Τhe Duty of Constant Care and Data Protection in War

Legal Studies Research Paper Series
The Duty of Constant Care and Data Protection in War, in Big Data
and Armed Conflict: Legal Issues Above and Below the Armed
Conflict Threshold (Laura A. Dickinson & Edward Berg eds.,
forthcoming, 2022)
Asaf Lubin
Research Paper Number 473
This paper can be downloaded without charge from the

Social Science Research Network electronic library at:
http://ssrn.com/abstract=4012023
Electronic copy available at: https://ssrn.com/abstract=4012023

THE DUTY OF CONSTANT CARE AND DATA
PROTECTION IN WAR*
Asaf Lubin **
Military operations have entered a new frontier in the age of cyberspace.

The incorporation of big data and new information technologies in
warfighting has ushered in new possibilities for civilian harms. Our modern
belligerents now endanger a set of digital rights, including the rights to
privacy, anonymity, access to information, online freedom of expression,
digital autonomy and dignity, and intellectual property.
Against this backdrop calls have been made to find restraints within
existing frameworks of IHL to militaries’ emerging data-invasive practices.
In this chapter I explore one such restraint: the Duty of Constant Care as
established under the general customary principle of precautions in attack. I
argue that this duty applies to the entire gamut of a belligerent party’s
informational activity against its adversaries. In fact, I go as far as to suggest
that the “precautions in attack” principle, as was originally envisaged by the
drafters of the First Additional Protocol to the Geneva Conventions (API),
reflects, at least in part, a primeval and elementary data protection rule.
The chapter proceeds in the following order: First it discusses the binding
nature of the Duty of Constant Care and its temporal and subject matter
scope. Second, it examines the Duty’s possible data protection applications,
focusing specifically on two primary categories of obligations: legality and
transparency and storage specification and data integrity. Ultimately, I
propose that the Duty of Constant Care might prove a temporary gap-filler
to the lacuna of wartime data protection, at least until such time as more
expansive and restrictive data protection regimes are implemented through
treaty evolution and custom formation.
*
This is a draft of a chapter that has been accepted for publication by Oxford University
Press in the forthcoming book, BIG DATA AND ARMED CONFLICT: LEGAL ISSUES ABOVE AND
BELOW THE ARMED CONFLICT THRESHOLD, edited by Laura A. Dickinson & Edward Berg,
due for publication in 2022.”
**
Dr. Asaf Lubin is an Associate Professor of Law at Indiana University Maurer School
of Law, Fellow at IU’s Center for Applied Cybersecurity Research, Faculty Associate at the
Berkman Klein Center for Internet and Society at Harvard University, Affiliated Fellow at
the Information Society Project at Yale Law School, and a Visiting Scholar at the Federmann
Cyber Security Center at Hebrew University of Jerusalem. I wish to thank both Laura
Dickinson and Edward W. Berg for inviting me to contribute to this book and for providing
such excellent feedback on earlier versions of this chapter.

2 Duty of Constant Care and Data Protection [Draft-1/13
Table of Contents
INTRODUCTION ..................................................................................................................... 3
I. THE DUTY OF CONSTANT CARE .................................................................................. 7
A. THE BINDING NATURE OF THE DUTY ...........................................................................................7
B. THE DUTY’S GENERAL SCOPE ........................................................................................................9
1. What military activities trigger the duty? ....................................................... 10
2. When does the duty apply? .................................................................................... 11
3. What Harms is the Duty Meant to Prevent? ................................................... 13
4. When is the Duty Breached? ................................................................................. 14
II. THE DUTY OF CONSTANT CARE AND DATA PROTECTION ............................ 16
A. THE DUTY OF CONSTANT CARE AS A DATA PROTECTION RULE ........................................... 16
B. SPECIFIC APPLICATIONS OF THE DUTY IN THE AGE OF BIG DATA .......................................... 17
1. Legality and Transparency ................................................................................... 18
2. Storage Specification and Limitation and Data Integrity......................... 19
CONCLUSION ......................................................................................................................... 20

Draft-1/13] Duty of Constant Care and Data Protection 3
INTRODUCTION
Militaries have always operated in data-intensive environments. In fact,

one of the earlier usages of the English word “computer” was in reference to
“the (mostly) women in charge of ‘computing’ target coordinates for military
assaults.” 1 But belligerents’ fascination with data has morphed in recent
years. As processes of data production, collection, and assessment have
become more ubiquitous and pervasive in everyday life, militaries have
begun responding to new challenges and new opportunities in the datasphere.
Wartime actors are now employing “machine learning and artificial
intelligence to enhance their military capabilities and decision-making.” 2
They use “big data” and algorithmic tools to both predict enemy actions 3 and
to enhance their own command-and-control capacities.
The White House defines “big data” as the “growing technological ability
to capture, aggregate, and process an ever-greater volume, velocity, and
variety of data.” 4 Together these three Vs introduce endless opportunities for
algorithmic research that may highlight previously undiscovered correlations
in large and complex datasets. As the Federal Trade Commission noted “the
present scope and scale of data collection enables cost-effective, substantial
research of even obscure or mundane topics.” 5 Militaries can use big data
solutions and associated technologies to improve their procurement,
transportation, and redeployment of material and personnel. They can also
use it to engage the varied aspects of warfare: manage detention facilities,
launch targeted killing operations, and automate the collection and analysis
of military intelligence, if to name but a few applications. This fast-paced
evolution in the development and deployment of big data in the military is
not free of casualties.
Consider, for example, recent reports concerning action taken by the

Canadian Military, the U.S. Department of State, and the U.S. Agency for
International Development, in the wake of the Taliban takeover of
1
STEPHANIE RICKER SCHULTE, CACHED: DECODING THE INTERNET IN GLOBAL POPULAR
CULTURE 43 (2013).
2
Ashley S. Deeks, Predicting Enemies, 104 VIRGINIA L. REV. 1529, 1531.
3
Id.
4
EXEC. OFFICE OF THE PRESIDENT , BIG DATA: SEIZING OPPERTUNITIES, PRESERVING
VALUES, THE WHITE HOUSE, 2 (May 2014),
https://obamawhitehouse.archives.gov/sites/default/files/docs/big_data_privacy_report_ma
y_1_2014.pdf.
5
FED. TRADE COMM’N, BIG DATA: A TOOL FOR INCLUSION OR EXCLUSION?, 2 (Jan.
2016), https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-
exclusion-understanding-issues/160106big-data-rpt.pdf.

Afghanistan. Following the takeover, the US and Canada began a complex

process of scrubbing the digital presence of Afghan supporters from their
websites out of fear of retribution by the new regime. 6 Even more troubling
is that the U.S.-led coalition forces have previously relied on “portable
scanners that collect eye, fingerprint, photographic and biographical data,”
which are also being used by the Taliban, further threatening the safety of
those Afghans who’ve been left behind. 7 The story is a surreal example of
where privacy, data protection, biometric information, and armed conflict
intersect.
Another troubling example is illustrated by Israeli data collection policies

in the occupied Palestinian territories. Consider in this regard the decision of
the Israeli Coordinator of Government Activities in the Territories
(COGAT) 8 to mandate the downloading of the al-Munasiq (‫اﻟﻤﻨﺴﻖ‬, Arabic for
“The Coordinator”) phone app by Palestinian workers. 9 In the days following
1F
the decision, “more than 50,000 Palestinians” downloaded this app and used
it to access a set of digital services, including for example, the ability to check
on the status of their applications for entry permits into Israel. 10 As part of
12F
their registration, these Palestinians were forced to consent to COGAT

accessing their geolocation, phone’s camera, and other “messages and files
stored on the phone.” 11 Only after a civil society organization in Israel
13 F
petitioned against the terms of use of the app in court, did Israel officially
commit to making changes to both the terms and practice. 12 14 F
6
Colin Freeze, Fearing reprisals, Afghans rush to scrub digital presence after Taliban
takeover, GLOBE & MAIL CANADA (Aug. 21, 2021),
https://www.theglobeandmail.com/canada/article-fearing-reprisals-afghans-rush-to-scrub-
digital-presence-after-taliban/.
7
Id.
8
COGAT is a unit within the Israeli Ministry of Defense responsible for implementing
the government’s civilian policy within the west bank and Gaza strip. For further reading see
COGAT’s website at https://www.gov.il/en/departments/coordination-of-government-
activities-in-the-territories/govil-landing-page.
9
Hagar Shezaf, Israel Tells Court Would Stop Forcing Palestinian Laborers to Give
Access to Phone Data, HAARETZ (May 15, 2020), https://www.haaretz.com/middle-east-
news/palestinians/.premium-over-50-000-palestinians-forced-to-give-phone-data-to-israel-
1.8844580.
10
Id.
11
Id.
12
Following HaMoked’s demand: the military amended the invasive terms of use of the
mobile app enabling Palestinians to check the status of permit requests, HAMOKED (June 2,
2020), http://www.hamoked.org/Document.aspx?dID=Updates2175 (the “petition explained
that the application’s terms of use constitute a severe infringement of the users’ right to
privacy and dignity, were contrary to Israeli and international law; and compelled
Palestinians to disclose information that could be exploited by the occupying power.” In light
of the petition “COGAT announced that the terms of use had been substantively changed, so

Even more drastically, Israel has relied on data governance policies for
years as a tool for enhancing its oppression of the territories. Israeli
authorities “remain in total control of the electromagnetic waves as well as
[the] importing and installation of any equipment by Palestinian telcos and
ISPs.” 13 Israel has relied on national security claims to delay Palestinian
adoption of 3G networks and has yet to authorize the setup of either 4G or
wireless broadband networks. 14 One driver of this policy is Israel’s own
intelligence capacity in penetrating the existing networks, and its desire to
maintain this level of surveillance and control within the occupied
territories. 15
What these examples highlight is that the possibility for humanitarian

mistreatment and abuse of human rights by militaries has fully extended into
the digital realm. Individual rights to privacy, anonymity, access to
information, online freedom of expression, digital autonomy and dignity, and
intellectual property––can all be eroded in a myriad of ways with the growing
ability of militaries to effectuate digital harms. It is for this reason that some
scholars have proposed a “paradigm shift,” calling to reconceptualize the
place of data protection frameworks in war. For example, Geiß and Lahmann
have advocated the following:
Given the significance of data for modern digitalised

societies, we propose a paradigm shift: To date, the prevalent
debate has taken the rules and principles of existing IHL and
applied them to “data”. A novel approach would be to take,
as a starting point, the principles of existing data protection,
data security, and other pertinent legal frameworks and
attempt to apply them to contemporary armed conflict. 16
as to make clear that a person’s consent upon downloading the application relates strictly to
the provision of the specific data required for the service in use, and that the application has
no access to files, contacts, photos and so on.” The petition itself was ultimately dismissed
outright with the Court finding that “actual harm remained unproven.”).
13
Exposed and Exploited: Data Protection in the Middle East and North Africa, ACCESS
NOW, 24 (Jan. 2021), https://www.accessnow.org/cms/assets/uploads/2021/01/Access-Now-
MENA-data-protection-report.pdf.
14
Connection Interrupted: Israel’s Control of the Palestinian ICT Infrastructure and Its
Impact on Digital Rights, 7AMLEH, 16 (Dec. 2018) https://7amleh.org/wp-
content/uploads/2019/01/Report_7amleh_English_final.pdf
15
Id., at 30 (citing to a 2014 letter by 43 reserve Israeli intelligence officers which
confirms that Palestinians are currently “completely exposed to espionage and surveillance
by Israeli intelligence.”).
16
Robin Geiß & Henning Lahmann, Data Protection in Armed Conflict,
VERFASSUNGSBLOG (Feb. 15, 2021), https://verfassungsblog.de/data-protection-in-armed-

Unfortunately, as I have discussed in prior work, such a paradigm shift is

difficult to implement wholesale. Existing data protection regimes (and
broader digital rights frameworks) are limited in their wartime application as
a lex lata matter. 17 As a result, they are unable to properly restrain the
negative externalities of these evolving data-invasive military practices.
Three primary limitations are worth repeating: (1) data protection regimes are
generally understood as local or regional and non-customary; (2) data
protection regimes are generally perceived as peacetime frameworks, thereby
raising questions about their concurrent and extraterritorial application; and
(3) data protection regimes have built-in provisions which allow for
derogation and exclusion for national security reasons. 18
While we should, of course, continue to call for the urgent evolution and
expansion of data protection frameworks into military operations, as a matter
of future and desired law, 19 we must also look for practical intermediate
solutions. We therefore should ask what data protection restraints, if any, may
be found in existing frameworks of IHL. In this chapter I explore one such
restraint: the duty of constant care as established under the general customary
principle of precautions in attack.
It was Eric Jensen who proposed, almost a decade ago, that “all cyber
operations are governed by the constant-care standard” 20 and that the
standard requires, as a baseline, that commanders take into account the
“effects on civilian population” from their cyber activity. 21 This position was
reaffirmed by the international group of experts (IGE) who drafted Tallinn
Manual 2.0. The IGE noted that the constant care standard introduces a
conflict/.
17
See generally Asaf Lubin, The Rights to Privacy and Data Protection Under
International Humanitarian Law and Human Rights Law, in RESEARCH HANDBOOK ON
HUMAN RIGHTS AND HUMANITARIAN LAW: FURTHER REFLECTIONS AND PERSPECTIVES
(Robert Kolb, Gloria Gaggioli & Pavle Kilibarda eds., Edward Elgar, Forthcoming, 2021);
Asaf Lubin, Big Data and the Future of Belligerency: Applying the Rights to Privacy and
Data Protection to Wartime Artificial Intelligence, in HANDBOOK ON WARFARE AND
ARTIFICIAL INTELLIGENCE (Geiss & Lahmann eds., forthcoming, 2022).
18
Id.
19
See for example a recent imitative by the NATO Cooperative Cyber Defense Centre
of Excellence (CCDCOE) to conduct “a pioneering study on the interplay between different
legal regimes regulating privacy and data protection in conflict situations.” See The Rights
to Privacy and Data Protection in Armed Conflict, CCDCOE (Mar. 2021),
https://ccdcoe.org/research/data-protection-and-privacy-in-armed-conflict/.
20
Eric Talbot Jensen, Cyber Attacks: Proportionality and Precautions in Attack, 89
INT’L L. STUD. 198, 204 (2013).
21
Id., at 202.

“general duty to ‘respect’ the civilian population, that is, to consider

deleterious effects of military operations on civilians,” and that such a duty
also applies in cyberspace. 22
In this short essay I hope to expand and build on Jensen’s proposal as

reaffirmed in the Tallinn Manual. While both Jensen and the IGE focused
solely on cyber-attacks, I argue that the duty applies to a larger universe of
informational activity conducted by belligerents. Such activity may even
extend temporally to periods before the armed conflict had broken out. This
could include broader acts of data collection, processing, analysis, storage,
and dissemination, that go beyond direct offensive operations. Such an
extension is necessary to operationalize the duty of constant care in the digital
age. In fact, I go as far as to suggest that the “precautions in attack” principle,
as was originally envisaged by the drafters of the First Additional Protocol to
the Geneva Conventions (AP), itself reflects, at least in part, a primeval and
elementary data protection rule. I thus argue that the duty of constant care
may serve as a temporary gap-filler to the lacuna that exists around data
protection in IHL, at least until more expansive and restrictive data protection
regimes are implemented through treaty evolution and custom formation.
The chapter proceeds in the following order. Section I describes the

binding nature of the duty of constant care and its temporal and subject matter
scope. Section II then examines the duty’s possible data protection
applications, focusing specifically on two primary obligations: legality and
transparency and storage specification and data integrity.
I. THE DUTY OF CONSTANT CARE 23
A. The Binding Nature of the Duty
The duty of constant care is enshrined in Article 57(1) of API and reads
as follows: “In the conduct of military operations, constant care shall be taken
to spare the civilian population, civilians and civilian objects.” 24 This
provision imposes an “important duty on belligerents” 25 and is part of the
22
TALLINN MANUAL 2.0 ON THE INTERNATIONAL LAW APPLICABLE TO CYBER
OPERATIONS 477 (Michael Schmitt ed., 2nd ed., 2017) [hereinafter: TM2.0]
23
Section I.A. and certain limited parts in section I.B. were first produced and published
in Asaf Lubin, The Reasonable Intelligence Agency, 47 YALE J. INT’L. L. 119 (2022).
24
Protocol I additional to the Geneva Conventions of 1949, and relating to the
Protections of Victims of International Armed Conflicts, 1125 U.N.T.S 3, Article 57(1)
(1977) [hereinafter: API].
25
INTERNATIONAL COMMITTEE OF THE RED CROSS, COMMENTARY ON THE ADDITIONAL
PROTOCOLS OF JUNE 8 1977 TO THE GENEVA CONVENTIONS OF 12 AUGUST 1949, at 680, ¶

broader principle of precautions in attack. The ICRC Customary International

Humanitarian Law Study (CIHL) confirms in rule 15, that Article 57 reflects
“a norm of customary international law applicable in both international armed
conflicts [IACs] and non-international armed conflicts [NIACs].” 26 Notably,
the United States, a non-party to API and one of its most vocal opponents,
has never once challenged the binding nature of the principle of
precautions. 27 Indeed as the ICTY noted in Prosecutor v. Kupreškić, Article
57 reflects custom not only because it specifies “general pre-existing norms”
but also because it does “not appear to be contested by any state, including
those which have not ratified the Protocol.” 28
While the duty of constant Care only applies to those parties engaging in
offensive operations it is matched by a parallel (albeit not identical) 29 duty
for defenders. Article 58(c) of API confirms that parties to a conflict must “to
the maximum extent feasible” adopt “necessary precautions to protect the
civilian population, individual civilians, and civilian objects under their
control against the dangers resulting from military operations.” 30 The ICRC
CIHL study confirms that this rule too is reflective of custom and applicable
in both IACs and NIACs. 31 I stress the similarities between the two sister
duties only because we may be able to learn more about the scope of the
obligation under Article 57 by comparing it to the obligation under Article
58. 32
2191 (1987) [hereinafter: Commentary to API].

26
ICRC, CUSTOMARY INTERNATIONAL HUMANITARIAN LAW, Rule 15 (vol. I, 2005)
[hereinafter: ICRC CIHL].
27
See e.g. Michael J. Matheson, The United States Position on the relation of Customary
International Law to the 1977 Protocols Additional to the 1949 Geneva Conventions, 2 AM.
J. INT’L. L. & POL’Y 419, 427 (1987) (accepting the precautions principle as binding on the
United States); COL. THEODORE T. RICHARD, UNOFFICIAL UNITED STATES GUIDE TO THE
FIRST ADDITIONAL PROTOCOL TO THE GENEVA CONVENTIONS OF 12 AUGUST 1949, 117-129
(May 2019) (providing an array of citations all confirming the U.S. commitment to the
precautions principle); OFF. GEN. COUNSEL DEP’T OF DEFENSE, LAW OF WAR MANUAL, §
5.11 (June 2015, Updated Dec. 2016) (confirming the obligation of combatants to “take
feasible precautions in planning and conducting attacks”).
28
Prosecutor v. Kupreškić et al., Case No. IT-95-16-T T.Ch.II, Judgment, para. 524
(2000).
29
Since Article 58 begins with the caveat “to the maximum extent feasible,” some
commentators have viewed this article as introducing a general recommendation rather than
a strict obligation (see YORAM DINSTEIN, THE CONDUCT OF HOSTILITIES UNDER THE LAW OF
INTERNATIONAL ARMED CONFLICT 145 (2nd ed., 2010).
30
See API, supra note 24, at Art. 58(c).
31
See ICRC CIHL, supra note 26, at Rule 22.
32
William Boothby has in fact suggested that an equivalent duty of constant care also
extends to all defensive preparations. See WILLIAM BOOTHBY, THE LAW OF TARGETING 119
(2012). But cf. Eric Talbot Jensen, Cyber Warfare and Precautions against the Effects of

B. The Duty’s General Scope
The drafting of Article 57 “required lengthy discussions and difficult

negotiations” with the final wording being the “fruit of laborious
compromise.” 33 It is therefore not surprising that Article 57 ultimately only
“prescribes generic precautions and is not prescriptive as to exactly how they
should be accomplished.” 34 This was to the dismay of some states, who
considered the provision “deficient in clarity” and “vague” in wording. 35 The
ICRC representative to the Diplomatic Conference, Mr. Mirimanoff-
Chilkine, saw this flexible terminology as a feature, not a bug. His belief was
that belligerents will over time produce more “precise” guidance for how
these rules are to be applied in real time. 36 Mr. Mirimanoff-Chilkine never
got his wish. As one commentator notes, contemporary military manuals and
rules of engagement do little to provide guidance, let alone “list criteria for
commanders” as to how to apply Article 57. 37
One thing is certain though, the principle of precautions in attack is not

limited to the specific list of precautions provided in Article 57 (e.g. the
obligation to verify the objects of attack, the obligation to minimize incidental
civilian harm in the choice of means and methods, the obligation to suspend
or cancel apparently disproportionate attacks, and the obligation to provide
advance warning). 38 Quite the opposite, it was always intended that Article
57(1) affirmed a general and flexible duty that applied as a catch-all
provision. Such interpretation is further reaffirmed by the general maxim of
“Verba accipienda ut sortiantur effectum” (words are to be construed so that
they obtain effect). Under this surplusage canon, Article 57(1) “should not be
construed as useless or redundant,” and therefore should not be interpreted in
a way which empties it from meaning. If the entirety of the obligations that
Article 57(1) imposed were subsumed by the following provisions of Article
Attacks, 88 Tᴇx. L. Rᴇᴠ. 1533, 1553 (2009). (acknowledging that “it is not feasible to protect
everything all the time” and applying that notion in cyberspace).
33
Commentary to API, supra note 25, at 678, ¶ 2191.
34
WILLIAM H. BOOTHBY, THE LAW OF TARGETING 123 (2012).
35
Italy, Statement at the CDDH, Summary Record of the 42nd Plenary Meeting:
Adoption of the Articles of Draft Protocol I, Vol. VI, CDDH/SR. 42, 231 (May 27, 1977).
36
ICRC, Statement at the CDDH, Committee III Summary Record of the 21st Meeting:
Consideration of Draft Protocols I and II, Vol. XIV, CDDHI III/SR. 21, 182 (Feb. 17, 1975).
37
TETYANA KRUPIY, A TOOLBOX FOR THE APPLICATION OF THE RULES OF TARGETING
129 (2016).
38
For further reading on these obligations see e.g. STUART CASEY-MASLEN & STEVEN
HAINES, HAGUE LAW INTERPRETED: THE CONDUCT OF HOSTILITIES UNDER THE LAW OF
ARMED CONFLICT 197-207 (2018).

57, then the clause would have no independent function.
Having concluded that Article 57(1) establishes a general, broad, and

flexible duty, we should explore its specific scope of application for
informational and data-intensive activities.
1. What military activities trigger the duty?
The duty to spare the civilian population applies “in the conduct of
military operations.” 39 The reference to “military operations” indicates that
the duty extends beyond “attacks,” and applies to “any movements,
manoeuvres, and other activities whatsoever carried out by the armed forces
with a view of combat.” 40 As Eric Jensen writes the term military operations
“imposes a general legal requirement on militaries even when not
attacking.” 41 This is an expansive definition that captures all military
activities with a general nexus to combat.
What this means for military operations in the digital age is still subject
for evolving interpretation. One possible reading, the one I advocate for in
this chapter, is that the rule encompassed in Article 57(1) should cover all
informational operations necessary to support military activity. In this regard,
intelligence collection, in any of its form and conducted by any actor (private
contractors, civilian intelligence agencies), as well as other broader data
collection and management activities should trigger the application of the
duty, so long as the information in question is collected, stored, processed, or
disseminated with the general purpose of advancing combat.
This is a question of proximity. Whether the informational activity in

question is sufficiently connected in space, time, and relationship with the
goals of advancing military combat will be subject to some discretion, and
there will certainly be quite a few close calls. On the other, there will also be
cases that squarely and clearly fall outside the margins of this rule. For
example, a criminal investigation against a soldier for drug use or sexual
assault within the military––even where it involves certain data collection as
part of the investigation––is not the kind of informational activity that will
trigger the application of the duty as it is too far removed and disassociated
from the zone of active or future combat.
As noted, it may not always be easy to determine whether a particular
39
See supra note 24 and accompanying text.
40
Commentary to API, supra note 25, at 678, ¶ 2191.
41
See Jensen, supra note 20, at 202.

informational operation meets this “proximity test.” The fluidity surrounding

data collection and processing––the fact that information may serve different
masters for different purposes at different times––makes the assessment
particularly complex. Data transfers between agencies and across borders,
common in the age of big data, only further compound the problem. While
this poses an evidentiary challenge it does not negate from the reasonableness
of the interpretation as a textual matter, nor from its normative appeal as a
possible built-in check within IHL on military cyber powers.
I recognize that this is a controversial argument, but such an interpretation

is in line with the purpose the Conventions and Additional Protocols to
provide minimum protections to victims of armed conflict by setting
standards of humane treatment. In fact, any interpretation of the rule that
would set artificial distinctions based on the entity doing the collection and
processing (civilian vs. military, contractor vs. members of the armed forces)
or the nature of the collection and processing (commercial vs. governmental)
muddies the waters and dilutes the function that the drafters intended for the
duty of constant care as a tool for sparing civilians from the harms of war.
2. When does the duty apply?
The duty is a duty of constant care. As is alluded to by the adjective, it

means that the duty has no temporal limitations; it simply applies “at all
times.” As the IGE noted in Tallinn Manual 2.0, the duty has a “continuing
nature,” and as such “[t]he law admits no situation in which, or time when,
individuals involved in the planning and execution process may ignore the
effects of their operations on civilians or civilian objects. In the cyber context,
this requires situational awareness at all times, not merely during the
preparatory stage of an operation.” 42
One important derivative conclusion is that the obligation extends beyond

situations of active armed conflict and applies in peacetime, both before the
armed conflict begins, and after it ceases. Whenever the military engages in
certain informational operations that support its war efforts, the duty of
constant care will latch on. I have written about this phenomenon in the
context of “targeting banks.” 43 These are archives where the air force stores
and routinely updates intelligence cards with information about future targets
in preparation for war. 44 As one Israeli major describes, the target bank must
42
See TM2.0, supra note 22, at 477.
43
See generally Lubin, supra note 23, at ___.
44
Interview with Major S., the deputy commander of the Israeli Air Force 200 Squadron,
reprinted in Ann Rogers, Investigating the Relationship between Drone Warfare and Civilian

be routinely checked to ensure continued accuracy:
“[e]very few months, it is essential to check that the target is

still relevant. If you find a weapons storage facility today,
tomorrow they could take all of the weapons out of the
building and build a kindergarten. If I don’t know about that
change, I might accidentally target it. That’s why we don’t
only find new targets; we also keep track of the existing
ones.” 45
In other words, the duty of constant care, and the specific precaution of
target verification (enshrined in Article 57(2)(a)(i)) introduce peacetime
obligations on the party collecting and processing that data. Specifically in
this example, the collector and processor of the data is required to monitor
the database to ensure the accuracy of the data stored. Accuracy of personal
data is a common data protection standard. The principle of accuracy in data
protection establishes “a qualitative requirement and entails a responsibility
that the data be accurate, and necessarily complete and up to date for the
purpose intended.” 46 By requiring the military to take every reasonable step
to rectify inaccurate or incomplete data in targeting, Article 57’s verification
standard is an early articulation of a data protection concept. This is a crucial
finding. If Article 57 is truly a data protection regime in disguise, what other
standards might be hiding at plain sight between its four corners? It may
therefore be in line with the drafters’ intuitive intention that we interpret the
duty of constant care as one that shines a data protective light the military’s
informational activity.
But while this inquiry may ultimately lead to new data protection
obligations on militaries, it may also raise new and complex questions. Here
is one: The “targeting banks” example speaks directly to intelligence
Casualties in Gaza, 7 J. Strategic Sec. 94, 101 (2014); THE 2014 GAZA CONFLICT (7 JULY –
26 AUGUST 2014): FACTUAL AND LEGAL ASPECTS, ISRAELI MINISTRY OF FOREIGN AFFAIRS,
¶ 246 (May 2015), https://mfa.gov.il/ProtectiveEdge/Pages/default.aspx (noting that the
“target planning process begins with the collection of intelligence” and describing how that
intelligence is preserved in a “Target Card.” The card includes operational directives and is
subject to legal review that takes into account, among other things, precautions that could be
taken upon execution).
45
See Interview with Major S., id., at 103-104.
46
Report of the International Law Commission on the Work of its Fifty-Eighth Session,
Annex IV: Protection of Personal Data in Transborder Flow of Information (2006) UN Doc
Supplement No 10 (A/61/10) (2006), 503
https://legal.un.org/ilc/reports/2006/english/annexes.pdf [hereinafter: ILC Data Protection
Report].

collected by the military for a clear wartime purpose. How far along the data
supply chain should we extend Article 57’s data protection reach? What
about intelligence originally collected for a non-combat purpose that is later
found of use for a military aim. At what point should the duty of constant
care latch on and should it retroactively introduce certain data protection
standards? I am unable to offer a definitive answer at this point, and can only
suggest that we employ a fact-intensive analysis that takes into account the
varied circumstances surrounding each case.
3. What Harms is the Duty Meant to Prevent?
As some commentators argue the duty of constant care “should be taken

literally” which means that “total avoidance of damage to the civilian
population is the standard that combatants should seek to achieve in all
cases.” 47 But the provision is silent as to the categories of damages that the
duty is meant to prevent. Certainly, in the context of attacks, damage is easily
understood to mean kinetic harm, including loss of civilian life, injury to
civilians, and physical harms to civilian objects.
There could indeed be many cases in which the reckless mishandling of

data will trigger abhorrent physical harms. Suffice to consider the fictional
scenario at the center of this book. The Newtropian AI Targeting System
(NAITS) had a bias against non-Caucasians baked into its facial recognition
algorithms which resulted in civilian casualties based on mistaken
identification by the automated system. Similarly, a failure to properly test an
update to the NAITS targeting algorithm (an update which was ultimately
found to have been developed based on poisoned sets of data) resulted in the
now updated NAITS mistakenly killing the head of a medical NGO. What
both these examples show, is that gross errors in the operating procedures
surrounding the management of data could lead to actual death and injury of
individuals, and physical destruction of property, in a military environment
where data is weaponized.
But the duty of constant care could theoretically be said to extend beyond
physical harms. Indeed, the parallel duty of defenders, in Article 58, refers to
an even broader category of “dangers” and not mere damages. This extension
of the harms prong of the duty also echoes the language of the 1970 UN
General Assembly Resolution 2675. That resolution introduced an obligation
on those engaging in military operations to make “every effort… to spare the
47
FRITS KALSHOVEN & LIESBETH ZEGVELD, CONSTRAINTS ON THE WAGING OF WAR:
AN INTRODUCTION TO INTERNATIONAL HUMANITARIAN LAW 113 (4th ed., 2011).

civilian population from the ravages of war.” 48
It may be suggested that the “damage” prong behind the duty should be
read broadly to include a range of “dangers” and “ravages of war” that go
beyond the physical. If our goal is to “dimmish the evils of war as far as
military requirements permit” 49 then it follows that commanders must
comply with “the laws of humanity, and the dictates of the public
conscience” 50 wherever possible – even where the harms are dignitary rather
than kinetic. In my introduction I listed a set of individual rights which have
digital manifestations—privacy, anonymity, access to information, online
freedom of expression, digital autonomy and dignity, and intellectual
property. As the examples I discussed in the introduction show, these rights
are constantly at risk of abuse in the age of informational warfare. It seems
to me that the duty of constant care may be able to serve a protective role for
some of these digital rights at this intermediate stage, until more developed
prescriptive frameworks take hold.
4. When is the Duty Breached?
It is true that the duty of constant care is “poorly defined” 51 and therefore
that extracting actual requirements may be difficult. Nonetheless, it is well
established that the duty introduces a general obligation on a commander “to
bear in mind the effect on the civilian population of what he is planning to do
and take steps to reduce that effect as much as possible.” 52
The duty thus imposes a balancing act between “both the humanitarian
considerations in favor of taking a precaution and the military considerations
against taking that precaution.” 53 In balancing between the two
considerations “there may be occasions when a commander will have to
accept a higher level of risk to his own forces in order to avoid or reduce
48
Basic Principles for the Protection of Civilian Population in Armed Conflicts, UNGA
Res. 2675, U.N. Doc. A/RES/2675(XXV), para. 3 (1970) (adopted by 109 votes in favor,
none against and 8 abstentions) (emphasis added).
49
Convention (IV) Respecting the Laws and Customs of War on Land, 36 Stat. 2277,
207 Consol. T.S. 277, 18 October 1907 (Hague Convention IV), Preamble. See also
Convention (II) with Respect to the Laws and Customs of War on Land, 32 Stat. 1803,
Martens Nouveau Recueil, Series 2, Vol. 26, 29 July 1899, Preamble.
50
Hague Convention IV, Preamble; AP I, Art. 1(2) (the Martens Clause).
51
Michael N. Schmitt, Wired warfare 3.0: Protecting the civilian population during
cyber operations, 101 INT’L REV. RED CROSS 333, 354 (2019).
52
UK Ministry of Defence, The Manual of the Law of Armed Conflict, 2004 (UK Law
of War Manual), para. 5.32.1.
53
ADIL AHMAD HAQUE, LAW AND MORALITY AT WAR 155 (2017).

collateral damage to the enemy’s civilian population.” 54 In other words,

“[m]ilitary necessity cannot always override humanity.” 55
Given the ambiguities surrounding “care” and lack of specific

jurisprudence on its application as a standard we may draw some inspiration
from yet another historically ambiguous obligation. The obligation of “due
regard” in the EEZ and high seas under UNCLOS. After all, the words “care”
and “regard” are synonymous, and a familiar balance of interests test is
expected under both. In the Chagos Marine Protected Area Arbitration
(Mauritius v. United Kingdom), the Annex VII Tribunal clarified the
following:
“[T]he ordinary meaning of “due regard” calls for [State A]

to have such regard for the rights of [State B] as is called for
by the circumstances and by the nature of those rights. The
Tribunal declines to find in this formulation any universal
rule of conduct. The Convention does not impose a uniform
obligation to avoid any impairment of [State B’s] rights; nor
does it uniformly permit the [State A] to proceed as it wishes,
merely noting such rights. Rather, the extent of the regard
required by the Convention will depend upon the nature of
the rights held by [State B], their importance, the extent of
the anticipated impairment, the nature and importance of the
activities contemplated by [State A], and the availability of
alternative approaches.” 56
This multi-factor test perfectly aligns with the Duty of Constant Care
under IHL. Lacking specific criteria, States are left with a general “zone of
reasonableness” 57 within which they are called to “employ reasonably
available resources and to gather reasonably available information.” 58 Those
states are merely asked to exercise basic due diligence, to do what is
“practicably possible, taking into account all circumstances ruling at the
time.” 59
54
Id., at 158 (citing a British defense doctrine).
55
APV Rogers, Conduct of Combat and Risks Run by the Civilian Population, 21 MIL.
L. & L. WAR REV. 293, 310 (1982).
56
In re The Chagos Marine Protected Area Arbitration, ¶519 (March 18, 2015),
http://www.pcacases.com/pcadocs/MU-UK%2020150318%20Award.pdf.
57
AMICHAI COHEN & DAVID ZLOTOGORSKI, PROPORTIONALITY IN INTERNATIONAL
HUMANITARIAN LAW: CONSEQUENCES, PRECAUTIONS, AND PROCEDURES 199.
58
Krupiy, supra note 37, at 126.
59
ICRC CIHL, supra note 26, Practice Relating to Rule 15.

A breach of the duty may be found where a commander fails to consider

these factors, in relation with the civilian population, at any point throughout
the life cycle of an informational operation. For example, consider a
belligerent occupier who collects extensive personally identifiable
information on the civilian population in the occupied territory to advance
the goals of the occupation. Now what if that occupier fails to introduce even
the most basic of cybersecurity practices, and as a result of its gross
negligence, the data is ultimately breached or exposed and certain economic,
societal, and reputational harms ensue. It would seem to me to be the case
that that occupier was in breach of its basic duty of care. The failure to
introduce basic security measures over the data, where those measures are
feasible and not burdensome, reflects a failure by the occupier to take
reasonable precautions to spare the civilian populations from harm and thus
a possible breach of the duty of contact care has occurred.
II. THE DUTY OF CONSTANT CARE AND DATA PROTECTION
A. The Duty of Constant Care as a Data Protection Rule
Another obligation derived from the duty of constant care is the

obligation on commanders “to set up an effective intelligence gathering
system to collect and evaluate information concerning potential targets. The
commander must also direct his forces to use available technical means to
properly identify targets during operations.” 60 In this sense, Article 57 is the
primary (if not only) “information collection” provision of the treatises of
IHL. It thus makes great sense to rely on this provision as a potential gateway
through which to introduce data protection norms into doctrinal IHL
discourses.
Put another way, Article 57 mandates militaries to establish effective data

collection, processing, verification, assessment, and dissemination
frameworks and agencies. Those data arms, formed in response to this
requirement, operate year-long to produce data to all echelons of the military
machine. The effectiveness of this apparatus will be determined by
objectively examining the methodologies of data management it employs. In
this data-intensive environment, which Article 57 singlehandedly erected, the
duty of constant care stands as the only possible lighthouse that could guide
militaries in discharging of their duties.
60
Final Report to the Prosecutor by the Committee Established to Review the NATO
Bombing Campaign Against the Federal Republic of Yugoslavia, ¶ 29 (June 2, 2000)
https://www.icty.org/sid/10052 (hereinafter: ICTY Expert Committee Report) (emphasis
added).

In the final section of this chapter, I try to propose specific ways by which
the duty of constant care may serve to restrain particular types of
informational activity. To be clear, I do not argue that the duty of constant
care as currently understood already encompasses a sufficiently clear menu
of lex lata rules and obligations on member States. I only think that it may be
read to encompass such rules through progressive interpretation. I argue that
this interpretation would be textually reasonable and in line with the historical
function that the duty of constant care was intended to serve since its drafting.
I also think that such an interpretation could serve as a temporary gap-filler,
either as a matter of recommended best practice or as a matter of binding law,
until such time as more formidable treaty frameworks are introduced by the
international community.
B. Specific Applications of the Duty in the age of big data
For this final section I suggest that we follow an actual case study that
might help demonstrate important ways by which a progressive interpretation
of the duty of care could assist in constraining certain military informational
activities. Consider in this regard biometric data processing. The UN Security
Council introduced a Chapter VII resolution which required Member States,
as part of the fight against terrorism, to “develop and implement systems to
collect biometric data, which could include fingerprints, photographs, facial
recognition, and other relevant identifying biometric data.”. 61
Responding to this obligation, the German Federal Government “has

admitted that German soldiers collected biometric data in Afghanistan as part
of the International Security Assistance Force (ISAF). It was stated that
biometric data consisting of fingerprints, iris images and ‘face geometry’ has
been collected from Afghan citizens and handed over to U.S. authorities.
Mobile devices were afterwards used to identify people by matching the
collected biometric data against a U.S. database.” 62
In conducting this operation, the German government applied no data

protection standards. Quite the opposite, the government concluded that its
domestic data protection law “did not apply to foreigners abroad,” 63 and
61
Threats to International Peace and Security Caused by Returning Foreign Terrorist
Fighters, UNSC Res. 2396, U.N. Doc. S/RES/2396, para. 15 (2017) (voted unanimously).
62
Sebastian Cymutta, Biometric data processing by the German armed forces during
deployment, CCDCOE, 4 (2021), https://ccdcoe.org/uploads/2021/05/Cymutta_Biometric-
data-processing-by-the-German-armed-forces-during-deployment_05.2021.pdf.
63
Id.

therefore that there was no need to consider data protection law in the context
of collecting this biometric data. But the recent developments in Afghanistan
with which this article began highlight the potential horrific consequences to
the civilian population from poorly managing data. The way personally
identifiable information is collected, stored, disseminated, and ultimately
deleted matters. Especially before, during, and after war. Not only that, but
the specific features of this operation—(1) the fact that data was transferred
between multiples members of a coalition force; (2) the fact that data was
processed against another external dataset; (3) the fact that the data
processing involved automated features; and (4) the fact that the data in
question included particularly sensitive and personally indefinable
information—make the lack of data protection standards particularly
troubling. Many of these features are typical to the big data age. They
demonstrate just how little attention militaries have given to data protection
in their rush to incorporate big data solutions in every segment of their
activities.
So far, I have tried to show that a progressive interpretation of the duty of

constant care could require commanders to take reasonable steps to reduce,
where feasible, the negative effects on the civilian population from their
informational operations. To determine what is reasonable and feasible we
have no choice but to rely on existing well-tested benchmarks. The only way
to determine whether alternative precautions were available and reasonable
to employ, is by examining those alternatives. Existing data protection
regimes offer us a rich menu from which to build on. I therefore suggest that
the adoption of my progressive interpretation of the duty of constant care
would allow us to import data protection principles currently excluded from
IHL discourse. These principles could set clearer guidelines to belligerents
who engage in big data practices, of the kind that the German biometric data
processing involved. Below I offer two possible examples: (1) how the duty
of constant care may introduce the data protection requirements of legality
and transparency; and (2) how the duty of constant care may introduce the
data protection requirements of storage specification and limitation and data
integrity. This is not an exhaustive list. Rather, I hope my chapter begins a
necessary conversation about the way existing IHL could further cement data
protection rules for military operations.
1. Legality and Transparency
A foundational data protection principle is the obligation of data

processors to respect the rule of law and ensure transparency around the
collection, processing, and dissemination of data, wherever feasible. This

entails the adoption of primary or secondary legislation, and often additional

other public-facing regulation that grounds the scope and nature of these data
collection efforts, further establishing procedural safeguards to prevent
abuse. 64 One such safeguard is the promulgation of ex post reviews which
ensure greater transparency and accountability surrounding these efforts and
increases societal trust.
In certain circumstances military data collection programs may not be

disclosed to the data subjects, nor is seeking their consent practicable, for
national security reasons. Certainly, where the very purpose of the operation
will be hindered by the disclosure, rules of effectiveness should control and
may justify some degree of secrecy. But this does not mean that a State must
keep silent on all aspects of the operation. “While there may be legitimate
public interest reasons for maintaining the secrecy of technical and
operational specifications, these do not justify withholding from the public
generic information.” 65 As the Special Rapporteur on Counterterrorism
noted, “without such information it is impossible to assess the legality,
necessity, and proportionality of these measures.” 66
Information about German practices on biometric data collection in

Afghanistan only came to light through ex post parliamentary inquiries. 67 The
failure to articulate the policy, even at the most general level, through ex ante
public statements and external policies shows a lack of care not in compliance
with my proposed interpretation of the general duty enshrined in Article 57.
2. Storage Specification and Limitation and Data Integrity.
Another common data protection principle is the data minimization

principle. Under this principle “the purpose for which the data are collected
should be specified… Data should not be disclosed, made available or
otherwise used for purposes other than those specified.” 68 This principle
establishes that “the data collected is not intended to be more far-reaching
than is necessary for the purposes for which the data will be used. The test
should be that the least intrusive method is used to achieve a legitimate
64
See generally ICRC Rules on Personal Data Protection, ICRC) (2019),
https://www.icrc.org/en/publication/4261-icrc-rules-on-personal-data-protection.
65
Report of the Special Rapporteur on the Promotion and Protection of Human Rights
and Fundamental Freedoms While Countering Terrorism, U.N. Doc. A/69/397, para. 40 (23
September 2014).
66
Id.
67
See Cymutta, supra note 62, at 4.
68
See ILC Data Protection Report, supra note 46, at 503.

aim.” 69 A second data protection principle is the principle of data integrity.

Under this principle personal data, especially sensitive data, as well as the
infrastructure used to collect and store that data, “should be protected by
security safeguards against risks such as unlawful or unauthorised access, use
and disclosure, as well as loss, destruction, or damage of data.” 70
These sister principles of data minimization and data integrity may

introduce a set of corollary and derivative obligations on the data processor
depending on the circumstances. Commanders will need to assess what
cybersecurity measures as well as data retention and storage limitation rules
they wish to employ to reduce the risk of possible abuses. Such decisions will
be based, in part, on capacity and available resources. This is a fact-intensive
analysis that can only be applied on a case-by-case basis. One obvious
general minimum threshold which could be easily applied is the following: a
military should not use less security measures to protect the data it collects
on foreigners than that which it uses to protect its own information. Where a
military has already demonstrated a capacity to protect data at certain level
high level (H), there should be a presumption against applying a second lower
level (L) for foreign data that it collected. Like all presumptions it may be
rebutted. There certainly could be reasons to apply diverging degrees of
protection in certain circumstances (say due to certain resource limitations)
but then any choice of application either level H or level L should depend on
objective and non-discriminatory criteria.
In the context of the German operation, no information was ever provided

about the kind of measures the German authorities employed in the context
of collecting and storing these biometric records. Again, the total lack of
transparency as exemplified by a failure to publicly state basic security
measures that were employed to protect highly sensitive data demonstrates a
potential abdication of my proposed interpretation of the duty of care.
CONCLUSION
In this short chapter I tried to suggest that IHL already possess a set of
legal hooks on which we may be able to rest contemporary data protection
best practices, thereby futureproofing the Geneva Conventions and
Additional Protections. I clarified that my proposal is one of progressive
interpretation and that its utilization should be temporary, until such time as
69
Data Protection Principles: A Guide for Policy Engagement on Data Protection,
Privacy International, 41 https://privacyinternational.org/sites/default/files/2018-
09/Part%203%20-%20Data%20Protection%20Principles.pdf.
70
Id., at 45.

more robust frameworks and rules are developed to guide militaries in

developing and deploying big data solutions.
To conclude let us revisit for one final time to the fictional countries
of Newtropia and Outlandia from the book’s underlying hypothetical.
Consider operation “Full Wrap” as described in the scenario. The operation
was launched 18 months before the war broke out. It involved private
contractors collecting huge amounts of data both domestically and globally
to feed the algorithms developed by the military. The operation further relied
on foreign commercial servers and a corporate cloud service provider for
storing the data. The operation thus perfectly demonstrates yet another
feature of the big data revolution––an over-reliance on public/private
partnerships. Contracting with the tech sector expands and speeds up existing
trends in the privatization of warfare. But where the corporate sector has been
the primary target of data protection rules, and therefore an early adopter of
data protection language (not least because of the Brussels Effects of
European data protection rules, like the GDPR), the military complex and
intelligence agencies have mostly persisted in their objections to it. 71 Here
lies the danger. By contracting with the military, certain corporate activity
which was up until recently prohibited under evolving data protection norms,
may be shielded under a cloak of national security. The introduction of data
protection rules for the military, through the duty of constant care, could thus
have the positive consequence of nipping this growing reality in the bud.
This chapter has offered a very technical and surgical expansion of an

IHL obligation through a progressive interpretation of the treatises of IHL.
But I do not want to end this chapter with only “desiccated concepts, devoid
of connection.” 72 Instead I wish to end this short essay with a passionate plea.
As Naz Modirzadeh has noted “passionate reasoning gives the reader a sense
of why the author cares about the topic… Contextual, connected, passionate
writing allows, and even demands of, the author to reflect upon the
responsibilities that law, legal structures, and wartime legal scholars
themselves may bear in seemingly endless war.” 73
So here goes. I spent roughly five years as an intelligence analyst

71
See e.g. Theodore Christakis & Kenneth Propp, How Europe’s Intelligence Services
Aim to Avoid the EU’s Highest Court—and What It Means for the United States, Lawfare
(Mar. 8, 2021), https://www.lawfareblog.com/how-europes-intelligence-services-aim-
avoid-eus-highest-court-and-what-it-means-united-states (exploring the current EU debates
around the scope of the national security exception in data protection regimes).
72
Naz K. Modirzadeh, Cut These Words: Passion and International Law of War
Scholarship, 61 HARV. INT’L. L. J. 1, 64 (2020).
73
Id., at 62.

within the Israeli military. My daily routine consisted of a myriad of

assignments: identifying new potential intelligence sources, guiding
collection efforts, analyzing raw surveillance material, developing and
publishing intelligence briefs and larger research memos, consulting on
specific ground and aerial operations, and (mostly towards the end of my
service) training new generations of intelligence cadets. It has been argued
that: “service in the intelligence profession [...] involves doing things that in
other times and places most would agree would be horribly immoral.” 74 In
all my years of service, not once have I felt like I’ve done anything unethical
or illegal. Quite the opposite. Entering the profession at the age of 18, I
accepted as inherent the “cloak and dagger” nature of the trade and rarely
challenged my superiors. I saw each of my assignments as a Rubik’s Cube or
a 1000-piece puzzle that I was entrusted with solving. Once fully immersed
in the work, I did not trouble myself with questions of law or morality (nor
did I possess the vocabulary and mental stamina to understand them fully).
Instead, I focused all of my energy on finishing the task at hand. At times, it
felt like occupational therapy.
I understand perfectly well how churning data as a clog in a massive

data churning machine can distance and disassociate. Data protection rules
and procedures are therefore not a panacea for all the ills and misfortunates
that could materialize in this complexly wired and layered process. But the
alternative is looking at an abyss of nothingness, embracing a false
assumption that treaties that were written in a different time have nothing to
teach us about the technological challenges of tomorrow. I vehemently
oppose the thought that we will let the lacuna control and suffer the
consequences of an unregulated infowar. This chapter is part of a broader
research agenda which seeks to understand where privacy and data protection
intersect with international humanitarian law. It is a research project and
mission that will quite likely outlive me.
***
74
Tony Pfaff, Bungee Jumping off the Moral Highground: Ethics of Espionage in the
Modern Age, in 1 ETHICS OF SPYING: A READER FOR THE INTELLIGENCE PROFESSIONAL 66,
68 (Jan Goldman ed., 2006). Elsewhere Pfaff writes: “not only have [intelligence agents] felt
that the deceiving and harming they have done in service to their country have corrupted
their integrity, they feel this corruption is exacerbated by the “cloudy moral purpose” their
agency serves.” (Id.).

Τhe Duty of Constant Care and Data Protection in War

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Τhe Duty of Constant Care and Data Protection in War

Uploaded by

Copyright:

Available Formats

Legal Studies Research Paper Series

Conflict Threshold (Laura A. Dickinson & Edward Berg eds.,

Research Paper Number 473

This paper can be downloaded without charge from the

Electronic copy available at: https://ssrn.com/abstract=4012023

Military operations have entered a new frontier in the age of cyberspace.

Electronic copy available at: https://ssrn.com/abstract=4012023

Electronic copy available at: https://ssrn.com/abstract=4012023

Militaries have always operated in data-intensive environments. In fact,

Consider, for example, recent reports concerning action taken by the

Electronic copy available at: https://ssrn.com/abstract=4012023

Afghanistan. Following the takeover, the US and Canada began a complex

Another troubling example is illustrated by Israeli data collection policies

their registration, these Palestinians were forced to consent to COGAT

Electronic copy available at: https://ssrn.com/abstract=4012023

What these examples highlight is that the possibility for humanitarian

Given the significance of data for modern digitalised

Electronic copy available at: https://ssrn.com/abstract=4012023

Unfortunately, as I have discussed in prior work, such a paradigm shift is

Electronic copy available at: https://ssrn.com/abstract=4012023

“general duty to ‘respect’ the civilian population, that is, to consider

In this short essay I hope to expand and build on Jensen’s proposal as

The chapter proceeds in the following order. Section I describes the

I. THE DUTY OF CONSTANT CARE 23

A. The Binding Nature of the Duty

Electronic copy available at: https://ssrn.com/abstract=4012023

broader principle of precautions in attack. The ICRC Customary International

2191 (1987) [hereinafter: Commentary to API].

Electronic copy available at: https://ssrn.com/abstract=4012023

B. The Duty’s General Scope

The drafting of Article 57 “required lengthy discussions and difficult

One thing is certain though, the principle of precautions in attack is not

Electronic copy available at: https://ssrn.com/abstract=4012023

57, then the clause would have no independent function.

Having concluded that Article 57(1) establishes a general, broad, and

1. What military activities trigger the duty?

This is a question of proximity. Whether the informational activity in

As noted, it may not always be easy to determine whether a particular

Electronic copy available at: https://ssrn.com/abstract=4012023

informational operation meets this “proximity test.” The fluidity surrounding

I recognize that this is a controversial argument, but such an interpretation

2. When does the duty apply?

The duty is a duty of constant care. As is alluded to by the adjective, it

One important derivative conclusion is that the obligation extends beyond

Electronic copy available at: https://ssrn.com/abstract=4012023

be routinely checked to ensure continued accuracy:

“[e]very few months, it is essential to check that the target is

Electronic copy available at: https://ssrn.com/abstract=4012023

3. What Harms is the Duty Meant to Prevent?

As some commentators argue the duty of constant care “should be taken

There could indeed be many cases in which the reckless mishandling of

Electronic copy available at: https://ssrn.com/abstract=4012023

civilian population from the ravages of war.” 48

4. When is the Duty Breached?

Electronic copy available at: https://ssrn.com/abstract=4012023

collateral damage to the enemy’s civilian population.” 54 In other words,

Given the ambiguities surrounding “care” and lack of specific

“[T]he ordinary meaning of “due regard” calls for [State A]

Electronic copy available at: https://ssrn.com/abstract=4012023

A breach of the duty may be found where a commander fails to consider

II. THE DUTY OF CONSTANT CARE AND DATA PROTECTION

A. The Duty of Constant Care as a Data Protection Rule

Another obligation derived from the duty of constant care is the