Rethinking the Territorial Tort Exception in the Age of Proxy States

Recently, there has been an increase in cybercrimes (see here) and their potential to cause tortious harm. Due to the inherent nature of such actions, they have transboundary effects and are often routed through proxy States with weak cyber infrastructure. In addition to this, international law recognises immunity for all State actions, barring certain exceptions such as the territorial tort exception. This exception strips a foreign State of immunity when the tortious act causing personal injury or property damage occurs within the territory of the State where the claim is being heard. This article interrogates a growing fault line in public international law, which is the inability of the territorial tort exception to State immunity to address transboundary cyber harm routed through proxy States. It argues that this inability occurs because the standard of due diligence in cyberspace depends on proving that a State had “knowledge” that its territory was being used to cause harm. Given the difficulty of tracing cyberattacks, this creates a gap that allows proxy States to avoid liability and leaves victims without effective remedies.

To address this failure, this article argues for a reconceptualization of jurisdictional immunity and due diligence to restore the protective purpose of the territorial tort exception and better address modern cyber harms.

The Territorial Tort Exception and Its Relevance

The United Nations (‘UN’) Charter recognises the sovereign equality of States (Art. 2(1)), preventing them from being subject to another State’s jurisdiction. However, this immunity is limited by the territorial tort exception. State immunity may be compared to white light dispersing into a rainbow, wherein the white light is the customary rule of State immunity, and the territorial tort exception refracts it into differing State interpretations that can be grouped into three categories.

The first group includes States that require the tortfeasor causing the damage to be present in the territory of the State claiming jurisdiction for the exception to immunity to apply. This group includes the States that are party to the European Convention on State Immunity (‘ECSI’) (Art. 11), the United States (“US”) (§ 1605), Japan (Art. 10). This approach has been adopted by the United Nations Convention on Jurisdictional Immunities of States and Their Property (‘UNJISP’). The second group includes the United Kingdom (§ 5), South Africa (§ 6), Australia (§ 3), and Singapore (§ 7). These States recognize that while the tortfeasor need not be physically present within the forum State, the exception will apply if the act or omission causing the injury or damage occurs within that State. The last group includes Canada (§ 6), Argentina (§ 2(e)), and Israel (§ 5). These States recognise that only the loss or damage must occur in their territory for a foreign State to be stripped of its immunity.

Thus, there is insufficient consistent State practice to establish the territorial tort exception as customary international law (CIL). To address this, the UN drafted the UNJISP with a uniform definition of the exception, but it failed to receive the required ratifications. For the UNJISP’s definition of the territorial tort exception to apply, three qualifiers have to be met. First, the injury must be caused by an act/omission that is attributable to a State, second, the act/omission must occur in whole or in part in another State’s territory, and third, the author must be present in the other State (Art. 12). Originally, this exception was intended to cover only ‘insurable risks’; however, the International Law Commission (‘ILC’) has clarified that the exception may cover physical harm such as assault, battery, arson and homicide (p. 45, ¶ 4).

In 2011, the International Court of Justice (‘ICJ’) did not establish whether the UNJISP definition of the territorial tort exception is reflective of CIL (¶ 66) or not. Since neither Germany nor Italy were parties to the UNJISP or the ECSI, the ICJ analysed the contents of these two legislations “in so far as they as their provisions and the process of their adoption and implementation shed light on the content of [CIL]” (¶ 66). Consequently, due to divergent practice and limited ratifications, States are bound to recognise the tort exception primarily through their own national legislations. The next part of the paper addresses the applicability of these legislations to cyber torts and analyses the blind spots.

Application to Cyber Torts

The first approach to the territorial tort exception requires the tortfeasor’s presence in the State where the damage occurs. The UNJISP and the US Foreign Sovereign Immunities Act (“US FSIA”) adopt this approach. The ILC commentary to the UNJISP specifically provides that the tort exception does not apply to “transboundary injuries or trans-frontier torts or damage” (Art. 12, ¶ 7). Similarly, the US courts have imposed the requirement of the “entire tort”, mandating that the tortfeasor, the harmful act, and the damage all occur within US territory. In Doe v. Ethiopia (2017), for example, the claim failed because the Ethiopian government’s wiretapping originated outside the US.

The second approach to the territorial tort exception does not require the tortfeasor’s presence in the State where the damage occurs, and the UK has extended this approach to cyber torts. Although the wording of the UK State Immunity Act (“UK SIA”) appears ill-suited to transboundary cyberattacks, judicial developments suggest otherwise. There has been a shift since the case of Al Adsani v. UK, where the claim failed because Kuwait’s acts occurred outside the UK.  In 2023, UK courts denied immunity to Saudi Arabia and Bahrain in transboundary spyware cases. Judge Knowles interpreted the UK SIA as requiring “an act” causing the damage on a more de minimis basis, rather than “the act” (¶ 30). Although this marked significant progress, it still does not address proxy States.

The third category of States theoretically accommodates cyber torts by virtue of their ‘damage-only’ requirement for applying the territorial tort exception. However, there is a lack of any jurisprudence applying the same to cyber torts. Additionally, even this interpretation fails to accommodate proxy States due to the significant gap created by the due diligence obligation in cyberspace.

Due Diligence and Proxy States

State sovereignty grants States control over their territory while imposing a corresponding duty of due diligence (p. 16, ¶ 12). In the Corfu Channel case, the ICJ held Albania responsible for damage caused to the UK by a minefield. The court’s reasoning was that the minefield could not have been laid without the State’s knowledge, establishing that States must not “knowingly” allow their territory to be used to cause harm (p. 244).

In cyberspace, due diligence remains uncertain due to the absence of binding international obligations, although States generally accept that international law applies to cyberspace (p. 89). Recent non-binding norms adopted through a General Assembly Resolution require States not to “knowingly” allow non-State actors to use their territory for internationally wrongful acts (“IWAs”) or to use proxies. Similarly, the Tallinn Manual recognises that due diligence obligations arise only in situations where States have knowledge of harmful activity (p. 33, ¶ 13). Additionally, the internet’s structure was not designed for today’s security threats, and attackers often route operations through proxy States with weak cyber infrastructure. This makes it impossible to trace the origin of cyberattacks (p. 34, ¶ 14).

As cyber activities can cause personal injury and property damage, it is pertinent to assess available remedies. Victims of cyber torts generally must seek relief in domestic courts, unless their State espouses the claim before the ICJ. The absence of such cases being heard before the ICJ represents the jurisdictional challenge, as only States may be parties to ICJ proceedings (Art. 34(1)). In the scenario where the victim files a claim in his domestic court against the tortfeasor, the Corfu Channel principle suggests that he will be successful in getting his remedy. However, in the context of cyber torts, a victim may only obtain remedy against the tortfeasor’s State and the routing State only if their own State employs the UK SIA approach. Even then, the State whose territory was used to route the attack will likely avoid liability because due diligence requires proof of actual knowledge. Unlike the mines in Corfu Channel, the highly indiscernible nature of cyberattacks makes proving such knowledge extremely difficult. The victim is thus wronged of two counts: the first being if immunity is not stripped for the damage they faced, which depends on the approach to State immunity adopted by their State; and second, where they are unable to hold the routing State accountable for its lax cyberspace standards that made the damage possible.

This unique situation arises because the low standard of due diligence is juxtaposed with the stringent standard of the territorial tort exception to State immunity. Due to this gap, the very purpose of the tort exception to immunity, which is “the protection of injured parties” (p. 31, ¶ 71), is not met. The Special Rapporteur on State immunity has also found that tortious liability of a foreign State should be locally justiciable if the damage to property, personal injury, or death occurred in the territory of the State. It is thus necessary to re-analyse the scope and substance of the territorial tort exception and its interplay with due diligence in cyberspace.

The Way Forward

To ensure that victims of cyber torts are not left without a remedy, a set of amendments must be enacted in tandem.

First, cyber activities can cause personal injury and property damage, yet victims of State-sponsored cyberattacks can currently obtain remedies only if their State employs the approach of the UK SIA. Thus, adopting the interpretation of Judge Knowles or the damage-only approach followed by Canada, Argentina, and Israel is the need of the hour. Employing either of these approaches would ensure that the protective purpose of the territorial tort exception is fulfilled.

Second, the due diligence obligation inadequately addresses attacks routed through proxy States because it depends on knowledge. A possible remedy is to detach due diligence from this requirement of knowledge and instead require States to adopt the highest feasible cybersecurity standards within their available resources. This would not require anticipatory measures like monitoring but would involve establishing global cybersecurity standards with accepted security benchmarks. This proposed system is not foolproof for two reasons. First, States have unequal resources, meaning some will continue to have weaker cybersecurity systems and remain vulnerable to becoming proxy States; and second, even with the highest cybersecurity standards, cybercrime is notoriously untraceable. Keeping this in mind, this proposed system would still reduce the ability of States to exploit claims of lacking knowledge and prevent them from becoming safe havens for cybercrime through weak cybersecurity standards.

Third, as there is a jurisdictional lacunae surrounding cyber torts, a dispute settlement mechanism similar to the UN Cybercrime Convention should be adopted (Art. 63). The Cybercrime Convention provides that if disputes between the parties are not settled through negotiation or other peaceful means, they may be submitted for arbitration at the request of one of the parties. If States are unable to agree on arbitration, States may approach the ICJ. Adopting this dispute settlement mechanism would prevent the jurisdictional lacunae surrounding cyber torts, as it would prevent victims from being left without a judicial forum.

Conclusion

The standards of the territorial tort exception under the ECSI, US FSIA, and UNJISP do not adequately address cyber torts, a gap that is further worsened by the uncertain standard of due diligence in cyberspace. This article argues for moving beyond the UNJISP approach, adopting a global cybersecurity standard, and introducing a dispute settlement mechanism similar to that of the UN Cybercrime Convention. These reforms would enable victims of cyber torts to seek remedies without being constrained by the barriers imposed by State immunity and due diligence. In doing so, the law would better reflect the realities of transnational cyber harm and restore the protective purpose underlying the territorial tort exception.