Can Anonymous Be Prosecuted? A Reflection Under International Law in the Framework of the Current Armed Conflict in Ukraine

Introduction

Cyberspace has been labelled as the “fifth domain of activities” and it is gaining momentum, both in peacetime and in the contexts of armed conflicts. The ongoing war between Russia and Ukraine well testifies to this. Indeed, there has been an escalation of cyber-operations targeting both Ukrainian and Russian networks. Such operations have been carried out by various “hacking actors”. We can recall, among others, Ukraineʼs “IT army”, volunteer hacking forces that have been called by representatives of the Ukrainian government to join together against the Russian network. We can also count in the “Conti team”, who expressly support the Russian invasion, together with a group of Belarusian hackers, the “Cyber Partisans”. Last but not least, Anonymous has declared on Twitter that it is “in cyber war” against Russia.

Particularly the cyber-activities carried out by Anonymous have attracted the attention of the media – the media reported on several operations of the group, which have included, e.g., the disruptions of the websites of state news agencies and online newspapers, the network of the Russian oil giant Gazprom, as well as several Russian government websites.

Anonymous defines itself as “a very loose and decentralized [...] structure”. What does it mean for international law? In particular, to what extent do international (humanitarian) law and the law of armed conflict apply to its cyber-conduct?

Analysis

Who Are Anonymous?

Anonymous are not – and does not consider itself – a (cyber-)state, or an international (non-)governmental organization; rather, it is a decentralized and non-hierarchical movement. Anonymous presents itself with a logo, a motto, and a mask; however, the group does not have any spokesperson, or an official website; rather, it communicates through several Twitter accounts. It describes itself as “a movement by which individuals across the globe can promote access to information, free speech, and transparency”. In the manifesto published on its most-followed Twitter account – which counts 7.9 million followers – it claims that it consists of “activists from different countries [...and with different] political views [...but with an agreement] on a few basic principles [...] freedom of information, freedom of speech, [and] accountability for companies and governments”. Its cyber-operations are claimed to be aimed toward promoting such principles, as they target “those who adhere to [...] oppressive ideologies”.

Individuals that act within the movement cannot be considered “members” of Anonymous – there is no membership procedure to follow, or instructions or guidelines on how to join the movement; rather, everyone “can come and go as they please – they simply […] logon or logoff [sic] the discussion board where members of Anonymous meet (usually 4chan)”. In this regard, “anyone can be [...Anonymous]”. Officially established in 2003 – through the image hosting website 4chan.org – it gained momentum in 2008, when it targeted the Church of Scientology with a massive campaign of cyber-operations. In the following years, it also began to target governments/organizations/big companies around the world: in 2011, it claimed a series of cyber attacks targeting a number of Tunisian governmental websites; in the same year, it also launched a cyber attack against Sony, and it has engaged in a cyber-conflict with the so-called Islamic State of Iraq and Syria (ISIS) since 2015.

The cyber-operations conducted by Anonymous include several forms of hacktivism, which can be defined as “a form of political activism against […] commercial institutions and governments, among other targets”. A prominent example is the case of the distributed denial of service (DDoS) in the cyber-operation campaign against the Church of Scientology. Its cyber-operations may also take the form of acts of information operations (when carried out in peacetime) or even information warfare. The latter is usually considered as being part of war(fare) and is commonly defined as “the battle waged in the news media and on social media to bolster popular support; persuade and induce the sympathy of potential allies; and [...] spread confusion [...] in the enemy’s population”. Moreover, Anonymous has been performing acts of cyber-interference like disabling or leaking data from governmental websites – as daily reported by the media in the context of the ongoing armed conflict in Ukraine.

Anonymous and National and International Law: The National Level of Reference

There is no evidence that Anonymous are acting under the instructions of any state (though there have been allegations of states being behind some of their cyber-operations). Within the framework of the current armed conflict in Ukraine, Anonymous differ from, e.g., the above-mentioned Ukrainian “IT army”, which seems to receive instructions from Ukrainian government representatives through the groupʼs Telegram channel. As Ukraine’s Minister of Digital Transformation has tweeted, Ukraine is “creating an IT
army”. On the English-language Telegram channel of the “IT army”, a 14-page introductory document is available, providing details on how anyone can participate in it. As such, the “IT army” can qualify as a private group “acting on the instructions of […]” Ukraine, i.e. on its behalf. Accordingly, their cyber-operations against Russian websites can be considered as legitimate forms of countermeasures carried out by Ukraine against Russia. Also the “Conti team” and the “Cyber Partisans” seem to be sponsored by Russia and Belarus; as such, their cyber-conducts can be considered as carried out on behalf of the sponsoring state(s).

When it comes to Anonymous, in contrast, it acts as a group of private individuals. As such, each one of them is subject to the relevant national jurisdictions. In particular, here we should rely on the applicable national (cyber-criminal) laws. To date, 156 countries around the world have enacted cyber-crime legislations, with Europe having the highest adoption rate (91% of the countries, with only Belgium and Belarus still lacking cyber-related regulations) and Africa the lowest one (72%). Most countries have cybercrime regulations in place. Moreover, 66 countries to date have also ratified the Council of Europe’s Convention on Cybercrime (or the Budapest Convention), which aims “to pursue […] a common criminal policy aimed at the protection of society against cybercrime”. Nevertheless, in this regard, there are still skills gaps for agencies and prosecutors engaged in law enforcement. To help fill in this gap, in 2015 the United Nations Office on Drugs and Crime (UNODC) launched a Cybercrime Repository, which serves as a central database for legislations, case-law and best practices on cybercrime. Also the European Union is engaged in combating cyber-crime. In this respect, it is worth recalling the European Cybercrime Centre, which was established by Europol (the European Union Agency for Law Enforcement Cooperation) with the aim to “act […] as the focal point in the fight against cybercrime in the Union”.

Media have sometimes reported arrests of individuals allegedly linked to Anonymous, in particular in the United States in the early 2010s; some of them have also been found guilty of cyber-crimes and sentenced under the US federal laws. In 2012, police authorities in Argentina, Chile, Colombia and Spain arrested 25 individuals allegedly involved in cyber-operations against Colombian and Chilean governmental websites that
were claimed by Anonymous.

During the days of the conflict in Ukraine, one video posted by Anonymous on YouTube has expressly acknowledged that some of its cyber-conducts against Russia can be contrary to national laws: “While some of our actions may be considered illegal in the eyes of various governments, we [...] see no reason any western laws should be used against our actions [...] We do understand that using a VPN or Tor in Russia to access restricted content is against the law, so you must do so at your own risk”.

The International Regulations at Stake

National law(s) is (are) not the only relevant legal framework in place, and international law can play a role in this area as well, though “only in limited cases”, as recalled by the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Drafted by an international group of experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence, the Tallinn Manual is the “first comprehensive and authoritative attempt to analyze the application of international law to cyber warfare” and, more generally, to cyber operations. Also the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security is carrying on a discussion to assess how international law applies to cyberoperations.
Worth mentioning is also the most recent Oxford Process on International Law Protections in Cyberspace, an initiative of the Oxford Institute for Ethics, Law and Armed Conflict in partnership with Microsoft. However, the Tallinn Manual includes almost all aspects of the relevant international cyber-regulations to date, and thus, in terms of comprehensiveness, it is the best. In particular, it offers some useful guidance for assessing
cyber-conducts of individuals.

As the Manual well recognizes, when cyber-conducts carried out by private individuals are not attributable to states, i.e. they do not amount to a state conduct, “[s]tates cannot resort to countermeasures” against them, which means that a state cannot engage in countermeasures against Anonymous. However, a state might consider adopting countermeasures towards the state(s) where the cyber-conducts are carried out, i.e. where Anonymous operates, if the relevant state(s) do(es) not undertake any action for blocking
Anonymous’ cyber operations. As the Manual explains, “the failure of a State to terminate cyber operations conducted by non-State actors on its territory will constitute a breach of the requirement to exercise due diligence”. The due diligence obligation requires a state to “not allow [...] its […] cyber infrastructure […] to be used for cyber operations that […] produce serious adverse consequences for, other States”. In the case of Anonymous, however, since the anonymity of the individuals is one of the core characteristics of the
movement, it is quite challenging to identify from which state(s) the cyber-operations are carried out. The Tallinn Manual also outlined the debate on the possibility for a state to act according to the plea of necessity or in self-defence directly against non-state actors, which would allow the state victim of a cyber-attack to act directly against Anonymous. But again, we should recall that given the fact that it is quite difficult to identify who is carrying out the cyber-operation(s) and from which place, it would be quite challenging for the victim state to act directly against Anonymous.

On the other hand, as specified by the Tallin Manual, “[w]hen non-State actors engage in cyber operations related to an armed conflict, their activities are subject to the law of armed conflict”, and this applies also in the case of cyber-operations carried out by individuals within Anonymous. However, international law does not specify how to identify those cyber-operations “in the context of and associated with the armed conflict” that are carried out by individuals; thus, the evaluation shall be conducted on a case-by-case basis.
In the context of the conflict of Ukraine, almost all the cyber-operations targeting Russian networks that were carried out and claimed by Anonymous can be considered to be “in the context of and associated with the armed conflict” in Ukraine. Accordingly, the movement should be subject to the law of armed conflict. However, it is also true that there has not been a wide academic discussion – or consensus – on the status of Anonymous under the law of armed conflicts so far.

A question arises: namely whether Anonymous’ cyber-conduct can amount to “direct participation in hostilities” under international humanitarian law. The Tallinn Manual recognizes that individuals who engage in hostilities with cyber-operations without being members of any organized group (as in the case of Anonymous), can be considered as participating directly in the hostilities. Accordingly, they can be “liable to be attacked by cyber or other lawful means”. In this respect, the three criteria set forth in the International Committee of the Red Cross’s (ICRC) relevant Interpretive Guidance for the additional protocols of the Geneva Conventions tell us when to qualify an act as direct participation in hostilities. In particular, “the act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict […]; there must be a direct causal link between the act and the harm […]; and the act must be specifically designed to directly cause […] harm […]”. When it comes to the armed conflict in Ukraine, a person who is acting within Anonymous and carrying out cyber-operations against Russia can be considered as taking a direct part in the hostilities. Accordingly, (s)he can become targetable. This is the case with, for example, an individual conducting a DDoS operation against Russia’s computer system network, making it difficult or impossible for Russia to rely on its online network of communication. However, as also outlined by the Group of Experts and recent scholarship, it is not always easy to identify which cyber-operations can be qualified as direct participation in hostilities. For example, elaborating a malware and making it openly available online for anyone to use in any possible way, including in the context of a conflict, may not amount to a direct participation in hostilities.

When Anonymous directly participates in hostilities from a state that is not party to the armed conflict, the question of the neutrality of the relevant state may arise as well. In this respect, the law of neutrality applies, according to which neutral states should not allow belligerents to make use of their territory or resources for military purposes. Anonymous are not considered a belligerent. However, it seems to systemically operate from neutral states. Accordingly, one may argue about whether such states should have a duty to intervene to prevent the use of their (cyber-)infrastructures for conducting operations whichamount to direct participation in hostilities. This possibility has already been answered in
the positive by some scholars with regard to the Anonymous cyber-operations launched
against Israel during its 2014 conflict with Hamas.

In any case, as expressed by the Tallinn Manual, when cyber-operations “amount to war crimes […they may] give rise to individual criminal responsibility under international law”. The assessment should be conducted case-by-case, since “not every violation of the law of armed conflict qualifies as a war crime”.

It is quite apparent that Anonymous does not operate in a vacuum: each individual can be subject to the relevant national (cyber-criminal) law, the law of armed conflict, international humanitarian law and international criminal law.

So when can Anonymous’ cyber-conducts be considered legitimate forms of hacking? Generally, legal cyber-activities targeting external networks include cyber-conducts that are carried out for research purposes, and so-called “bug bounty” activities and professional penetration testing – in which companies ask hackers to find vulnerabilities in their systems. Hacking is legitimate under the applicable legal framework when it is carried out with the consent of the owner of the network that is the target of the cyber-operation(s). However, this does not seem to be the kind of activity carried out by Anonymous – at least not the kinds of cyber-operations that have been reported and publicly claimed by the group so far.

It is also true that the relevant national and international legal frameworks are still lacking a comprehensive understanding of the different forms of hacking. In this regard, some scholars are calling for states to engage more in defining and regulating the different forms of cyber-operations in (national) cyber-related regulations.

Conclusion

In the ongoing war between Russia and Ukraine, cyberspace has become a new battlefield. This brings with it several questions related to national and international law, especially when it comes to conceptualizing the conducts of non-state actors, as in the case of Anonymous.

Gaps still exist in the relevant national and international legal frameworks of reference when it comes to defining and regulating the different forms of cyber-operations that are carried out by non-state actors, and particularly by individuals. Cyber-conducts carried out by Anonymous can be subject to the relevant national cyber-crime regulations as acts of private individuals, and/or to the law of armed conflicts. The current conflict in Ukraine can serve as an (additional) opportunity for states to rethink the current (national and
international) legal framework of reference in order to effectively address the challenges in place.