
How Does the Tallinn Manual 2.0 View Data?

2017-02-03 Hong Yanqing (洪延青), 网安寻路人

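Back in 2013, the Tallinn Manual was first released. It gave the first detailed treatment anywhere in the world of the international law applicable to cyber warfare (the International Law Applicable to Cyber Warfare), and it caused a stir in the field.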


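Three years later, the Tallinn Manual 2.0 has finally appeared, focusing mainly on the international law applicable to cyber operations in peacetime (the International Law Applicable to Cyber Operations). Together the two manuals cover both wartime and peacetime. Whether or not we agree with the views in them, they are bound to become classics of the field.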


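Out of long-standing interest and attention, I have picked out the Tallinn Manual 2.0's main statements on data for everyone to comment on. Because time is short, this article only describes and does not evaluate; please forgive me. This article also quotes the English extensively, first in order to convey the manual's original meaning accurately, but the more important reason is again that time is short.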


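Before starting, there is one more important thing to announce: for the first time, the drafting of the 2.0 manual included the voice of a Chinese expert! Professor Huang Zhixiong of Wuhan University School of Law is one of the manual's twenty legal experts and took part in the discussion and drafting throughout, which is truly exciting! He is the handsome guy on the far right!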

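[Note: I should talk to Professor Huang Zhixiong about becoming his exclusive agent. That way all future interviews, speeches and the like would have to go through me, haha! So now that you have seen this article, you know what to do, right? Tip if you feel like tipping, share if you feel like sharing!]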


Question 1: Where does data sit in cyberspace?


Tallinn 2.0 divides cyberspace into three layers:


Physical layer: The physical layer comprises the physical network components (i.e., hardware and other infrastructure, such as cables, routers, servers, and computers)


Logical layer: The logical layer consists of the connections that exist between network devices. It includes applications, data, and protocols that allow the exchange of data across the physical layer. Note that data is placed in the logical layer.


Social layer: The social layer encompasses individuals and groups engaged in cyber activities.


Question 2: Can a State exercise sovereignty over data?


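Rule 2 of Tallinn 2.0 holds that the objects over which a State exercises sovereignty internally are mainly the physical layer and the social layer of cyberspace (A State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.).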


What about the logical layer? On this, the commentary to Rule 2 says: the principle of sovereignty affords States the right to control aspects of the logical layer of cyberspace within their territories. Only some aspects? Does that include data or not?


Let's jump to Rule 9, Territorial jurisdiction. Rule 9 reads:

A State may exercise territorial jurisdiction over:
(a) cyber infrastructure and persons engaged in cyber activities on its territory;
(b) cyber activities originating in, or completed on, its territory; or
(c) cyber activities having a substantial effect in its territory.


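Still no mention of data, which is really frustrating. Could it be that Tallinn 2.0 denies that a State can exercise sovereignty over data? Yet in the commentary to Rule 9, the manual adds this sentence: territorial jurisdiction applies to persons, natural and legal, involved in cyber activities that are present within a State’s territory and to cyber infrastructure and data that are located on that territory. At last, data surfaces. It appears that a State can exercise jurisdiction over data stored within its territory. Note that the manual uses the word "locate" here. An important distinction will follow later.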


Question 3: Can a State exercise sovereignty over data that merely transits its territory?


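On this, the Tallinn 2.0 experts could not reach a unified view. Those in favour and those against were divided half and half; the manual uses the word "split".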


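The side that sees no authority to regulate holds that data merely transiting a State's territory has only an "extremely slight connection" with the cyber infrastructure in that territory (there is only minimal connection with cyber infrastructure on that State’s territory), and that the nature of the Internet means data passes through a great many States before reaching its destination (data will often traverse the territory of many States en route to its intended destination). Take a cyber operation as an example: a cyber operation launched by State A against State C passes through State B. For State B, the connection between the operation and the infrastructure on State B’s territory is de minimis, as are the relevant interests of State B.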


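The side that sees authority to regulate holds that if a cyber operation makes use of State B's cyber infrastructure, then its connection with State B's interests is not an "extremely slight connection". (In that the operation involved cyber infrastructure located on its territory, its interest vis-à-vis it is not de minimis.) [Note: sharp readers will surely grasp this side's intent right away.]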


Question 4: Can a State still exercise sovereignty over data that has flowed outside its territory?


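Some experts proposed that, absent explicit restrictions in international law, a State should be able to exercise sovereign rights, including jurisdiction, over government data and citizens' personal data stored in or transmitted to locations outside its territory. (A few of the Experts were of the view that States are also entitled to exercise sovereign rights, including jurisdiction, over government data and that of their nationals stored or transmitted outside their territory, subject to specific restrictions imposed by international law.)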


Most experts did not accept this. They held that once data is stored or transmitted abroad, it is detached from the cyber infrastructure, persons and activities within the territory, and in that situation the State may not exercise sovereignty over the data. (For these Experts, a State’s sovereignty over data that is stored or in transit abroad can exist independently of its sovereignty over cyber infrastructure located in its territory and the persons and activities therein. The majority, by contrast, took the position that States do not enjoy such sovereignty over data located abroad unless international law specifically so provides, as in the case of data stored aboard certain objects like warships.)


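Isn't that very puzzling? Does this mean that sovereignty over data can only attach to the cyber infrastructure, persons and activities within the territory? Is there no such thing as independent data sovereignty? That is taking data far too lightly.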


Question 5: What exactly is the nature of data?


In Rule 100, Civilian objects and military objectives, the manual states explicitly that data does not constitute an "object" in the sense of the current law of armed conflict, and therefore an attack on data should not, in essence, be regarded as an attack. (The majority of the International Group of Experts agreed that the law of armed conflict notion of ‘object’ is not to be interpreted as including data, at least in the current state of the law. In the view of these Experts, data is intangible and therefore neither falls within the ‘ordinary meaning’ of the term object, nor comports with the explanation of it offered in the ICRC Additional Protocols 1987 Commentary. Therefore, an attack on data per se does not qualify as an attack.)


In Rule 92, Definition of cyber attack, the manual adds that this should not be treated as absolute: if an attack on data can result in injury or death of persons or in physical damage, then those persons and objects constitute the "object of attack", and the attack on data can be regarded as a cyber attack. (The limitation in this Rule to operations against individuals or physical objects should not be understood as excluding cyber operations against data (which are non-physical entities) from the ambit of the term attack. Whenever an attack on data foreseeably results in the injury or death of individuals or damage or destruction of physical objects, those individuals or objects constitute the ‘object of attack’ and the operation therefore qualifies as an attack. Further, as discussed below, an operation against data upon which the functionality of physical objects relies can sometimes constitute an attack.)


In Rule 149, Confiscation and requisition of property, the manual states explicitly that data is not property. (For the purposes of this Rule, the majority of the International Group of Experts agreed that, sensu stricto, data does not qualify as property.)


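So, in the commentary on data under the three rules above, data is, first, not treated as an object and, second, not treated as an object of attack. Taken together with Question 4, data really does stand a notch below cyber infrastructure, persons and activities.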


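Looking back at Question 2, a State can exercise jurisdiction over data stored on its territory, yet the text of the rules themselves says not a word about data. Evidently the Tallinn Manual 2.0 does not treat data as an independent object of sovereignty.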


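The five questions above certainly cannot cover everything Tallinn 2.0 says about data; they are only the basics. There is plenty more interesting content worth careful analysis, so please keep following this account.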




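P.S. The Tallinn Manual 2.0 is not cheap: the paperback edition costs nearly 60 US dollars and can be ordered from Cambridge University Press. Interested readers can click "Read the original" at the bottom left.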
