Sixty-seven years after the ICRC published the so-called “Pictet Commentary” to the 1949 Geneva Convention relative to the Protection of Civilians in Time of War (GC IV), it has completed an updated version that considers, inter alia, State practice, opinio juris, judicial decisions, and scholarly commentary relevant to the evolution of warfare since 1958. That evolution has been driven in great part by technological advances, both in how wars are fought and in their impact on the civilian population. Indeed, the internet, cyber operations, digital data, space operations, autonomous systems, biometrics, artificial intelligence, and countless other technologies were largely inconceivable when the Pictet Commentary was produced.
Developed over five years under the leadership of Jean-Marie Henckaerts, the resulting 2025 Commentary addresses technology not through a single dedicated section but by integrating discussion into the commentary on specific rules. Doing so is consistent with the principle that new technologies are subject to existing law of armed conflict rules. The International Court of Justice (ICJ) confirmed this principle in its Nuclear Weapons advisory opinion, where it observed that to hold otherwise would “be incompatible with the intrinsically humanitarian character of the legal principles in question which permeates the entire law of armed conflict and applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future” (¶ 86; see also, e.g., DoD Law of War Manual, § 16.2 on cyber).
But, of course, the very novelty of new technologies sometimes precludes hand-in-glove application of extant rules. This necessitates interpreting the rules in the changed context in which they are to be applied. As Henckaerts has observed, doing so requires States, acting in good faith, to “adapt their interpretations to ensure that the rationale behind the protections remains in place” (see also VCLT, art. 31(1)). It is an observation that finds support in the ICJ’s Gabčíkovo-Nagymaros statement that “[t]he principle of good faith obliges the Parties to apply [treaties] in a reasonable way and in such a manner that its purpose can be realized” (¶ 142). And, as I have asserted elsewhere, an interpretation must not only be made in good faith and reflect the object and purpose of the rule in question, it must also “pass the straight face test.”
In this article, I survey revisions to the 1958 GC IV Commentary that accommodate technologies that did not exist when either the GC IV or the original Commentary drafters were at work, grouping my review across five themes. I do so not only to alert readers to the adjustments, but also to assess whether the ICRC’s Commentaries team applied the aforementioned interpretive approach in a measured fashion, one that remains loyal to the respective rule’s object and purpose without masking an attempt to style lex ferenda (the law that should be) as lex lata (the law as it exists).
Ultimately, the ICRC’s work in the Commentary is highly positive, with just one potentially premature conclusion (regarding the treatment of data as property).
1. Cyber Operations and the Threshold of Armed Conflict
The 2025 Commentary takes on the challenging question of whether cyber operations can trigger an international armed conflict under Common Article 2 of the Geneva Conventions or a non-international armed conflict under Common Article 3. It is a dispositive question, for in the absence of armed conflict, the GC IV’s rules, including those affording protection to civilians, are inapplicable (although other protections apply in peacetime, such as those provided for by international human rights law).
There is universal agreement that cyber operations with a nexus to an ongoing armed conflict, whether international or non-international, are subject to the law of armed conflict (see, e.g., DoD Law of War Manual, § 16.2; ICRC cyber position paper, pages 4-5; and here on the United Nations Groups of Governmental Experts approach). The harder question is whether these operations, standing alone, can initiate armed conflict. As the Commentary notes (¶ 323; see also ¶ 324),
Technological advances, in particular the exponential increase in States’ cyber capabilities and their potential impact on the population and infrastructure as well as on the military capabilities of an enemy State, pose important questions in relation to the applicability of international humanitarian law. More specifically, it is important to determine at what point cyber operations bring an international armed conflict into existence.
With respect to international armed conflict, the commentary to Common Article 2 accurately notes that “[i]t is generally accepted by experts, and reflected in the positions of a growing number of States, that cyber operations having similar effects to traditional kinetic operations would amount to an international armed conflict and would have to be conducted in accordance with the rules on the conduct of hostilities” (¶ 325; see also Tallinn Manual 2.0, rule 82 commentary). Thus, if a cyber operation results in physical damage, destruction, injury, or death of individuals, and all other conditions for qualification as an international armed conflict (especially that Hostilities are between States) are satisfied, an international armed conflict is underway.
As to cyber operations not having these physical consequences, the Commentary is cautious, and rightfully so: “it remains to be seen if and under what conditions states will treat such cyber operations as armed force amounting to armed conflict under international humanitarian law in future operations” (¶ 326). For example, the widespread denial of service operations conducted by a State into another State’s territory would raise the issue.
My own view corresponds with the ICRC’s position that “there is no requirement that the use of armed force between the Parties reach a certain level of intensity before it can be said that an armed conflict exists” (¶ 306). I am also of the opinion that a cyber operation that qualifies as an “attack” under the law of armed conflict suffices to trigger an international armed conflict (see Additional Protocol I, art. 49, for an accepted definition of attack).
But even if this approach is adopted, the threshold dilemma remains unresolved. The Tallinn Manual 2.0 experts struggled mightily with the legal meaning of the term “attack” in the context of cyber operations. Some would require physical effects, while others would treat a non-physical loss of functionality of the targeted infrastructure as sufficient damage to qualify an operation as an attack. But even those in the latter group disagreed on the degree of functional loss that sufficed (rule 92 commentary). This lack of consensus was subsequently mirrored in State positions (see, e.g., Schmitt & Vihul, pages 69-70). The point is that the question of whether non-destructive, non-injurious cyber operations can initiate an armed conflict remains unsettled.
Common Article 3 concerns non-international armed conflicts and sets forth limited protections for civilians. Like Common Article 2 for international armed conflict, the commentary to the article notes that, in principle, the same criteria that are employed to determine whether kinetic operations trigger a non-international armed conflict apply in the case of cyber operations – “protracted armed violence between governmental authorities and organized armed groups or between such groups within a State” (Tadić, para. 70; see also ICTR, Akayesu, para. 619; ICC, Bemba, para. 229).
However, it warns that “[p]articular challenges arise when applying the established classification criteria to cyber operations” (¶ 510), highlighting the same issues that others have consistently singled out (see, e.g., Tallinn Manual 2.0, rule 83 commentary; and here). These include the question of how to treat a group organized entirely online (e.g., how to enforce the law of armed conflict within the group) and the fact that most cyber operations do not generate consequences of a nature and intensity sufficient to satisfy the relatively high threshold required for a non-international armed conflict.
Interestingly, given the centrality of space in contemporary warfare, a footnote notes that Common Article 3 also applies to an existing non-international armed conflict involving operations in space (FN 123). This is consistent with Rule 30 of the Woomera Manual on the International Law of Space Operations: “To the extent that a terrestrial non-international armed conflict that originates on the territory of a State involves military operations from, to, or within space, all relevant rules of the law of armed conflict relating to non-international armed conflicts apply to those operations.” The Woomera Manual experts, however, were pessimistic about a non-international armed conflict occurring entirely in space, for both legal and practical reasons (rule 30, commentary). Such hesitancy is consistent with the commentary’s decision to limit its mention of space to ongoing non-international armed conflict.
With regard to both international and non-international armed conflicts, the ICRC has fairly characterized the state of the law regarding cyber operations that, standing alone, trigger an armed conflict.
2) Protection of Medical Services and Data in Cyberspace
Article 18 of GC IV requires that parties to a conflict “respect and protect” civilian hospitals (see also Customary IHL, rule 28; DoD Law of War Manual). Given their vulnerability to hostile cyber operations, the article’s commentary appropriately discusses the effects such operations may have on the delivery of medical services (Commentary, ¶ 1799).
The obligation to respect civilian hospitals also involves not interfering with their medical functioning by non-physical means, such as cyber or other digital operations. Disrupting the information technology infrastructure of medical services or disabling the functionality of medical equipment would be unlawful. Importantly, such disruption includes manipulating, deleting or otherwise damaging medical data that form an integral part of medical facilities. Relevant data in the medical context include those necessary for the proper operation of medical equipment and for tracking the inventory of medical supplies, as well as personal medical information essential for the treatment of patients.
This is precisely the approach the Tallinn Manual 2.0 experts had earlier taken: “The duty to respect [medical units] is breached by actions that impede or prevent medical … personnel, medical units, or medical transports from performing their medical … functions, or that otherwise adversely affect the humanitarian functions of medical … personnel, units, or transports. It includes, but is not limited to, the prohibition on attacks” (rule 131 commentary). In fact, the commentary’s reference to data draws directly from examples in the commentary to Tallinn Manual 2.0’s Rule 132. Importantly, rule 132 emphasized that the protection did not depend on the cyber operation in question qualifying as an attack under the law of armed conflict.
Article 19 of GC IV deals with situations in which medical facilities lose protection because they are being “used to commit, outside their humanitarian duties, acts harmful to the enemy.” Paradigmatic examples include using a medical facility to store weapons or other military equipment, shelter combatants, or serve as a fighting position. Despite the loss of protection, attack is only permitted “after due warning has been given, naming, in all appropriate cases, a reasonable time limit, and after such warning has remained unheeded.”
As noted in the article’s commentary, “The absence of a further definition of this concept allows for flexibility in determining how to implement this requirement in light of the prevailing circumstances and available technologies.” Thus, it sensibly observes that among the means that can be employed to issue the warning are “an e-mail addressed to the hospital management or competent authorities” (¶ 1855). Other means, such as text messages or taking control of computers to message the hospital concerned, would likewise suffice, since the requirement is not based on the mode of warning but on its effectiveness.
Accommodation has also been made for the possibility of new forms of civilian medical transport, which, like hospitals and other medical facilities, are protected from attack (art. 21 for land and sea transport; art. 22 for medical transport by air; see also Customary IHL, rule 29). Of particular note are uncrewed or autonomous medical transport systems, which are especially well-suited for battlefield evacuation because they dramatically reduce risk to medical personnel who might otherwise be involved. Such ground systems are already in use in Ukraine. Comparable air evacuation systems are under development (e.g., see here and here).
The commentary to Article 21, which extends special protection to land vehicles that are exclusively assigned (temporarily or permanently) to the medical transportation of civilians and are in convoy, anticipates such developments (¶ 1942).
It is increasingly likely that States will develop and employ ground medical evacuation vehicles that are either remotely controlled or autonomous to collect and transport wounded and sick persons. As long as they operate in convoys and are assigned exclusively to medical transportation, either permanently or temporarily, there is no reason to exclude such transports from the scope of Article 21. Their protection can only contribute to the humanitarian objectives of the Convention.
Note that the special protection from attack for medical vehicles applies only when in convoy, as the text makes clear. However, I see no reason the convoys could not be entirely made up of uncrewed or autonomous systems. In any event, such vehicles are already immune from attack as civilian objects, and in my estimation, all medical vehicles, military or civilian, convoyed or not, are specially protected from attack under customary international law (Customary IHL, rule 29; DoD Law of War Manual, § 17.11.1).
Article 22’s commentary emphasizes that “uncrewed aerial vehicles” used for civilian medical treatment are encompassed within the meaning of the term “aircraft” (¶ 1978). In doing so, it mirrors the position taken by the experts who prepared the Program on Humanitarian Policy and Conflict Research at Harvard University (HPCR) Manual on International Law Applicable to Air and Missile Warfare, which defined aircraft as “any vehicle – whether manned or unmanned – that can derive support in the atmosphere from the reactions of the air” (sect. a). The article’s commentary is especially forward-looking, as it adds: “Advances in transportation technology may also result in new types of aircraft (including uncrewed aircraft) falling within the scope of Article 22” (id.). This will allow the commentary to remain current as further advances, such as autonomous medical and AI-enabled evacuation aircraft, become commonplace, as they surely will.
3) Data as Protected Property
Article 53 of GC IV prohibits “[a]ny destruction by the Occupying Power of real or personal property belonging individually or collectively to private persons, or to the State, or to other public authorities, or to social or cooperative organizations… except where such destruction is rendered absolutely necessary by military operations.” This provision relates to a question that has occupied the attention of the law of armed conflict community in a different context since being identified by the Tallinn Manual experts (rule 100 commentary). The issue is whether data qualifies as an object, such that a cyber operation directed at civilian data that destroys, damages, or alters it qualifies as an attack on a civilian object and, therefore, is not only an “internationally wrongful act” by the State concerned but also a war crime by the individuals involved.
Article 53 raises the analogous question of whether data can qualify as property. In its commentary, the ICRC takes the position that data can do so: “the concept of property is not limited to tangible property, and includes intangible property, such as intellectual property, data, and even certain classes of rights. This confirms the interpretation suggested by the ordinary meaning of the term.” In a footnote (37), the commentary adds, “On the specific question of whether data is property protected by this provision, it is the ICRC’s view that it is.”
The view is reasonable but not unassailable. For instance, there is disagreement over whether the intangible nature of data precludes treating it as an object; the majority of the Tallinn Manual 2.0 experts concluded that it does, and therefore, by that view, civilian data does not enjoy the protection that civilian objects do (page 550). The problem, as I have explained multiple times, is that neither view fully accommodates the balance between military necessity and humanitarian considerations that should animate any interpretation of the law of armed conflict. That same reality applies, mutatis mutandis, to the question of whether data is property.
It is a bit disappointing that the ICRC consigned the discussion of this difference of opinion to a footnote, which is itself somewhat problematic. First, Footnote 37 asserts that “the recognition of data as property that is protected under Article 53 has been questioned, albeit without explanation, by a majority of the experts who drafted the Tallinn Manual.” But it failed to acknowledge that, in some circumstances, the experts did treat data as protected property, for instance, in the case of cultural property (Tallinn Manual 2.0, rule 142 commentary).
My primary concern, however, is relegation of this important issue (the distinction between objects and property) to the footnotes. A debate continues to rage among scholars and States over whether data is an object, a fact I hope the ICRC will acknowledge in its forthcoming commentary on Additional Protocol I. But that debate does not necessarily map directly onto the law of armed conflict protections afforded to certain types of property, as the Tallinn Manual experts noted with respect to cultural property. In this regard, Footnote 37 also points out that the question of whether Article 52 protects data is distinct from whether data can be pillaged under Article 33 (see below). It also distinguishes between data as property under Article 53 and data as an object under Article 52 of Additional Protocol I, which prohibits attacks on civilian objects.
Given the centrality of data in the lives of the civilian population, the issue merited somewhat more attention than it received. It would have been useful for the ICRC to provide further support for its position on data as property under Article 53, which was slim and conclusory, and to fully explain its criteria for the distinctions highlighted in the footnote. Moreover, the text in question relies heavily on ICRC publications, whereas State practice provides far greater authoritative interpretive valence. Simply put, the ICRC was too quick to arrive at a definitive conclusion.
As mentioned, GC IV, Article 33, prohibits pillage, which includes the “systematic and violent appropriation of movable public or private property belonging to [inter alia] the enemy State [and] civilians” (see also ICRC Customary IHL, rule 52). Traditionally, the prohibition has been understood to encompass movable physical property. But this raises the question of whether the destruction of data can be considered a form of pillage.
The answer follows from whether data may be treated as property, the issue discussed above. The ICRC believes it may, although my criticism of its thin support for the proposition applies mutatis mutandis here.
Nevertheless, and commendably, the commentary to Article 33 acknowledges that “[i]t is at present unsettled whether the prohibition of pillage extends to computer (digital) data.” In a very fair rendering of the matter, the ICRC cautions (¶ 2580),
it is unclear whether, for example, exfiltrating, leaking or encrypting data stored on a device belonging to another would amount to an act of ‘appropriation’ of such data, given that the original owner would not necessarily be dispossessed of it in the same way as with physical property. Therefore, it remains to be seen whether and under what conditions States will treat such cyber operations as acts of pillage.
I commend the ICRC for addressing this issue with insightful caution, one that we failed to identify during either of the two Tallinn Manuals projects.
4) Protected persons, including internees and families
A key protection of relevance to the use of technology during armed conflict is Article 27‘s prohibition on exposing protected persons to “public curiosity.” In that regard, the article’s commentary points to “the rapid developments in communication technology and the growing involvement of mass media in the coverage of armed conflicts, together with the ubiquity of social media as a means of distributing both images and other digital content.” It concludes, correctly so, that “[w]hile the spread of harmful information is not new, the use of modern technologies to disseminate it has a considerable impact on the scale and speed at which such information reaches multiple target audiences online” (¶ 2276).
Accordingly, “Parties to a conflict must exercise due diligence in preventing the media, including social media platforms, from exposing protected persons to public curiosity” (¶ 2276). The acknowledgement that technology poses a particular risk of public curiosity aligns with observations in the ICRC’s 2020 GC III Commentary regarding the prohibition on making prisoners of war the objects of curiosity (art. 13). It points out that “[p]rohibited images or private data of prisoners leaked to the press or posted on the internet can be quickly picked up and retransmitted by television channels, newspapers or websites all over the world” (¶ 1632).
Along similar lines, the GC IV 2025 Commentary deals with technology in its discussion of multiple articles governing internment. For instance, in addressing the right of internee communication (art. 107), it highlights various forms of communication, including phones, text messaging, e-mail, and video conferencing (¶¶ 5240, 5241, 5245, 5266). And under GC IV, Article 116, internees are “allowed to receive visitors, especially near relatives, at regular intervals and as frequently as possible.” The article’s commentary cautions that the fact that internees are communicating in accordance with Article 107 by telephone or video calls does not deprive them of the right to visits (¶ 5503). This would equally extend, in my view and likely the ICRC’s, to all other means of modern communication. That said, the commentary on the right emphasizes that should actual visits with family members be exceptionally restricted or postponed, the aforementioned modern means of communication “must be considered in order to fulfil, to the degree still possible, the obligation to respect family rights in accordance with Article 27” (¶ 5518).
Although internees have a right to communicate, communications may be censored for valid reasons. But Article 112 imposes limits on censorship that extend, according to its commentary, to communications by “more modern means of communication, such as email, audio and video messages” (¶ 5403).
Internees are also subject to surveillance to maintain order and prevent escapes. Article 100’s commentary mentions, for instance, electronic monitoring bracelets and video surveillance. Such means of surveillance may have “humanitarian advantages by discouraging abuses by guards who may fear the discovery of any violation that may have been committed or that the footage could be used as evidence against them” (¶ 5052). However, as with censorship, GC IV restricts surveillance (art. 100). They are particularly important in light of new technologies (¶ 5053),
Even more recent technological advances enable ever-more intrusive and omniscient surveillance systems. The capacity and speed of biometric and other personal data collection, storage, and automated processing are accelerating exponentially, including for instance through the use of automated facial recognition and artificial intelligence. Sensitive personal data risks becoming exposed to nearly limitless remote access in practice, whether authorized or not.
Accordingly, Detaining Powers “must ensure that the technologies deployed, and the circumstances and manner in which they are used, comply with the requirements of the Convention.” In particular, they have to “ensure that any collection and processing of biometric information is proportionate to a legitimate purpose and subject to a degree of protection, confidentiality and security commensurate with its heightened sensitivity” (¶ 5053). The commentary to Article 120, which, in relevant part, addresses the use of surveillance to prevent escapes (¶ 5653), as well as that on visits under Article 116 (¶ 5524), raises the same sorts of issues.
Advances in technology have also impacted GC IV obligations concerning internee recreation and education, with the Commentary highlighting electronic sources and distance learning (art. 94, ¶¶ 4803 and 4818) and internee valuables and financial resources, which in the modern context can involve electronic money and digital wallets (art. 97, ¶ 4928; art. 98, ¶¶ 4957, 49068).
GC IV also extends protections to family life. During an armed conflict, “all persons in the territory of a Party to the conflict, or in a territory occupied by it, shall be enabled to give news of a strictly personal nature to members of their families, wherever they may be, and to receive news from them (art. 25). To effectuate this right, the article’s commentary suggests (¶ 2139),
States should consider technological developments when interpreting Article 25 to give full effect to its purpose. Article 25 is best realized today by ensuring that the civilian population has access to the widest possible range of communication options – including ordinary post, telephone, text message, email and social media – so that each individual can share personal news with family members using the most convenient and effective means for them.
In support of this right, Article 26 obligates parties to a conflict to “facilitate enquiries made by members of families dispersed owing to the war, with the object of renewing contact with one another and of meeting, if possible.” Moreover, they are to encourage the work of organizations supporting these efforts. The commentary highlights technological advances, like email and “other internet data transfers,” appearing since the Convention was adopted, and maintains that “[s]uch developments should be taken into account in determining the most effective means of facilitating the dispatch, receipt and processing of enquiries in any given context, while also considering questions of reliability, security and integrity” (¶ 2167).
Finally, Article 136 of GC IV provides an important protection for civilians, the establishment of an official Information Bureau by each party to the conflict. The Bureau is “responsible for receiving and transmitting information in respect of the protected persons who are in its power.” Article 137 lays out how that information is to be transmitted. In that regard, its commentary acknowledges that, since the Convention was drafted, “numerous national, regional and international instruments relating to privacy and data protection have been adopted.” Such instruments impose varying obligations and prohibitions, some of which would apply to Information Bureau activities. Accordingly, the commentary to Article 137 cautions (¶ 6163),
While these instruments vary in content and scope, the principles of lawfulness of processing, purpose specification, data minimization and data security they contain are relevant in this context. The collection and transmission of information on protected persons by the bureaux should be reconciled with these principles.
5) Judicial and law enforcement activities
The GC IV Commentary emphasizes the utility of technology in investigations and trials. For example, new technologies can enhance the ability of those accused of crimes during occupation to mount an effective defense (art. 72). As the commentary to the article points out, when witnesses are not physically available, consideration should be given to “the use of communications technology that would allow such witnesses to participate in proceedings remotely” (¶ 4027). This reflects a trend already well established in international criminal proceedings, including at the International Criminal Court, the International Criminal Tribunal for the Former Yugoslavia, and the International Criminal Tribunal for Rwanda.
Along similar lines, Article 146 deals with penal sanctions for acts contrary to GC IV that constitute war crimes. That article’s commentary observes that efforts to investigate and prosecute war crimes “have been facilitated significantly by technological developments that have created new possibilities for conducting investigations extraterritorially” (¶ 6612). It offers as examples the use of digital evidence during investigations and trials in Syria, Iraq, and Ukraine.
Of note in this regard is the potential to leverage open-source intelligence (OSINT), which has played a central role in documenting war crimes. Indeed, independent investigative groups like Bellingcat and the Global Legal Action Network’s Justice and Accountability Unit have demonstrated how geolocation, satellite imagery, social media metadata, and other publicly available digital traces can be systematically analyzed to reconstruct incidents and identify perpetrators of war crimes.
Concluding Thoughts
I have long been impressed with the ICRC’s efforts to clarify the parameters of the law of armed conflict in a slow, methodical, and sophisticated manner. Indeed, as a result of those efforts, I never write on the subject, including this one, without carefully considering its Customary International Humanitarian Law study and the various Commentaries to the Geneva Conventions and Additional Protocols, both original and updated. The 2025 GC IV Commentary will certainly prove an indispensable tool for me and for anyone else doing serious work in the field.
As for the ICRC’s approach to new technologies in the new GC IV Commentary, I find the discussion thorough, balanced, fair, and helpful. My sole concern was its treatment of data as property, a topic I felt the ICRC could have handled with greater granularity and more caution. But even there, my concern was not with the conclusion itself, which is not unreasonable, but rather due to a sense that it was a bit premature in the absence of State practice and opinio juris.
Finally, my congratulations to the entire team that is, and has been, working on all of the updated Commentaries. A project that involves working for half a decade to produce a single Commentary must surely be exhausting. But for the international law community, their contributions cannot be overestimated. And, of course, that community owes a particular debt of gratitude to my longtime friend, Jean-Marie Henckaerts. A project of this magnitude has no hope of success without great leadership, which this one certainly enjoys.
