with letters of marque from both the Great Northern War (1700-1721) and the war with Great Britain (1807-1814).

Proceedings is a journal of the US Naval Institute. The US Naval Institute is a private organisation that has been publishing Proceedings since 1874. An article published in October 2019 discusses the Active Cyber Defence Certainty Act⁽⁵⁾, which in practice would give private companies a letter of marque. Not only for mere defensive measures, but also more active and outreach activities.⁽⁶⁾ The author describes an imaginary attack against a bank on Wall Street, which engages a security firm for assistance. This firm has obtained a modern letter of marque authorising counterattacks against the hackers. The letter is necessary, as such attacks are normally not allowed as this in itself constitutes illegal hacking. The author visualises the process as follows:

"If defensive measures fail and the bank is hacked, the cyber security firm would invoke its standing Cyber Letter of Marque to conduct a hack back operation against the aggressor. The goals of the hack back would be first to stop the attacker’s ongoing exploits and then degrade the attacker’s infrastructure. This degradation would impose a cost, to dissuade the attacker from further malicious activity. The information gleaned from the hack back operation would be reported to the Department of Homeland Security to support public-private data sharing to improve the U.S. cyber security posture."

As we can already deduce from the Shehabi case mentioned above, such a letter of marque will involve a number of difficult delimitations, but the debate and the proposed legislation are illustrative of the times we live in.

The legal issues discussed here cover a wide range of topics, including privacy, freedom of expression, cybercrime and the principle of sovereignty under international law. These are major and important principles, while at the same time those affected may be private organisations or individuals who have little ability to protect themselves against this type of action. It will be interesting to follow legal developments in this area, and not least the final outcome of this specific case.