The Legality of Watering-Hole-Based NITs Under International Law

Cite as: 2 GEO. L. TECH. REV. 67 (2017)


Between February 20 and March 4, 2015, the United States Federal Bureau of Investigation (FBI) administered and monitored a child pornography website in an effort to identify those who accessed the website’s illicit content.1 This website, “Playpen,” had more than 150,000 users worldwide.2 The FBI’s investigation was known as “Operation Pacifier.”3

Playpen was configured as a Tor hidden service.4 From a practical perspective, this means that visitors were able to access Playpen without revealing their true identities.5

To identify the visitors, the FBI used what is called a “network investigative technique” (NIT).6 The technique involved configuring the Playpen server to install software on the computers that were used to access it.7 This style of NIT has been referred to as a “watering hole.”8

Once the software was downloaded from Playpen, it transmitted identifying information from those computers to the FBI.9 This enabled the FBI to identify the site’s visitors by locating their computers.10 The use of this NIT resulted in the software being installed on computers all around the world.11

The global reach of watering-hole-based NITs like the one used by the FBI in Operation Pacifier has led some to note the ambiguity of their legality in the context of international law.12 Indeed, as scholar Ahmed Ghappour explains, the “unilateral[] exercise of law enforcement functions in the territory of another state . . . has not been adequately addressed by courts or scholarship in the context of cyberspace.”13 Professors Orin Kerr and Sean Murphy challenged Ghappour by offering a “plausible” interpretation of contemporary customary international law that law enforcement is permitted to use NITs to determine where a computer is located in order to learn which state to approach for consent in future investigation.14

In light of the arguments these parties raise, this paper will address the narrow question of whether watering-hole-based NITs are permissible under international law. In addressing this question, this paper will offer a deeper analysis of application of customary international law to watering-hole-based NITs than Kerr and Murphy’s. This paper will conclude that, while Kerr and Murphy might be right that the use of watering-hole-based NITs is permissible generally, state practices thus far only appear to demonstrate their permissibility in child pornography investigations.

Part I will discuss the technology behind these NITs. Part II will introduce the reader to general concepts of international law that are relevant to this discussion. Finally, in Part III, this paper will explain why watering-hole-based NITs are governed by customary international law and thus permissible in the context of child pornography investigations.


A. Anonymization Using Tor

To understand the need for the NIT used in Operation Pacifier, it is necessary to understand how Internet users can mask their identities using Tor. An Internet user browses the web by using her computer to send and receive discrete bundles of data (called packets) to and from other computers.15 These packets contain a subset of information (called a header) that is used to route the data from its source to its destination.16 Within the header is the source Internet Protocol (IP) address of the sender.17 Under normal circumstances, the source IP address remains unchanged as the packet makes its way to the destination computer and can be read by the destination computer as well as the devices that route the packets to the destination computer.18 Since all of these routers and the destination computer see the same source IP address, they know where the packet came from and, therefore, can identify the computer that generated the packet.

For both innocent and nefarious reasons, Internet users have sought ways to anonymize their identities on the. One tool to do so is the Tor network.19 The Tor network protects the anonymity of its users by routing packets from a source computer through a series of routers; each router only sees the IP address of the devices immediately preceding and following it in the packet’s path.20 Therefore, while the router that receives the packet from the source computer sees the source computer’s IP address, this router will only know the destination IP address of the next router in the packet’s path.21 Similarly, while the last router in the path will know the IP address of the destination computer, it will only know the source IP address of the router preceding it in the packet’s path.22 Since neither the routers in the path nor the destination computer know both the user’s source IP address and the destination computer’s IP address, there is no way to link the data accessed at the destination computer to the user, and the user is therefore free to obtain this data anonymously.23

B. Network Investigative Techniques (NITs)

Because Tor enables user anonymity, law enforcement has used NITs that circumvent Tor and identify users who access illicit material. Broadly speaking, NITs are “methods or tools [the government] uses to access computers of individuals that have taken steps to obscure or mask certain identifying information, like an IP address.”24 Many of these techniques function by “surreptitiously installing software on a target’s computer,”25 which “cause[s] the computer receiving it to transmit data that will help identify the computer, its location, other information about the computer, and the user of the computer.”26 This software is known by different names;27 however, this paper will use the term NIT throughout for consistency.

To understand the application of international law to watering-hole-based NITs like the one used in Operation Pacifier, one must understand the various components of this NIT. These components include: (1) a “generator,” (2) an “exploit,” (3) a “payload,” and (4) a “logging server.”28

The generator is software that delivers the exploit and the payload to the target computer.29 The generator also creates a unique identification number, associates it with a logged-in user of the website, and delivers it to the target computer so that the user’s activity on a website can be tracked in the website’s logs.30 In the case of a watering-hole attack31 like that used in Operation Pacifier,32 the delivery program is run on the server hosting a website and delivers the exploit and the payload to each of the website’s visitors.33

The exploit is a piece of software that, when run on the target computer, causes the computer to behave in a manner unintended by the user.34 This unanticipated behavior can include various steps that result in granting a third party—for instance, the government—control over the target computer.35 While the FBI has managed to keep the precise workings of Operation Pacifier’s exploit secret,36 exploits used in similar cases have functioned by taking advantage of vulnerabilities in a user’s browser.37 In one such case, the exploit existed as code on a server.38 When a user visited a specific website hosted on that server, the user’s browser ran the code, which ultimately loaded and executed the NIT’s payload on the target computer.39

“The payload is the software that conducts the actual search on the visitor’s computer.”40 Among the things the payload revealed in Operation Pacifier was the target computer’s actual IP address and the unique identifier transmitted to the target computer by the generator.41

Finally, the logging server is a computer that collects the data transmitted by the payload.42 This data can later be analyzed and used as evidence when the government charges the suspect.

As the descriptions above indicate, the generator, exploit, and payload all contain software or data run or installed on the target computer in the process of searching that computer. Given the government’s assertion that “the identities of the . . . users of [Playpen] would remain unknown without the use of [network] investigative techniques,”43 the NIT could have searched the computer of a visitor located in any country. Indeed, some of these searches have led to arrests in countries including Israel, Turkey, Peru, Malaysia, Chile, and Ukraine.44 This means that the government’s NIT necessarily installed software on computers in all of these countries.


To understand whether cross-border searches like those that occurred during Operation Pacifier are permissible under international law, it is first necessary to determine which provisions of international law govern these searches. Making this determination requires a brief introduction to international law and its sources.

Article 38 of the Statute of the International Court of Justice is generally regarded as listing the sources of international law.45 It lists the following as primary sources: (1) international conventions, whether general or particular, establishing rules expressly recognized by the relevant states; (2) the general principles of law recognized by civilized nations; and (3) international custom as evidence of a general practice accepted as law.46 Article 38 also provides that “judicial decisions and the teachings of the most highly qualified publicists of the various nations, [shall provide] subsidiary means for determination of the rules of law.”47

A. Treaties

Treaties, sometimes called international conventions,48 consist of state commitments that would not be legally required of them in the absence of the convention.49 These commitments are to be executed in good faith,50 and states are generally free to make such commitments so long as they do not require violating certain “peremptory norms.”51

B. Customary International Law

The second source, customary international law, will be the most applicable to the later discussion of whether watering-hole-based NITs conform with international law. To become customary international law, a rule must be evidenced by consistent state practice and opinio juris: the subjective belief by “the States concerned . . . that they are conforming to what amounts to a legal obligation.”52 The contours of these two required conditions will be explored later in the context of watering-hole-based NITs.

C. Municipal Laws

The final source, general principles of law recognized by civilized nations, consists of municipal laws that are “applicable to [the] relations of states.”53 This is the least favored of the three primary sources of international law.54 In fact, it has been considered by some to be a secondary source of international law.55 Its purpose is to close gaps in international law, primarily when the tribunal confronts procedural or evidentiary issues.56 Given the limited applicability of this source, this paper will only address the legality of watering-hole-based NITs in view of international treaties and customary international law.


The first step in determining the permissibility of watering-hole-based NITs is to determine the governing international law. This section will first show that no treaties govern the use of these NITs. Next, it will show that the use of such NITs is permissible under the current state of customary international law.

A. Treaties

Currently, there is no treaty that completely prohibits cross-border searches like the one used in Operation Pacifier.57 However, the Council of Europe’s Convention on Cybercrime, also known as the Budapest Convention, does contain provisions on how such cross-border searches should be conducted.58 Specifically, it requires each party to adopt measures that enable it to search computer systems and seize data from within its own territory and provides that other parties may request this data.59 It also provides that parties may obtain data from persons in another party-state “if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data.”60 These provisions provide state-parties with instructions on what actions to take when the information they seek is in another party’s territory, but they do not expressly address how parties should conduct searches when they do not know the location of a suspect.

The Vienna Convention on the Law of Treaties, which represents a “starting point for any description of the modern law and practice of treaties,”61 provides that subsequent practice of parties to a treaty shall be taken into account when interpreting the terms of that treaty.62 In the case of Operation Pacifier, the FBI’s watering-hole-based NIT has led to at least 368 arrests in Europe and the dissemination of “[i]ntelligence packages . . . to law enforcement authorities in countries including Colombia, Croatia, Czech Republic, France, Ireland, Italy, Slovakia, Spain, Switzerland[,] and the United Kingdom.”63 All of the listed countries, except Ireland, have signed or ratified the Budapest Convention.64 Their apparent acquiescence to receiving information from the United States government’s search may imply that these parties believe that such a search is not a violation of the treaty.65 In light of this subsequent state practice, it is ambiguous whether the Budapest Convention proscribes a government’s use of watering-hole-based NITs. Therefore, it is necessary to look to customary international law for guidance on the permissibility of such a NIT.

B. Customary International Law

Recall that a rule must manifest itself in (1) state practice and (2) opinio juris to become customary international law.66 In situations involving new technology, it is often impractical to wait for these two conditions to develop with regard to the specific technology. Instead, the legality of actions involving the technology can be analyzed under existing legal frameworks.67 Applying existing legal frameworks to new technology can then result in the creation of new rules or changes to existing rules.68

Following the tradition of analyzing actions enabled by new technology under existing customary international law, scholars have considered whether a cross-border computer search would constitute an exercise of a state’s enforcement jurisdiction in a foreign territory.69 This inquiry is significant because customary international law prohibits states from unilaterally exercising enforcement jurisdiction within the boundaries of another state.70

Notably, proponents of applying this rule in the computer-search context have left open the possibility that a unilateral cross-border search will not necessarily violate customary international law when law enforcement does not know where the computer is located prior to conducting the search.71 Others have explicitly stated that the limitations on enforcement jurisdiction in the physical world do not clearly prohibit cross-border computer searches.72

Taking the general prohibition on the exercise of a state’s enforcement jurisdiction in a foreign territory into consideration, this section of the paper will assess the legality of watering-hole-based NITs under customary international law. It concludes that current state practice and opinio juris suggest that such searches are permissible, with the caveat that this acceptance has only been tested in the context of child pornography investigations.

1. State Practice

According to current state practice, watering-hole-based NITs in child pornography investigations are likely permissible under customary international law. State practice can be established through action or inaction.73 Inaction is particularly indicative of state practice when a state would be expected to protest the action of another state.74 Applying this rule to cross-border searches, it would be expected that when such a search violates international law by infringing upon the sovereignty of another state, the infringed state would protest the search.

As described earlier, Operation Pacifier resulted in cross-border searches in multiple countries and resulted in intelligence packages being created for Colombia, Croatia, Czech Republic, France, Ireland, Italy, Slovakia, Spain, Switzerland, and the United Kingdom.75 The result of this cross-border search has been 548 international arrests as of May 5, 2017,76 including arrests in Greece, Denmark, and Chile.77 Therefore, rather than protest the cross-border searches resulting from the watering-hole-based NIT, states have implicitly endorsed such searches by using information obtained from these searches to enforce laws within their own territories.78 Given the breadth of this search, this lack of protest implies that state practice supports a finding that searches resulting from watering-hole-based NITs are permissible under customary international law.

This was not the first time the U.S. government used a watering-hole-based NIT to conduct a search related to a child pornography investigation.79 Indeed, the practice was used at least once in 2012 and again in 2013.80 Moreover, it is known that foreign governments helped the United States conduct these investigations.81 This international help further indicates that states may not object to the use of watering-hole-based NITs to conduct searches, and therefore supports a finding that such searches are permissible under customary international law.

Notably, all of the investigations discussed in this paper were child pornography investigations. That 172 of out of 193 members of the U.N. General Assembly are parties to the Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography demonstrates broad international agreement that certain acts related to child pornography are prohibited.82 Relevant to this paper, the Optional Protocol requires state parties to make illegal the acts of “[p]roducing, distributing, disseminating, importing, exporting, offering, selling or possessing . . . child pornography.”83 Considering the widespread agreement to prohibit these acts, it is reasonable to infer that nations might be willing to accept the incursions on their sovereignty caused by watering-hole-based NITs in the limited context of child pornography investigations. Since investigations using watering-hole-based NITs have all been related to child pornography, it is unclear from state practice alone whether watering-hole-based NITs are permissible under international law in other contexts.

2. Opinio Juris

Even though state practice implies that watering-hole-based NITs are permissible under customary international law in the context of child pornography investigations, it is necessary to understand the current state of opinio juris to determine what is permissible under customary international law. This is especially true if, as some commentators assert, modern customary international law tends place greater weight on opinio juris than state practice.84

Recall that for a proposed rule of customary international law to be practiced with the requisite opinio juris, “[t]he States concerned must . . . feel that they are conforming to what amounts to a legal obligation.”85 The difficulty with assessing the presence of opinio juris is that it requires inferring a state’s subjective belief from its actions.86

In light of the difficulty of “proving the existence of the opinio juris, increasing reference has been made to conduct within the international [organizations].”87 For example, the International Court of Justice has adopted codifications of international law by the International Law Commission (ILC) as accurate representations of customary international law.88

Just as the ILC codifies rules of international law, the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) has attempted to codify the rules of international law as they apply to cyber operations. This effort has resulted in the publication of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Manual).

It is unclear whether the Manual will become an authoritative recitation of customary international law like the ILC codifications. As the Manual itself explains, “[the Manual] is not an official document, but rather the product . . . of independent experts acting solely in their personal capacity.”89 Furthermore, “[t]he Manual does not represent the views of the NATO CCD COE, its sponsoring nations, or NATO.”90 However, during the drafting of the Manual, over fifty States and international organizations had the opportunity to provide written comments on the proposed Manual.91

This drafting process is quite like the process by which the ILC drafts its codifications of international law in that the process is meant to identify existing international law,92 the drafters sit in their individual capacity and not as representatives of their Governments,93 and the process allows for states to comment on the proposed codification.94 However, significant differences exist as well. For instance, the members of the ILC are selected by the U.N. General Assembly,95 whereas the experts who drafted the Manual were selected by the NATO CCD COE.96 This is significant because there is greater state involvement in the selection of the ILC, which may imply that the ILC is more capable of reflecting these state’s subjective beliefs than the NATO CCD COE’s group of experts. Balancing these considerations, it is unclear whether the Manual will be held to accurately represent opinio juris.

Even if the Manual is taken to reflect opinio juris among states, it does not provide clear guidance on the legality of the use of watering-hole-based NITs. In accordance with the customary international law rules regarding enforcement jurisdiction, the Manual’s Rule 11 proclaims, “a State may only exercise extraterritorial enforcement jurisdiction in relation to persons, objects, and cyber activities on the basis of (a) a specific allocation of authority under international law, or (b) valid consent by a foreign Government.”97 The comments that accompany this rule indicate that it is based on the principle that exercising enforcement jurisdiction in another state’s territory without the proper authority or consent is a violation of that state’s sovereignty, as proscribed by Rule 4.98 Significantly, the commentary to Rule 4 states that “no consensus could be achieved as to whether . . . a cyber operation that results in neither physical damage nor the loss of functionality amounts to a violation of sovereignty.”99 Given that the watering-hole-based NIT used in Operation Pacifier only reported data back to the government and does not seem to have caused physical damage or loss of functionality, it seems as though this style of NIT fits precisely in the gray area of the Rule 4 commentary.

Nevertheless, the Rule 4 commentary is significant because it demonstrates that NATO CCD COE’s group of experts did not overlook the issue as to whether a cyber operation that results in neither physical damage nor the loss of functionality could amount to a violation of sovereignty. Rather, the experts considered the issue and failed to reach consensus. This leaves ambiguous the state of opinio juris regarding watering-hole-based NITs that neither cause physical damage nor loss of functionality.

3. The Rule: Combining State Practice and Opinio Juris

Given the ambiguous current state of opinio juris regarding the use of watering-hole-based NITs, state practice offers the only guidance as to the current state of customary international law. As explained above, the fact that countries have used information from the watering-hole-based NIT to prosecute offenders, coupled with the lack of objections to the use of the NIT, implies that the use of these types of NITs is permissible under customary international law—at least in the context of child pornography investigations.

Indeed, the apparent acquiescence to these searches functions as a form of consent, which, as mentioned above, is one way in which a state can be permitted to exercise extraterritorial enforcement jurisdiction. Because this implied consent, which is demonstrated by state practice, is limited to a specific type of NIT being used to investigate a specific type of act, sovereigns can be confident that extraterritorial searches in their territories will be limited in scope and impact. Therefore, the use of watering-hole-based NITs to conduct child pornography investigations—and perhaps investigations of other acts that are widely prohibited by the international community—seems to strike the proper balance between law enforcement needs and the right of a state to preclude other states from exercising enforcement jurisdiction within its territory.


Watering-hole-based NITs like the one used in Operation Pacifier provide a valuable tool in preventing cybercrime as they enable law enforcement to locate criminals who have anonymized their presence on the Internet. Since it is possible for cybercriminals to hide their locations using anonymization tools, continued use of these watering-hole-based NITs will invariably continue to result in cross-border computer searches. Given the current state practice of using watering-hole-based NITs in the context of child pornography investigations and the apparent acquiescence to the cross-border searches that result from these NITs, such searches are likely permissible under international law.

John Douglass

GLTR Senior Articles Editor; Georgetown Law, J.D. expected 2018; University of California, Los Angeles, B.S. 2007, M.S. 2009. © 2017, John Douglass.