Microsoft’s Geneva Convention: protecting web users against State irresponsible behaviors in the cyberspace ? {By Darius Fadier, CEIS}

On 14 February 2017, Microsoft, portraying itself as a defender of Internet users, proposed a « Digital Geneva Convention » in response to the proliferation of cyberattacks from states. The digital giant called on states to draw up and sign an internationally binding convention that would aim to protect civilians against cyberattacks from states, in the manner of the 1949 Geneva Conventions.

This was more than a cheap grab for media attention. Brad Smith, Microsoft’s chief legal officer, mapped out this convention and detailed a number of rules that states could apply. While Microsoft’s proposal is consistent with the logic and spirit of the Geneva Conventions regarding civilian protection, it distinguishes itself from its predecessors in putting forth measures tailored to digital affairs; thus it represents a new convention.

First, a key distinguishing feature of this « Digital Geneva Convention » lies in its scope of application. The provisions of the 1949 Geneva Conventions apply within the framework of international or national conflicts — that is to say, in times of war — whereas Microsoft’s proposal is intended to apply in times of peace. This distinction may seem surprising since this proposal concerns cyberattacks from states or « cyber warfare. » It may seem all the more surprising as it could be thought to simply apply the provisions of the 1949 Geneva Conventions to the consequences of cyberattacks. However, Microsoft’s proposal may be understood in view of the fact that cyberattacks not only take the form of inter-state attacks but more generally are the doing of private entities acting on their own behalf, or on behalf of a state, against an entity also belonging to the private sector. The 2014 attack on Sony Pictures attributed to North Korea is a good example of this.

Second, while Microsoft’s proposal, like the 1949 Geneva Conventions, aims to protect civilians, it nevertheless constitutes an independent new convention by virtue of the very content of the international rules that it seeks to implement. Microsoft’s Digital Geneva Convention specifically provides for the protection of civilian property such as underwater cables, servers, computers and even data. To this end, it proposes introducing new international rules particular to this type of protection:

• A ban on the theft of intellectual property by states;
• State assistance to the private sector for digital protection,
• A framework for cyber armament by states that includes a commitment to non-proliferation of cyber weapons, and
• The creation of an independent international organisation bringing together public and private entities responsible for examining cyberattacks and sharing evidence in relation to the attribution of a cyberattack to a state.

It is interesting to note that these different rules put forward by Microsoft have more to do with the strengthening of the recommendations of the United Nations Group of Governmental Experts (GGE) on responsible behaviour of states than with the 1949 Geneva Conventions. For example, the GGE advises states not to use cyberattacks to damage another state’s infrastructure. Microsoft’s convention seeks to strengthen this principle by extending it to private-sector infrastructure. In addition, the creation of an international organisation in charge of examining cyberattacks and attributing them to an entity had been proposed by the GGE and not met with unanimous approval by states.

However, the Geneva Conventions did indeed inspire Microsoft’s ambition to build a « digital Switzerland » in the private sector. Just as the Red Cross acts as a neutral intermediary to ensure the day-to-day protection of civilians worldwide, digital companies must, according to Microsoft, take the necessary measures to protect Internet users and digital infrastructure. It should nevertheless be noted that the Geneva Conventions set out two criteria granting an organisation international legitimacy to intervene in civilian protection: neutrality and adoption of a distinctive emblem. Digital companies cannot necessarily be counted on to readily fulfil these two criteria. This is because, unlike the Red Cross, digital companies engage in for-profit activity and generally are guided by their own commercial interests, which may be very different from the interests of Internet users.