Human Rights Watch welcomes the opportunity to provide the following comments on the "[Draft] Policy on Cyber-enabled Crimes under the Rome Statute (March 2025)" (hereafter "draft policy") of the Office of the Prosecutor (OTP or the Office) of the International Criminal Court (ICC).
This submission is divided into three parts. The first part concerns elements of the draft that Human Rights Watch particularly welcomes and supports ("Positive elements"). This part highlights those elements and concepts that we believe should be retained and for which reasons. The second part concerns elements of the draft that we believe could usefully be clarified, amended or expanded ("Recommendations on specific elements"). This part focuses both on language and concepts, which would benefit from further clarification or specificity. The third part concerns elements that Human Rights Watch believes should be included in the final policy that are currently absent from the draft ("Recommendations for additions").
- Positive elements
The draft policy recognizes the increasing relevance of technology in facilitating the commission of crimes under the Rome Statute. It sets out an important commitment by the OTP to use its mandate and powers to investigate and prosecute cyber-enabled crimes within the court's jurisdiction.
The draft policy does not attempt to create new categories or definitions of cybercrime. Rather it uses the term 'cyber-enabled crimes' to mean the perpetration by cyber means of the crimes set out in the Rome Statute - war crimes, crimes against humanity, genocide, the crime of aggression, as well as offences against the administration of justice - and the facilitation by cyber means of such crimes.[1]
The draft policy is clear that the ICC does not have jurisdiction over ordinary 'cybercrimes' that are punishable under domestic law.[2] As Human Rights Watch has documented in our research, there is no commonly held definition of cybercrime internationally, and many domestic laws have broad definitions of "cybercrime" that are incompatible with state obligations under international human rights law.[3]
The draft policy also covers situations where no crime has been carried out or facilitated by cyber means, but where cyber conduct is correlated with the commission of a crime within the jurisdiction of the court and therefore can provide evidence of that offence.[4] Human Rights Watch welcomes the inclusion in the draft policy of the reference to this link between cyber conduct and the OTP's investigative mandate. However, as noted below, the final policy would benefit from additional considerations on this issue, particularly regarding the right to privacy in investigations.
- Recommendations on specific elements
2.1 Support for national efforts to address "ordinary cybercrime"
The draft policy explains how the Office's mandate to investigate and prosecute crimes within the jurisdiction of the court may intersect with national efforts to combat "ordinary cybercrimes."[5] It refers to ways in which the OTP's work may potentially support such efforts including by participating in joint investigations and enhancing cooperation in evidence sharing. While supporting the important role that the Office of the Prosecutor can and should play in strengthening domestic efforts to investigate and prosecute crimes under the jurisdiction of the court under the principle of complementarity,[6] Human Rights Watch sees some risk to the approach outlined in the draft policy.
As noted above, national approaches to addressing "cybercrime" differ considerably both in terms of how a cybercrime is defined, and what human rights safeguards apply to the investigation and prosecution of, and international cooperation around such crimes. Human Rights Watch has documented the abuse of cybercrime laws to crack down on journalists, technologists, human rights defenders, and others engaged in behavior that is protected under international human rights law.[7] Additionally, a lack of consistency at the national level around human rights safeguards applying to investigations, prosecutions and international cooperation on cybercrime creates risks that cooperation may exacerbate or give rise to violations of privacy, non-discrimination, and due process rights.[8] Concerningly, the draft policy contemplates such open-ended cooperation between the OTP and national authorities that it could entangle the OTP in national efforts to address crimes that do not fall under the court's jurisdiction and which raise serious human rights concerns. Human Rights Watch recommends removing references to Office's potential support for national efforts to address ordinary cybercrimes in paragraphs 1, 29, 107, 131, and 145, and clarify that such support will be limited to advancing domestic efforts to investigate and prosecute Rome Statute crimes.[9]
2.2. Territorial jurisdiction
The draft policy does not presently anticipate that it would regard the mere transit of data through a state party's territory as a sufficient basis to assert the court's territorial jurisdiction.[10] It notes that the use of cloud computing technology to commit or facilitate crimes under the Rome Statute may constitute a situation in which the cyber conduct in question took place in the territory of more than two states simultaneously.[11] Human Rights Watch generally supports this approach. However, the draft policy would benefit from further clarification of the principle underlying the assertion of the ICC's territorial jurisdiction over a crime premised on the transit, storing, and processing of data through cyber infrastructure physically located in its territory. Specifically, in the final policy, the OTP should explicitly adopt the Tallinn Manual 2.0 standard. According to this standard, a state will have territorial jurisdiction over a cybercrime where infrastructure in that state constitutes an "integral facet" of the crime in question, excluding explicitly and more comprehensively all de minimis use of infrastructure physically within a state as a basis for territorial jurisdiction.[12]
2.3 Investigative powers
The draft policy indicates that the OTP will make appropriate and diligent use of all its investigative powers under the Statute. It indicates that the Office will rely on the national law of states requested to assist it in accordance with Article 93 of the Rome Statute and may request private entities to voluntarily cooperate within the framework of their applicable legal obligations.[13] Investigations of cyber conduct can be particularly intrusive and implicate the privacy of many individuals aside from the target of an investigation. Yet many states fail to meet human rights standards for the protection of privacy in their national investigative practices. Human Rights Watch recommends that the final policy be aligned with international human rights standards regarding the right to privacy and investigative techniques, including by adding the following measures[14]:
- Requiring national authorities to ensure that any steps taken when requested by the OTP to assist an investigation by obtaining digital evidence will be in line with international human rights standards, including an assessment of whether the country being asked to carry out digital surveillance can do it in a manner that respects the rule of law.
- Explicitly stating that the OTP will not rely on state use of specific intrusive techniques that are inconsistent with international human rights standards, including those that obtain digital evidence by undermining encryption, installing commercial spyware on people's devices, or through mass surveillance of communications.
- Explicitly stating that the OTP will not request private entities to provide personal data that will identify users of their services in the absence of prior authorization by the competent judicial authorities.
2.4 Hacker groups
According to the draft policy, "hacker groups" may in principle qualify as an "organization" for the purpose of Article 7 of the Rome Statute, putting them on the same level as rebel and terrorist groups.[15] There is no commonly held definition under international law or among governments of "hacker groups" and governments and companies label a range of activities that are in the public interest as "hacking". While the draft policy does note that the OTP will always carry out a fact-specific, contextual assessment as to whether a hacker group qualifies as an organization for the purpose of Article 7, it fails to recognize that some hacker groups may also carry out legitimate public interest activities, like exposing security vulnerabilities and government abuse. Human Rights Watch recommends that the final policy include the potential freedom of expression concerns[16] to be considered when assessing whether a "hacker group" qualifies as an organization under Article 7 of the Rome Statute and that a proportionate approach will be taken by the OTP in making such assessment.
- Recommendations for additions
3.1 Cyber enabled campaigns of persecution
The draft policy recognizes that conduct in cyberspace, including mass surveillance of, for example, an ethnic or religious group and social media postings with discriminatory intent, can form part of a campaign of persecution, as defined by Article 7(1)(h) of the Rome Statute.[17] Human Rights Watch supports this position and recommends that the final policy go further to include other disproportionate forms of surveillance and censorship, like the use of targeted spyware and internet shutdowns, which violate multiple human rights, interfere with evidence collection for international accountability efforts, and could potentially amount to offences against the administration of justice. Human Rights Watch recommends that the final policy expand its discussion of digital repression that can form part of a campaign of persecution to acknowledge that these actions can also amount to obstruction of justice offences, particularly if directed at OTP staff or at individuals and civil society organizations on the basis that they are attempting to assist the OTP in conducting an investigation.
3.2 The role of technology companies
The draft policy avoids the question of the role of technology companies in enabling crimes under the Rome Statute. As noted by the explanatory report to the Budapest Convention on Cybercrime, service providers do not incur criminal liability "by virtue of the fact that a crime was committed on its system by a customer".[18]Criminal liability should be contemplated only when the actions of a service provider directly facilitate international crimes under the Rome State and can be linked to an individual at the company with the requisite knowledge, intent, and responsibility. However, the policy should also reflect that companies have human rights responsibilities[19] and should face regulatory requirements and steep fines for their failings, including when their action or inaction contributes to crimes under the Rome Statute. Human Rights Watch recommends that the final policy address the potential individual criminal responsibility under the Rome Statute arising from the role played by technology companies in the commission or facilitation of crimes under the jurisdiction of the court.
- 3 Artificial intelligence
The draft policy's discussion of artificial intelligence should address military use of artificial intelligence and specifically decision support systems and other digital tools that are already shaping the use of force in armed conflicts and are the focus of significant levels of investment and rapid development.[20] The policy should make clear that there is significant risk that these technologies will cause harm including indiscriminate attacks on civilian populations or individual civilians of great magnitude. The draft policy acknowledges that "autonomous AI tools […] produce effects that are not intended, or even foreseen, by those who designed or" operate them,[21] but should also reflect the reality that they are being designed and used despite a general awareness of the risk that these effects will occur, and will have grave consequences when being used to inform life-or-death decisions. Digital decision-making tools risk violating international humanitarian law, in particular the laws of war concerning distinction between military targets and civilians, and the need to take all feasible precautions before an attack to minimize civilian harm.[22]Human Rights Watch recommends that the final policy's discussion of artificial intelligence address the significant risk that digital decision-making tools and other military uses for artificial intelligence can cause concerning indiscriminate attacks on civilians and the serious challenges they pose when attempts are made to attribute individual criminal responsibility for the harms they cause.
3.4 Monitoring and Evaluation
The draft policy recognizes that cyber conduct increasingly forms a significant part of all the Office's investigations and that many if not all investigations will likely have a cyber component. Yet, to date it has only arisen at the margins of the court's work and has not been addressed in any detail. According to the draft policy, in every investigation, the Office will take due account of the possibility of cyber-related crimes.[23] Given the increasingly relevance of cyber conduct in the court's work, the policy would benefit from a monitoring and evaluation framework, including to better understand and assess to what extent the cases that the Office decides to investigate and prosecute include cyber-enabled crimes. This would shed light on the nature and use of cyber technologies in international crimes and help inform resource allocation moving forward. Human Rights Watch recommends that the final policy incorporate a monitoring and evaluation framework and a commitment to publicly report on the outcome of this analysis.
3.5 Civil society's role in implementing the policy
A stated objective of the draft policy is to cooperate and coordinate with civil society organizations, corporations, and other non-state actors, whose expertise or access to information enables them to support law enforcement action at the international and national level. The draft policy outlines extensive plans and opportunities for collaboration with the private sector. However, it is rather silent on how it will engage with civil society moving forward. Human Rights Watch recommends that the final policy elaborate further on opportunities for civil society to contribute to and inform the OTP's implementation of the policy.
[1]Office of the Prosecutor of the ICC, "(Draft) Policy on Cyber-enabled Crimes under the Rome Statute (March 2025)", https://www.icc-cpi.int/sites/default/files/2025-03/250306-OTP-Policy-on-Cyber-Enabled-Crimes-for-public-consultation.pdf, para. 2..
[2] Draft policy, para. 4.
[3] "Abuse of Cybercrime Measures Taints UN Talks," Human Rights Watch news release, May 5, 2021 https://www.hrw.org/news/2021/05/05/abuse-cybercrime-measures-taints-un-talks;
[4] Draft policy, paras. 24-25.
[5] Draft policy, paras. 1, 4, 12, 29, 107, 131, and 145.
[6] Maria Elena Vignoli and Danya Chaikel, Two Tracks, One Destination? The Importance of Getting the Balance Right on Complementarity, Just Security (June 20, 2024), https://www.justsecurity.org/96955/getting-the-balance-right-complementarity/; Human Rights Watch Comments on the International Criminal Court Office of the Prosecutor"[Draft] Policy on Complementarity and Cooperation (September 2023)" , November 13, 2023, https://www.hrw.org/news/2023/11/14/human-rights-watch-comments-international-criminal-court-office-prosecutor
[7] "Abuse of Cybercrime Measures Taints UN Talks," Human Rights Watch news release, May 5, 2021 https://www.hrw.org/news/2021/05/05/abuse-cybercrime-measures-taints-un-talks; "Tunisia: Cybercrime Decree Used Against Critics," Human Rights Watch news release, December 19, 2023, https://www.hrw.org/news/2023/12/19/tunisia-cybercrime-decree-used-against-critics; Rasha Younes, "Jordan's New Cybercrime Law is a Disaster for LGBT People," Human Rights Watch dispatch, August 14, 2023, https://www.hrw.org/news/2023/08/14/jordans-new-cybercrime-law-disaster-lgbt-people; "Libya: Revoke Repressive Anti-Cybercrime Law," Human Rights Watch news release, April 3, 2023, https://www.hrw.org/news/2023/04/03/libya-revoke-repressive-anti-cybercrime-law;
[8] "Human rights and the draft Cybercrime Convention," United Nations Office of the High Commissioner for Human Rights, July 25, 2024, https://www.ohchr.org/sites/default/files/documents/issues/civicspace/DRAFT-CYBERCRIME-CONVENTION.pdf
[9] Specifically, delete the second sentence of para. 1, delete the final sentence of para. 29, delete the final sentence of para. 107, and delete paras. 131 and 145 in their entirety.
[10] Draft policy, para. 42.
[11] Draft policy, para. 41.
[12] Schmitt, Michael N. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge: Cambridge University Press, 2017. https://ilmc.univie.ac.at/fileadmin/user_upload/p_ilmc/Bilder/Bewerbung/Case_2/Michael_N._Schmitt_-_Tallinn_Manual_2.0_on_the_International_Law_Applicable_to_Cyber_Operations Cambridge_University_Press__2017_.pdf Rule 9, para 2, p 55.
[13] Draft Policy, para 125.
[14] Benedik v Slovenia, App No 62357/14, April 24, 2018 (ECtHR, Fourth Section, 2018); Fifth Periodic Report on the Republic of Korea, CCPR/C/KOR/CO/5, paras 49-50; Podchasov v Russia, App No 33696/19, May 13, 2024 (ECtHR, Third Section, 2024); CCPR/C/USA/CO/4, paras 22; CCPR/C/ZAF/CO/1, paras 42-43; CCPR/C/GBR/CO/8, paras 50-51; Office of the High Commissioner for Human Rights, The Right to Privacy in the Digital Age, A/HRC/39/29, August 3, 2018, para 17; Office of the High Commissioner for Human Rights, The Right to Privacy in the Digital Age, A/HRC/51/17, August 4, 2022; A/HRC/29/32, May 22, 2015, https://undocs.org/A/HRC/29/32.
[15] Draft policy, para. 53.
[16] Organisation for Economic Co-operation and Development, Non-governmental Perspectives on a New Generation of National Cybersecurity Strategies, DSTI/ICCP/REG(2012)7, November 16, 2012, (OECD, 2012), https://ccdcoe.org/uploads/2018/11/OECD-121116-CybersecurityPolicyMaking.pdf, pp 108-110.
[17] Draft policy, para. 59.
[18] Budapest Convention, Explanatory Report, para 125: "A service provider does not incur liability by virtue of the fact that a crime was committed on its system by a customer, user or other third person, because the term "acting under its authority" applies exclusively to employees and agents acting within the scope of their authority."
[19] Guiding Principles on Business and Human Rights: Implementing the United Nations "Protect, Respect and Remedy" Framework, in Human Rights Council, Report of the Special Representative of the Secretary-General on the Issue of Human Rights and Transnational Corporations and Other Business Enterprises, John Ruggie, U.N. Doc. A/HRC/17/31, annex, https://www.ohchr.org/sites/default/files/documents/publications/guidingprinciplesbusinesshr_en.pdf
[20] Human Rights Watch, A Hazard to Human Rights Autonomous Weapons Systems and Digital Decision-Making, April 2025 https://www.hrw.org/report/2025/04/28/hazard-human-rights/autonomous-weapons-systems-and-digital-decision-making;
[21] Draft Policy, para 87.
[22] Human Rights Watch, "Questions and Answers: Israeli Military's Use of Digital Tools in Gaza," September 10, 2024, https://www.hrw.org/news/2024/09/10/questions-and-answers-israeli-militarys-use-digital-tools-gaza
[23] Draft policy, para. 117.
