Private technology companies now exercise operational influence in armed conflict, e.g., through control of digital infrastructure, satellite connectivity, artificial intelligence systems, cybersecurity and cloud computing networks that states rely on during hostilities. Existing legal frameworks, such as public international law and corporate social responsibility frameworks, appear institutionally unprepared for this reality, which exposes an uncomfortable concentration of strategic authority in private entities that were never designed to exercise war-related power.

Share

Newsletter Issue 88

The private tech company controversy

Private technology companies now wield operational influence in armed conflict that many states once considered an exclusive sovereign power. Decisions taken inside corporate boardrooms can affect military capability during active hostilities. Law has not fully caught up with this reality, yet the consequences are already visible in current world conflicts.

Public international law was designed with states and armed forces in mind; however, the legal framework governing armed conflict already contains rules that extend far beyond uniformed combatants. The rules contained under article 52 of the Additional Protocol I to the Geneva Conventions establish that objects become military objectives when they make an effective contribution to military action and when their destruction offers a definite military advantage.

Modern digital infrastructure exists directly within that legal logic. Corporate satellite networks, private intelligence platforms, and cloud computing systems can become operational components within a conflict environment even though they remain privately owned.

Technology companies therefore operate in a complex legal and political space where corporate decisions intersect with international humanitarian law, sanctions regulations, and corporate social responsibility.

When a private technology company decides who gets connectivity, cloud computing, satellite imagery, or defensive cyber services during an armed conflict, that company is not merely providing a service; it is exercising a form of power that can affect military operations and diplomatic outcomes.

Existing laws already have mechanisms that can treat parts of that conduct as connected to the conflict.

The argument that the law does not already label technology firms as belligerents, because international humanitarian law still distinguishes civilians from combatants and civilian objects from military objectives. The law still treats civilian protection as the default.

However, the law is also clear that effects and contributions matter, and business and human rights standards likewise focus on adverse impacts and due diligence rather than on corporate self-description.

The private capabilities that now steer conflict

Let us reflect on commercial satellite connectivity. In plain terms, the same terminals and network can connect civilian services and also carry command communications, drone video, and targeting-related data. It was reported in June 2023 that the United States Department of Defense purchased satellite communications services from Starlink for Ukraine, and it was later reported in July 2025 that a global Starlink outage disrupted Ukrainian military communications, which is a reminder that dependence on a single private network can become an operational reality.

Control over that service is not a nominal issue. It was reported on 25 July 2025 that Elon Musk ordered the deactivation of Starlink coverage in specific occupied areas during late September 2022, and that the resulting blackout impaired Ukrainian operations. It was also reported in September 2023 that Elon Musk refused a request linked to Starlink use near Crimea for an attack on Russian forces.

Read our previous newsletter on the use of autonomous weapons and the proliferation of AI in armed conflicts.

Technology Law

The Human Cost of Giving AI the Right to Kill Through Autonomous Weapons

Automation is disrupting the battlefield, and autonomous weapons and AI are getting closer to making life-and-death decisions on their own. This newsletter unpacks what that means for international law, human responsibility, and the future of war. We break down the key takeaways from a recent peer-reviewed journal article on autonomous weapons systems a…

Read more

10 months ago · 2 likes · 1 comment · Technology Law

Commercial earth observation falls into the same strategic category because high-resolution satellite imagery can be public record and intelligence, and providers can decide when imagery is released and who can access it.

On 5 April 2026, it was reported that Planet Labs would indefinitely withhold imagery of Iran and surrounding conflict areas at the request of the United States government, and that a broader effort was underway to limit access to conflict imagery through distribution controls by providers that depend on government demand.

Information control is not only a Western problem. The Washington Post reported in April 2026 that private firms in China were marketing intelligence products on the Iran war, using satellite imagery and open-source data with artificial intelligence analysis, and the report described how private actors can amplify wartime information dynamics while states preserve formal distance.

Access controls also appear through government distribution channels. Reuters reported on 7 March 2025 that the United States government temporarily disabled Ukraine's access to commercial satellite imagery delivered through a United States government distribution programme, with the National Geospatial Intelligence Agency confirming the action, and the reporting described this as a pause implemented via the private provider Maxar.

Technology firms can also become strategic actors when they build systems for intelligence and defence customers, because private capability becomes state capability through procurement.

It was reported in March 2024 that SpaceX was building a network of spy satellites for the National Reconnaissance Office under a contract associated with Starshield, illustrating how corporate infrastructure can become intelligence infrastructure with limited public visibility.

Cyber operations and information operations sit alongside these tech systems. Microsoft describes nation-state cyber threats and influence operations in its Digital Defence Report; the United Nations has endorsed norms of responsible state behaviour in cyberspace through its expert process; and influential legal scholarship has examined how existing international law applies to cyber operations, including through the Tallinn Manual 2.0.

International humanitarian law already has categories for these actions

International humanitarian law applies based on facts, not labels, and a widely cited reference point is the Tadic Appeals Chamber, which described armed conflict as a resort to armed force between states or as protracted armed violence involving organised armed groups.

The rule that matters most for private technology infrastructure is the rule on civilian objects. Article 52 of Additional Protocol I to the Geneva Conventions 1949 states that civilian objects are all objects that are not military objectives, and it defines military objectives as objects that, by their nature, location, purpose, or use, make an effective contribution to military action and whose destruction offers a definite military advantage.

Digital infrastructure fits inside that logic without any need to invent new legal categories.

A satellite ground station, a data centre, or a particular communications link can remain protected as a civilian object in many settings, and that same object can become a military objective when it is used in a way that makes an effective contribution to specific military operations, which is why private assets can enter the targeting calculus even when privately owned.

The human side of the same problem is captured by the rule that civilians lose protection from direct attack for so long as they take a direct part in hostilities, and the International Committee of the Red Cross’s interpretive guidance explains direct participation through a threshold of harm, direct causation, and a nexus to hostilities.

When a company becomes an arm of a state

Responsibility debates often turn on attribution. The International Law Commission Articles on State Responsibility provide that conduct carried out on the instructions of, or under the direction or control of, a state is attributable to that state. The commentaries also underline that attribution can exist even when the conduct is performed through private entities.

Case law illustrates contested thresholds. In Nicaragua v. United States of America, the International Court of Justice rejected attribution of all contra conduct to the United States despite extensive support, relying on an effective control approach focused on control over the specific operations, while the International Criminal Tribunal for the former Yugoslavia Appeals Chamber in Tadic ruled on an overall control concept in its own context, and academic analysis has compared these standards and their implications for state responsibility.

This framing matters when governments use private technology services as policy instruments. A government request to restrict satellite imagery distribution, a government decision to purchase and configure military connectivity from a commercial provider, or a government direction to pause intelligence sharing can become part of the factual record of state action, and those facts frame legal responsibility debates even when the public narrative focuses on the vendor rather than on the state.

Accountability arrives through regulation long before it arrives through courts

Domestic regulation often reaches companies first, because sanctions and export controls are designed for speed. In the United Kingdom, the Sanctions and Anti-Money Laundering Act 2018 is the framework statute for sanctions, and government guidance outlines licensing controls for exports of dual-use items, including software and technology. The European Union also controls exports and related services for dual-use items as part of a peace and security regime.

The United States provide similar leverage. The International Emergency Economic Powers Act provides statutory authority to act against an unusual and extraordinary threat originating outside the United States after a national emergency is declared, and this authority underpins sanctions and restrictions that can affect technology services and cross-border commercial activity.

Read our newsletter on accountability in space.

Technology Law

Space Law Since 1967 With Aspirations Written, But Accountability Missing

International space law has become an uneven patchwork of commitments, voluntary guidelines, and contested interpretations, and yet the newly released United Nations treaty booklet presents it as a comprehensive and reliable framework. Such presentation conceals persistent gaps in compliance, the limits of enforcement, and the reality that non-binding g…

Read more

7 months ago · 6 likes · 2 comments · Technology Law

Corporate responsibility frameworks have become compliance architecture rather than rhetoric. The UN Guiding Principles on Business and Human Rights mention a corporate responsibility to respect human rights through due diligence and remediation. The OECD Guidelines for Multinational Enterprises on Responsible Business Conduct embed risk-based due diligence as a government-backed expectation across products and services. The European Union Corporate Sustainability Due Diligence Directive entered into force in July 2024 with the stated aim of requiring companies to identify and address adverse human rights and environmental impacts across operations and value chains.

Litigation remains a narrower and contested route, particularly in the United States. Kiobel v. Royal Dutch Petroleum Co., 569 U.S. 108 (2013), applied a presumption against the extraterritorial application of the Alien Tort Statute. Jesner et al. v. Arab Bank, PLC, 584 U.S. 241 (2018) held that foreign corporations cannot be defendants under the statute. Nestle USA, Inc. v. Doe et al. 593 US _ (2021) rejected an Alien Tort Statute claim where the conduct relevant to the statute's focus did not occur in the United States, and further commentaries have described how these decisions narrow pathways for civil accountability for overseas harm.

International criminal law focuses on individual responsibility even when corporate structures sit in the background. Article 25 of the Rome Statute sets out individual criminal responsibility, including forms of participation such as aiding, abetting, or otherwise assisting in crimes within the International Criminal Court's jurisdiction. Article 25 significantly limits the ICC's personal jurisdiction to natural persons, which means corporate accountability questions often depend on domestic criminal law, domestic corporate liability rules, or regulatory action rather than on direct international prosecution of companies.

What ordinary people are left holding

Civilians have become users of wartime critical infrastructure whether they want that status or not, because the same services that keep hospitals connected and families communicating can also carry military communications and operational data.

Reporting on Starlink control during the war in Ukraine and on commercial imagery restrictions during the Iran war shows how quickly a commercially marketed service can become an operational dependency, and how quickly access can become subject to executive decisions, government requests, and platform-level restrictions that sit outside most public oversight.

Public regulation is not aligned neatly with conflict realities, and the gaps are sometimes explicit. The European Union AI Act entered into force on 1 August 2024 and will become fully applicable on 2 August 2026, with phased obligations. Importantly, article 2(3) of the AI Act excludes certain military, defence, and national security uses, and the official text explains that public international law is the more appropriate primary framework for military and defence activities involving lethal force.

Recurring governance issues appear across these themes, even when the technologies differ, for example:

• allocation decisions that determine where connectivity or data is available and on what terms;

• contract terms that constrain service refusal or embed security controls for particular government entities;

• access controls that limit who can see high-resolution imagery, threat intelligence, or location data during active hostilities

Private technology companies now sit inside the operational environment of armed conflict. Infrastructure owned and operated through corporate platforms now carries military communications, processes intelligence data, and controls access to digital systems that governments rely upon during hostilities. International humanitarian law, including the rules on military objectives, already recognises that objects which make an effective contribution to military action may enter the legal calculus of war.

Legal responsibility, therefore, extends beyond traditional battlefields and into corporate systems that support modern conflict operations. Corporate conduct, regulatory oversight, and public international law now intersect in ways that affect civilians, governments, and companies simultaneously.

Public debate about warfare rarely includes the legal implications of privately owned technology infrastructure. Greater scrutiny of that relationship encourages a deeper understanding of how modern conflict actually operates and how law responds when corporate power intersects with armed force.

Please post your comments, as this is a subject that deserves public scrutiny rather than remaining buried in contracts and closed briefings.

Leave a comment

This newsletter includes references and links to external sources for informational and educational purposes only. Inclusion of these sources does not constitute endorsement, approval, or verification of their views, accuracy, or conclusions. Responsibility for the content of the referenced materials remains solely with the original authors and publishers.