The use of advanced technologies to commit international crimes is increasing, and thereby raising challenges in framing new accountability mechanisms within the existing legal parameters. For example, there are well-known instances such as the role of Meta in the amplification and promotion of hateful and discriminatory content which lead to the acts of ethnic cleansing of Rohingya Muslims in Myanmar. In fact, even the International Criminal Court (ICC) has been the object of cyber-attacks (which included disruptions to communications and documental archives). These incidents highlight the need for the competent authorities to develop the necessary tools to deal with these new forms of committing crimes – including the offenses against administration of justice contained in Article 70 of the Rome Statute.
According to Karim Khan, Prosecutor of the ICC, even though no provision of the Rome Statute pertains specifically to cyberspace, such conducts may fulfill the elements of the existing core international crimes. In this context, earlier this year, the Office of the Prosecutor (OTP) of the ICC released a draft version of a Policy on Cyber-Enabled Crimes under the Rome Statute. Among its objectives is affirming the rigorous investigation and prosecution of cyber-enabled crimes within the jurisdiction of the Court[1] (namely, aggression, genocide, crimes against humanity, war crimes and crimes against the administration of justice), as well as contributing to the development of international jurisprudence and best practices for the prosecution of these crimes.[2]
In this Draft Policy, ‘cyber-enabled crimes’ is used as an umbrella term to cover crimes being committed (perpetrated in terms of Article 25(3)(a) of the Statute) and facilitated (in terms of the secondary modes of liability in Article 25(3)(b)-(c) of the Statute) through cyber-means. This includes information and digital communications technologies or networks, including AI – a.k.a. non-physical, kinetic or traditional forms.[3] Particularly, the Draft Policy includes the observation that the accessory mode of liability corresponding to contributions to crimes committed by groups acting with a common purpose under Article 25(3)(d) (Common purpose liability or ‘CPL’), might be especially effective in prosecuting conduct facilitating cyber-enabled crimes. This is due to ‘their factual nature and the circumstances in which they may often be committed.’[4] This statement raises certain concerns that are discussed herein: mainly, the unclear factual and legal basis of this generalization, as well as the possible meta-legal considerations driving this assertion.
Firstly, whatever the virtues or pitfalls of CPL as a mode of liability, it is unclear which method or factors the OTP is using to deem CPL as especially effective to prosecute accessories to cyber-enabled crimes. The Policy does not provide specific hypotheticals to back up its claim or demonstrate how it envisions such situations, apart from a mere reference to military units assisted by cyber operators (which also applies in relation to aiding and abetting.) As a general consideration, the Chambers of the ICC have defined CPL as a residual mode of liability, in the sense that it encompasses contributions to a crime that do not fall within subparagraphs (a)-(c) of Article 25(3).[5] This residual characterization stems from the wording of Article 25(3)(d) which refers to contributions ‘in any other way’.
A disputed aspect of CPL is the required level of contribution to the crime. Chambers have debated whether there is indeed a threshold or not.[6] One view is that this type of liability requires at least a ‘significant’ contribution to the crime,[7] as opposed to any type of contribution; another view rejects this requirement.[8] In any case, even the Chambers that have rejected the ‘significant’ standard have recognized the need of a case-by-case analysis of the specific context and the links between the contribution and the commission of the crime.[9]
Furthermore, this form of accessory liability relies on the principal liability of crimes committed by the commission of crimes by a group of persons acting with a common purpose.[10] The ‘common purpose’ that unites the members of the group does not need to be criminal in itself, and the person contributing does not need to be a member of the group. However, the contribution must be made to the crimes specifically rather than to the group in general.[11]
As for the mens rea element, the contribution to the crime must be intentional. Moreover, for the contribution to be criminal the person must (i) intend to further the group’s criminal activity or (ii) at least know of the group’s criminal intention.[12] Thus, the fact that mere knowledge of a group’s criminal activity (and specific crimes) allows for liability presents an opportunity to criminalize outsiders, who where not involved in the common plan.[13] In relation to this, CPL differs from aiding and abetting – another form of secondary liability – in Article 25(3)(c).[14] This mode of liability does not require a specific threshold of contribution but demands a specific type of intent: the purpose to facilitate the commission of the crime. In contrast, it has been argued that CPL (at least the form contained in Article 25(3)(d)(ii)) is the less onerous form of accomplice liability to establish under the current framework.[15]
There are interesting proposals surrounding the potential of CPL as a proper way to address complicity in international crimes, such as that of arms traffickers, as proposed by Tomas Hamilton. However, he argues that those operating electronically and from a location remote from where the crimes take place – for example, via an online platform –, have a stronger claim to be ignorant of specific crimes.[16]
In this light, it is also not clear what the OTP’s definition of effective is. Generally, the quality of being effective refers to the chances of success or of achieving a desired result. How can this be translated into this discussion? The forms of individual criminal responsibility contained in Article 25(3) – modes of liability – are meant to acknowledge that international crimes involve multiple actors whose roles vary in kind and gravity.[17] Moreover, they are inherently linked to the principles of culpability (holding someone accountable for their specific actions) and fair labelling (accurately reflecting their level of involvement in the commission of the crime).[18]
From such a view, the effectiveness of CPL would be accurately portraying the role a person played in the commission of a crime. But one can also argue that determining a priori a mode of liability as the most effective for a certain type of cases on vague parameters such as ‘their factual nature and their circumstances in which they may occur’ precisely fails to recognize the reason why the differentiated modes of liability even exist. There might also be another meaning of effectiveness according to the OTP. Cyber-space presents special challenges for collection of evidence that allows for attribution of criminal conduct, such as anonymity, and horizontal/fluid networks of communication.[19] As has been argued elsewhere, the Draft Policy only briefly addresses the problem of attribution in this specific environment and lacks a substantive solution for this issue.
In light of these challenges, CPL’s status as a residual mode of liability requires the lowest evidentiary standards for a conviction. Is this convenient ‘solution’ what the OTP refers to with effectiveness? After all, the Draft Policy is a reflection of the current Prosecutorial Strategy,[20] which holds as its highest strategic goal: ‘Delivering results in the courtroom’, namely by achieving a ‘higher rate of conviction’.
Be that as it may, CPL has only been applied in two convictions in the history of the ICC: Katanga and Al Hassan. Thus, the empirical test does not particularly hold for the OTP’s affirmation, either. Arguably, a prosecutor should first investigate a person’s action and evaluate their participation in the crime to charge the most appropriate mode of liability, in an objective, independent and impartial fashion.[21] The potentially problematic issue is that the OTP might be taking a utilitarian view of modes of liability for complex cases such as that of cyber-enabled crimes, to achieve a higher number of convictions with the lowest objective evidentiary requirements, circumventing the more difficult questions of individual criminal responsibility.
Professor Marko Milanovic (who currently serves as Special Advisor to the Prosecutor on the matter at hand), pointed out that the drafters of the Policy aimed to balance new interpretations with ‘saying too much’ as that would result in practical problems for future cases on technicalities that have not been settled in the State Parties. On the other hand, the same Policy states that the considerations therein will likewise be of potentially general application to ensure best practices,[22] which justifies further scrutiny.
Finally, in terms of mere legal certainty, we should be cautious in generalizing CPL as appropriate for the complex, ever-evolving paradigm of cyber-enabled crimes. Given its controversial nature and the fact that some key elements of this mode of liability have yet to be materialized in a consistent jurisprudential strand,[23] we might see some relevant changes in the concept as we know it.
[1] Office of the Prosecutor, Draft Policy on Cyber-Enabled Crimes under the Rome Statute (6 March 2025), paragraph 3(a).
[2] idem, paragraph 3(g).
[3] idem, paragraph 20.
[4] idem, paragraph 84.
[5] Prosecutor v Germain Katanga, Judgement pursuant to article 74 of the Statute (7 March 2014) ICC-01/04-01/07 [1618]; Prosecutor v Thomas Lubanga Dyilo, Decision on the Confirmation of Charges (29 January 2007) ICC-01/04-01/06-803 [337]; Prosecutor v Callixte Mbarushimana, Decision on the Confirmation of Charges (16 December 2011) ICC-01/04-01/10-465 [278]; Prosecutor v Ruto et al (Decision on the confirmation of charges) ICC-01/09-01/11 (23 January 2012) [354]; The Prosecutor v Al Hassan Ag Abdoul Aziz Ag Mohamed Ag Mahmoud, Trial judgement (26 June 2024) [1243].
[6] Marjolein Cupido, ‘Group Acting with a Common Purpose’ in de Hemptinne and others (eds) Modes of liability in international criminal law (Cambridge University Press, 2019).
[7] idem, 25.
[8] idem, 325-26.
[9] Al Hassan (n 6) [1244].
[10] Otto Triffterer and Kai Ambos ‘Rome Statute of the International Criminal Court: A commentary’ (C.H. Beck, Hart, Nomos, 2016), 372.
[11] idem, 382.
[12] Elies van Sliedregt, ‘Individual Criminal Responsibility in International Law’ (Oxford University Press, 2012), 146.
[13] idem.
[14] Cupido (n 7), 22.
[15] Tomas Hamilton, in ‘The Arms Trade and International Criminal Law: Reframing Accountability for Complicit Weapon Suppliers’ (Oxford University Press, 2025), 74.
[16] idem, 98.
[17] Miles Jackson, ‘The Attribution of Responsibility and Modes of Liability in International Criminal Law (2016) 29 Leiden Journal of International Law 879, 892-93.
[18] Gerhard Werle and Boris Burghardt, ‘Establishing Degrees of Responsibility: Modes of Participation in Article 25 of the ICC Statute’ in Elies van Sliedregt and Sergey Vasiliev (eds) Pluralism in International Criminal Law (Oxford University Press, 2014).
[19] Marco Rosini, ‘Gravity in the Statute of the International Criminal Court and Cyber Conduct that Constitutes, Instigates or Facilitates International Crimes’ (2019) 30 Criminal Law Forum 247, 256-58.
[20] Regulations of the Office of the Prosecutor, Regulation, 14.2.
[21] Office of the Prosecutor, Policy Paper on Case Selection and Prioritisation (15 September 2016) paragraph 16.
[22] Draft Policy (n 1), paragraph 90.
[23] Cupido (n 7), 321; Hamilton (n 16), 89.
