The Right to Privacy in the Era of Cyber Espionage:  A Threat to Human Right

Introduction

Under Article 12[1], International Law guarantees the right to privacy as a fundamental human right protected and guaranteed under the Universal Declaration of Human Rights (UDHR). But, in the contemporary interconnected world, the right to privacy is becoming a myth in cyberspace because of the unprecedented challenges that have been faced at both the global level and the national level, particularly in the context of cyber espionage.  With the advancement of technologies and the expansion of the digital world, unauthorised access to personal and sensitive data has become a real threat to individual freedoms and national security, resulting in the offences of stealing the right to privacy increasing daily. The shifting of the trend to the digital world or the meta world has made personal data very vulnerable, easy to exploit and easy to access without any authority, which is known to be a breach of data privacy and leads to exploitation, and this is what results in Cyber Espionage. And this article will explore how it has become a threat to basic human rights.

The Cyber Espionage

Cyber Crimes, as the name suggests, are crimes committed on the Internet Web. There is an abundance of cybercrimes, which include identity theft, cyber fraud, cyber terrorism, cyber espionage, and the list goes on. Firstly, let us understand the importance of the meaning of privacy, although it does not have any specific definition, it could be understood with layman's language as a person’s right to control the usage mechanism of their data.

Espionage, which means spying, has existed for a very long period, and it has continued to persist and evolved with time, it is also referred to as the “World’s Second Oldest Profession[2]”, and the evolution of spies has taken place from time to time with the advancement of the technologies. At first, there came Electronic Espionage, which means “an unauthorised cyber-acquisition of private data, often by state-sponsored organisations or advanced persistent threats (APTs), is known as electronic espionage[3]”.  Then came Cyber Espionage, which is the advanced version of Electronic Espionage. The prefix Cyber Espionage can be understood as cyber-spying, in which there is “an attempt to access sensitive, personal and confidential data or proprietary information without the knowledge or consent of an owner[4]” of that information for the motive of economic gain or getting an advantage in the competitive world of spying done for political reasons.

Cyber Crime is a genius, and Cyber Espionage is a species, but a dangerous one, that can start a cyber war and could be used as a weapon deployed by one nation against another because of the clattered availability of information, either by individuals, businesses, or government officials. The availability of other’s data indeed is a growing concern, and the reason behind the availability of private individual data is “third party consent to retrieve data of e-mails, given access to the third party in the phone, or laptops, or computers, also include social media, GPS tracking, browsing history, acceptance of cookies, and in many other ways.[5]”

Tactics involved in the cyber espionage

The common tactics or methods used by the attackers to gather information include “phishing attacks. Advanced Persistent Threats (APTs), Malware and Spyware.” And their targets vary from corporations, governmental agencies, and individuals to critical infrastructures,

Moreover, these tactics could vary as the technology is getting advanced. Some have been discussed in the following manner, but there is a possibility there is more than these mentioned tactics. But the most common and important tactics have been discussed below:

1. Exploiting Software & Website Vulnerabilities: Attackers leverage unpatched security flaws and weak authentication mechanisms to gain unauthorised access.
2. Spear Phishing Attacks: Targeted emails trick individuals into revealing sensitive data or granting elevated network privileges.
3. Supply Chain Attacks: Cybercriminals infiltrate less-secure third-party vendors to compromise the primary target.
4. Malware, Trojans & Worms: Malicious software is used to steal data, disrupt operations, or create backdoors for future intrusions.
5. Compromising Software Updates: Attackers inject malware into legitimate updates for commonly used third-party applications.

Steps Cyber Espionage takes to Access the Data

The Hacker's access to the data involves various steps, herein we will discuss the most common steps used by the hacker for unauthorised access to the data in the following manner:

1. Target Identification: It involves selecting an individual of an organisation or a system for the attack that is deemed vulnerable and valuable.
2. Information Gathering: For information gathering, the hacker could use the collecting intelligence via OSINT, social engineering, or reconnaissance tools.
3. Finding Vulnerabilities: It involves identifying weak points in software, networks, or human security, for instance, using third-party access granted when an app is installed.
4. Infiltration: Exploiting weaknesses using phishing, malware, zero-day exploits, or supply chain attacks.
5. Executing Objectives: The main and where the hacker accesses the data with the person's consent, i.e., involves offences like Data theft, surveillance, sabotage, or system manipulation.
6. Clearing Tracks: Erasing logs, using encryption, and deploying self-destructing malware.
7. Maintaining Access: Implanting backdoors and adapting to security countermeasures.

Lastly, it involves storing the data, whether to sell it to the person or authority interested or use it to blackmail the target party for monetary gain.  

The main reason behind this is mostly the monetary gain, where the offender can sell that information to any country for money in return, and it could be counted as a part of cyber terrorism when it is done with military operations. There is no regulatory body to regulate the information available in the metaverse. That is the main reason Cyber Espionage is a threat to privacy. Another rising concern is that, unlike traditional criminal offences, it is very difficult to identify the offender. “Whether the criminal is a hacker or the nation-state.[6]”

This article will be an exploratory study on the effect of cyber espionage and how it has been a threat to the right to privacy in the International legal framework, with the help of international cases, it will try to understand the impact on the same and will also cover the Indian perspective on this burning issue.

Cyber Espionage: A Rising Threat

The major concern that has risen with Cyber Espionage is that there could be an intention of accessing data to have cyber terrorism or start cyber-warfare by interfering with law enforcement bodies or harm the opponent or other nations, as their focus could be to attack governmental agencies, institutions like education or research centres and to access the confidential data of intellectual properties.

Main targets of the Cyber Espionage

Recently, it has been witnessed that hackers have tried to access data from official websites in many countries. It could be easily said that the main target of cyber espionage is innocent citizens who threaten governmental officials.

Hence, their main targets can be easily categorised as:

1. Firstly, for political reasons, the main target in the present time is government agencies, as these organisations have sensitive data that could affect national security and foreign policies and contain the plans regarding military operations, it became the main goal of the cyber espionage to get the unauthorised data of the countries.
2. After that, the other major target is big corporations from fields like pharmaceutical, aerospace, and technology. In this, they could use insider trading-like offences, which lead to playing an important role for a competitor. This leads to results in damaging the company’s market reputation, can advantage the competitors, and majorly leads to financial losses to the company as well as affecting the economy of the nation.
3. In the contemporary world, they are also targeting Intellectual information/ intellectual properties; by getting the important data disclosing intellectual properties, they could easily blackmail the person for the money to not disclose the information, which could be very confidential.  

These could lead to two main outcomes in society: one is cyber espionage, which is purely for monetary reasons, and the other is cyber warfare, behind which there is a possibility of involvement of the nation also.

There have been many various instances of cyber-espionage reported worldwide, which directly raise questions on the protection of the personal data of individuals across the globe. According to the report of 2019 by NATO headquarters, & the U.S. Military, “there are now more than 100 daily cyber intrusion attempts on the headquarters and approximately 10 times more intrusions attempt on the US military.[7] ”

 The first documented cases were reported in the year 1986-1987[8], was executed by a German who interfered with the network of American Defence, including their universities, contractors and military bases and gathered the confidential information and sold it to the Soviet KGB.

The rise of cyber spying was reported during the Covid- 19 or in pandemic duration, especially reported in India. The main reason behind this rise was people were forced to stay at home instead of work from home and conducted meetings through online platforms like Zoom, which made information and data vulnerable to hackers.

The main nations behind this cyber espionage are Russia, China, Iranian, and Pakistan. to attack other nations, as recently it has been reported that Russia attacked Ukrainian Military devices used in the operation through the cyber espionage group Turla in the year 2024, and there was another instance reported in the same year that China is doing Cyber spy on the US government. 

To understand the rise of the threat, there have been some real examples of cyber espionage discussed, which have been reported at the global level:

1. The 2013 NSA Data Breach[9], Edward Snowden disclosed classified information revealing extensive U.S. surveillance programs, sparking a global debate on privacy and government overreach. This revelation raised crucial questions about national security and the ethical justification for mass surveillance, fuelling discussions on the delicate balance between security and individual rights in the digital age.
2. Between November 2018 and 2021, the hacker group known as RedCurl[10] Conducted over 30 corporate espionage attacks across multiple countries, including the “United Kingdom, Germany, Canada, Norway, Russia, and Ukraine[11]”. Utilising custom-developed malware in conjunction with advanced social engineering techniques, RedCurl successfully infiltrated numerous companies to exfiltrate sensitive data. Their operations compromised business operations and exposed confidential information across various industries.
3. In 2020, U.S. organisations and government agencies fell victim to a nation-state cyberattack linked to a massive supply chain compromise[12]. Security researchers discovered that attackers had implanted a backdoor in SolarWinds' Orion IT monitoring software, affecting up to 18,000 customers, including key U.S. government agencies.
4. FireEye, a cybersecurity firm and one of SolarWinds' 300,000 customers[13], was the first to disclose the attack, revealing that it was part of a sophisticated nation-state operation. Multiple reports attributed the breach to APT29 (Cozy Bear), a Russian state-sponsored hacking group. The attack highlighted the vulnerabilities of supply chain security, emphasising the need for stronger cybersecurity measures in critical IT infrastructure.

Human Rights & Cyber Espionage

Human rights principles are crucial in the context of cybercrime investigations, particularly concerning cyber espionage, impacting various rights such as “privacy, fair trial, freedom of expression, and protection of property”. States have the responsibility to respect, protect, and fulfill these rights of an individual which are also protected as a fundamental right, so that a state can ensure that domestic legislation complies with human rights standards.

Same, in the present time human rights also work to regulate and protect the individual data that extend to the digital space also. It is commonly denoted as digital privacy, and in the contemporary world the, “right to privacy of users of digital media raises such concerns for users as unpermitted use of personal information gathered from users.[14]”

However, it violates the various fundamental human rights covered in different charters in international law, which have been discussed below:

1. Article 19[15] of the Universal Declaration of Human Rights (UDHR) recognizes the right to access information but acknowledges that this right is not absolute and may be subject to limitations. These limitations often serve as the foundation for data protection regulations. While non-state actors may seek access to information, it remains the state's responsibility to safeguard privacy rights through appropriate legal restrictions. However, these restrictions must be carefully balanced to prevent unjustified limitations on the fundamental right to access information.
2. Article 8[16] of the European Convention on Human Rights (ECHR) provides broad protection for various human rights, particularly the right to private life, which encompasses a wide range of aspects. This investigation primarily examines the right to privacy, which is safeguarded as an integral part of the broader right to private life. Under the same article, the right to private life also encompasses and creates an umbrella that protects personal data.
3. Article 12[17] of the Universal Declaration of Human Rights (UDHR) protects individuals from arbitrary interference with privacy, family, home, or correspondence, and from attacks upon their honour and reputation. It asserts that everyone has the right to legal protection against such interference or attack[18].
4. The UDHR's Article 12 is highly relevant in the digital age, where nearly every aspect of life leaves a digital footprint[19]. Governments seeking access to this data threaten autonomy, dignity, and basic democratic value. Which is also conferred by “Article 17 of the International Covenant on Civil and Political Rights of 1966[20]”.

States often invoke Article 51[21] of the UN Charter, which recognizes the right to self-defence, to justify measures against cyber espionage. However, cyber espionage typically falls short of the threshold of an 'armed attack' required to trigger this provision. While Article 2(4)[22] of the UN Charter prohibits the use of force against the territorial integrity or political independence of any state, cyber espionage is generally not classified as a use of force under international law. As a result, states must rely on alternative legal frameworks, such as countermeasures, diplomatic responses, and domestic cybersecurity laws, to address and mitigate cyber espionage threats.

Conclusion

As cyber espionage continues to evolve, posing significant threats to privacy and human rights, it is imperative to implement stricter legal and policy measures. Governments must strengthen cybersecurity frameworks, enforce stricter regulations on surveillance practices, and establish clearer international norms to prevent the misuse of digital surveillance tools. Without decisive action, the right to privacy will remain vulnerable to exploitation, jeopardizing democratic values and individual freedoms. A more stringent and accountable approach is necessary to safeguard privacy in the face of escalating cyber threats.

[1] The Right to Privacy. Article 12 of the Universal Declaration of Human Rights (UDHR).

[2] Paul Reynolds, The World's Second Oldest Profession, BBC NEWS (Feb. 26, 2004), https://perma.cc/B9KM-E5E5. 

[3] Mustafa A. O. Abo Mhara, Abdullah A. A. Abdulrahman, Abdulhakim A. S. Baroud, Cyber Attacks And Threats: Study Of The Types Of Cyber Attacks: Hacking, Viruses, Targeted Attacks, And Electronic Espionage, International Journal of Electrical Engineering and Sustainability (IJEES), ISI 2023-2024: (0.557).

[4] Ibid.

[5] Ibid.

[6]Sigholm, J., & Bang, M. (2013). Towards offensive cyber counterintelligence. 2013 European intelligence and security informatics conference. Retrieved from: http://www. ida.liu.se/~g-johsi/docs/EISIC2013_Sigholm_Bang.pdf .

[7]Siobhan Gorman & Stephen Fidler, CyberAttacks Test Pentagon, Allies and Forces, WALL ST.J. (Sept. 25, 2010), http://www.wsj.com/articles/SB10001424052748703793804575511961264943300.

[8] SentinelOne, What is Cyber Espionage, types & Examples,(October 14, 2024), https://www.sentinelone.com/cybersecurity-101/threat-intelligence/cyber-espionage/

[9] What is Cyber Espionage? Types & Examples, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/cyber-espionage/.

[10] The APT Group RedCurl Attack Enterprise Companies, Group-IB Report.

[11] Cyber Espionage, Proofpoint UK (Apr. 8, 2024), https://www.proofpoint.com/uk/threat-reference/cyber-espionage.

[12] Supra note 8.

[13] Gillis, A. S. (2023, March 23). cyber espionage. Search Security. https://www.techtarget.com/searchsecurity/definition/cyber-espionage.

[14] Everyone has the right to freedom of opinion and expression

[15] Right to privacy​​ Everyone has the right to respect for his private and family life, his home and his correspondence.

[16] Supra no. 1.

[17] Ibid.

[18] Ibid.

[19] Article 12: The right to privacy – Digital Freedom Fund. https://digitalfreedomfund.org/digital-rights-are-human-rights/article-12-the-right-to-privacy/

[20] The right to privacy and its protection by the law.

[21]  Supra note 1.

[22]  Id. at art. 2(4).