Sunday, January 15, 2017

Cyber Crime, or Not Cyber Crime

I came across this interesting hypothetical recently. It poses some fertile ground for debate.

A man - we'll call him P - received a message over the Internet.  It really doesn't matter if it was an email, a tweet, a Facebook message, or whatever. What was important was that, embedded in the message, was a strobing light. He opened the message, the light started to flash and P had a seizure. The hypothetical poses the question, "is there a tort (or, perhaps, a violation of the law) here?"

Let's start with the issues.  First, there is the act of D subjecting P to a strobe light that, in some people - certainly in P it would appear - triggers seizures.

Second, the "delivery" mechanism was the Internet message.

Now the rules.  Assault and battery come to mind. Assault is placing P in apprehension of an imminent harmful contact while battery is the contact itself.

Analysis.  Certainly, assuming that P is aware of what is going to happen but is unable to avoid it, there is a brief period of fear of the consequence of the light. That sounds like assault to me.

However, we may assume that not everyone in the world will suffer seizures from a flashing light. That is a unique response and it is tied to certain types of brain/nervous system disorders. So D had no way of knowing that P would respond as he did. It doesn't matter.  This is an example of the "eggshell skull" that says, basically, D has to take his or her victims as he or she finds them. D is just as liable for an eggshell P as if P was not uniquely susceptible to the flashing light.

It also is battery because the contact occurred.  Now comes the first opportunity for debate... first, is a strobe light flashing in the face of P a "contact"? Let's start with the Restatement (Second) of Torts, §18 cmt c, Battery: Offensive Contact:
Since the essence of the plaintiff's grievance consists in the offense to the dignity involved in the unpermitted and intentional inviolability and not in any physical harm done to his body, it is not necessary that the plaintiff's actual body be disturbed.
We could argue lack of intent given that D did not intend to harm P. However, he did intend to send the message with the flashing light so the best face we can put on this is negligence on the part of D. There also may be an argument that, while battery might have occurred, it is an open question as to whether it was preceded by an assault.

The next point of debate is whether or not a battery can be delivered over the Internet since there was no direct - or one might argue - indirect contact with P's person, even in the context of Rest. 2d §18 cmt. c. One also might argue, however, that the light did make contact with P, through his eyes, certainly a part of his body. The light was initiated by D and delivered over the Internet so the Internet becomes only a delivery mechanism.

Moving into the theory of law that addresses this hypothetical, we might query such things as legislative and judicial intent in defining the legislative acts and judicial interpretation in case law. Certainly, the intent of laws prohibiting battery is to insure that people can be safe in their persons. 

Also, if we are to consider negligence, we must address foreseeability. Was it reasonably foreseeable that sending a message with flashing lights would cause harm? There is no requirement of which I am aware that requires foreseeability of a specific outcome of a negligent act.  In this case we could consider a number of scenarios where harm might be caused without resorting to an analysis of epilepsy.  

Suppose that a person was driving while reading messages on her mobile phone - never a good idea, of course, and illegal in some jurisdictions - and is pulled up at a stop light. She is so surprised when she opens the message that she takes her foot off of the brake and strikes a pedestrian with her car. There probably are several other scenarios as well.  I think that we can consider that some consequence of D's action is foreseeable.

This hypothetical is an excellent example of those knotty problems that we encounter as the law moves into the realm of cyberspace. An extension of this hypothetical is, can one commit murder over the Internet? For, example, suppose D hacks into a hospital system, accesses critical instruments for preserving life during surgery, and during surgery on victim V the equipment fails and V dies as a result.

The point here is that we need to rethink much of our system of law in the context of cyber science. Knee-jerk reactions to cyber-related crimes or torts is not adequate and there is a real danger of making bad - and, certainly, inconsistent - law as a result.

Monday, November 21, 2016

Tools of Analysis: Proving the IRAC - A Request for Comments

IRAC is a familiar construct to law students.  It is a method for analyzing a fact pattern in the context of potentially applicable law.  It consists or identifying the elements of a fact pattern and playing them against the elements of a law, tort, contract, and so on.  IRAC stands for:
  • Issue - the issue within the fact pattern that you wish to test
  • Rule - the rule or element of law against which you want to test the issue
  • Analysis - Your analysis of the Issue in the context of the rule that you've selected
  • Conclusion - Your conclusion based upon your analysis
While this is very common fare in law school, it almost never is used by lawyers except as a way of seeing things based upon years of using it in school.  In short, it is a way of looking at the law that becomes subconscious habit after "IRACing" hundreds of fact patterns.

As we move forward with our development of a cyber jurisprudence, we will be analyzing issues - cases, law, and so forth, formally.  In formal analysis we need a set of starting points.  We call those axioms.  When we can prove a proposition to be formally - i.e., mathematically or logically - correct we can apply it axiomatically.

We need a starting point for the logical framework that we will develop and I have chosen the IRAC because of its universal applicability to our deliberations.  Using IRAC we can develop theories, test hypotheses and, in short, arrive at a framework for applying the law to cyber science. What follows is a proof of the IRAC.  Once we have established its correctness, it becomes available for us to use as our Axiom 1.

I should add, at this point, that, as far as I know, nobody has done this so it is quite conceivable that I am wrong in one or more steps.  If you believe that to be the case, please ring in with your proposed correction. I am viewing this as a draft at this point so feel free to pick nits.

IRAC Proof


·        I = Issue
·        R = Rule
·        A = Analysis
·        C = Conclusion

The terms “plaintiff” and “defendant” in tort or contract law equate to “prosecution” and “defendant” in criminal law for the purposes of this proof.

Proposition 1:

A conclusion may be drawn as to the legal consequences for a plaintiff or a defendant by analysis of a rule applying to an element of a fact pattern.


S1.  An issue is an element of a fact pattern.
S2.  If an analysis of the issue shows that there is a rule that applies to the issue, the issue has legal relevance.
S3.  A conclusion as to legal consequences may favor a plaintiff or a defendant.
S4.  A conclusion cannot favor both the defendant and the plaintiff simultaneously. (Impossibility thesis)
S5.  If the relevant actions by the defendant are described by a rule, the defendant may bear the legal consequences.
S6.  If  the relevant actions by the defendant are not described by a rule, the defendant may not bear the legal consequences.
S7.  Therefore, based upon analysis of an issue in light of a rule, a conclusion may be reached (from S1, S2, S3)
S8. Therefore, analysis of the relevant rule and the issue enables a conclusion that favors either the defendant or the plaintiff. (from S2, S3, S4)
S9.  Therefore, if analysis of the rule relevant to the issue concludes that the rule describes the defendant’s actions in the fact pattern as culpable is true, then that the defendant must bear the legal consequences is true. (from S3, S4, S6, S8)
S10.  Therefore, if the conclusion is that the defendant must bear the legal consequences is true, the conclusion that the plaintiff must bear the legal consequences is false. (from S4, S8, S9)

This does not take into account extensions such as shared liability. Those are for further proof once the IRAC as it sits is established as our Axiom 1.  Axioms should be as simple as possible to allow for universality without losing the capability of specificity.

About Cyber Law

This posting is certain to be controversial.  The reason is that we have allowed the notion of cyber law to evolve in a serendipitous manner, sort of "...growin' like Topsy" until we have an interpretation that admits of any law that has anything to with computing or activities in cyberspace as being in the purview of cyber law. That, really, from a jurisprudential perspective is an oversimplification.

In my first posting I quoted the Cyber Laws web site ( as defining cyber law a bit more concisely:

... legislation, legality, and practice of lawful, just, and ethical protocol involving the internet, as well as alternate networking and informational technologies.

This sounds a lot like aspects of cyber science.  But it also could mean just about anything - taken very broadly - that happens in cyberspace. We were pretty specific - and will be much more formal in a future posting - about what we mean by cyber science.  You may recall that cyber law is an aspect - an element - of the family Cyber-Social.  If we look closely at our working definition of cyber science, we are reminded that:

Cyber science is concerned with the study of phenomena caused or generated by the cyberworld and ... cyber-social ... world[s], as well as the complex intertwined integration of cyber physical, social and mental worlds.

So, we begin with the premise that the phenomena with which we are concerned are "...caused or generated by the cyberworld and ... cyber-social ... world".  What that says, on its face, is that some phenomenon spawned in physical space and transported to cyberspace is not cyber science nor is it subject, exclusively, to controls present in cyberspace.

That is not to say that such controls may not have a place here - think about the intersection of the cyber and physical spaces - however, that does not mean that we are describing cyber law.  In fact, accepted law from physical space might be perfectly applicable without any changes explicitly to accommodate cyberspace.

To complicate matters, however, there may be constraints present in cyberspace that do not exist in physical space. I am speaking about events in cyberspace that could not have occurred in physical space.

For example, I cannot remotely hack a computer in physical space unless there is a cyber component present.  However, if I hack the same computer sitting on my cube-mate's desk by sitting in his chair and hacking his password I really don't need much of a cyber component (that's arguable, I know, but let's save the debate for another time after we have roughed out the concepts here).

So do I need a cyber law to cover this eventuality? Let's blue-sky a bit.... what if I submit that the local hack - sitting at my cube-mate's desk - really is trespass? If so, trespass to what? Chattels? Land?  Is the computer a sort of virtual land? If I get in, is it burglary? If I steal his credit card information is it larceny? Robbery? Theft?  Something else?

But in any case, do I need a cyber law to tell me that I have committed a computer crime? Or, do I need an informed way to interpret the facts in light of existing law?

The FBI for years - it may still for all I know - defined a computer crime as a crime against a computer. In my book Investigating Computer Related Crime (CRC Press) I took the position that a crime against a computer was just that: a crime against the computer itself... not the data in it, nor the person who owns the data. So if this is not a computer crime - and we'll take that up in a future posting - does it need a cyber law? Or is this a crime, not against the computer, but against the user's password?

The specificity of the password as a unique object is settled in law. A password may exist only in its owner's mind or it may exist as a written notation or document. (In re Grand Jury Subpoena (Boucher), 2007 U.S. Dist. LEXIS 87951 (D. Vt. Nov. 29, 2007)) In either case, the law acknowledges the existence of a password and, thus, it can be attacked as an entity separate from the device it protects.

Now, let's move our hacker out on the Internet.  There is no way that the hacker can reach the victim computer without resorting to cyberspace, at least for transport.  This, clearly, meets our definition of cyber science. We have the intersection of phenomena that is generated by the interaction of the cyber-physical (the Internet, victim computer and the hacker's computer) and cyber-crime (among other elements in the Cyber-Social family).

We have no specific law in the physical space that admits of these elements without some fairly broad interpretation.  There are elements that are not necessarily present in similar endeavors in physical space such cracking the password.  "Wait!" you say. "A burglar using a set of pick-locks to break through a locked door is exactly the same." Is it? Can the burglar use her pick-locks from Michigan to Moscow without visiting Moscow physically? This is more analogous to the example of the computer on my cube-mate's desk while I'm sitting in his chair and, in that example, I would agree.

But the remote hack of a computer on the other side of the world could not take place outside of cyberspace so specific provisions of the law must be a consideration. We tried that with the Computer Fraud and Abuse Act (18 USC § 1030) and the long-term benefits have yet to show themselves. Why? Simply because the Act is too specific (OK... this will generate another debate I'm sure).  It was not built to anticipate very rapid advances in technology and societal changes in how that technology is used.

In terms that Detroit automakers would understand since they have been the target of those terms, § 1030 had built-in obsolescence. Like Detroit, that was an unintended consequence of other actions. But consequence it was and the law is hopelessly out of date since its enactment in 1986, 30 years ago. Written as it was, it would have been nearly impossible to write a law that would anticipate the state of technology or of the societal uses of it 30 years hence.

Taking a jurisprudential view of the development of cyber law that actually fits and grows with a living technology is critical to avoiding obsolescence, planned or not.  It also is necessary in parsing the difference between sitting at a computer and accessing the computer from across the world, even though the act at the victim computer itself might be the same.

So, in a nutshell, cyber law must address cyber science directly or it is not cyber law.  If it must address an intersection of events that have one foot in cyberspace and one in the physical space, we need a way of interpreting the cyber pieces consistently with the physical pieces and always in keeping with the theory and philosophy that developed the law(s) in the first place.

Saturday, November 19, 2016

About Cyber Science

One of the issues - among others - in cyber jurisprudence is what we mean by cyber science.  In the first posting I gave a pretty good working definition (you can go back to that posting for the informal citation):

Cyber science is concerned with the study of phenomena caused or generated by the cyberworld and cyber-physical, cyber-social and cyber-mental worlds, as well as the complex intertwined integration of cyber physical, social and mental worlds.

Now we need to elaborate on that and the paper from which that quote came is a very good starting point.  The problem is that there is a connection between cyberspace and physical space (or what used to be called "the real world" before we started accepting, de facto, that the real world includes cyberspace)  that is hard to ignore.

For example, before we dive back into the paper quoted from in my first posting, lets look at cyber criminology.  I debated for some time - and at least once in a formal debate - with my criminal justice colleagues at Norwich University whether the discipline of cyber criminology even exists.  Their position was that criminology is criminology.  Period.  Full stop.  There can be but one criminology and, while there may be specific specialized skill sets in play from subject area to subject area, it all is criminology.

However, K. Jaishankar in Cyber Criminology - Exploring Internet Crimes and Criminal Behavior (CRC Press, 2011) begs to differ. Jaishankar defines cyber criminology very specifically (page xxvii):

The study of crimes that occur in cyberspace and its impact in the physical space.

He goes on:

I academically coined the term cyber criminology for two reasons. First, the body of knowledge that deals with cyber crimes should not be confused with investigation and be merged with cyber forensics; second, there should be an independent discipline to study and explore cyber crimes from a social science perspective.

So, why should we care about Jaishankar's definition and reasoning in the context of cyber science? Simply because it acknowledges some important points. First, there is a sociological component to cyber crime that should be considered in cyberspace, physical space and their intersection.  Second, and perhaps most important to our consideration of cyber science, although cyberspace and physical space interact and influence each other, they are separate domains, each with its own constraints.

Even though there may appear to be similarities, similar is not the same as equal.  Events in cyberspace are unique.  Events in physical space are unique.  Where they overlap we have decisions to make.  In the law those are jurisprudential - philosophical and theoretical - decisions and they help us parse the cyber from the physical just as Jaishankar has with cyber criminology.

Hopefully, by this jurisprudential parsing of the cyber from the physical with due consideration for their intersection(s), we can arrive at legal constructs that assist jurists, litigators and legislators in interpreting existing law and, where necessary, creating new or modified laws to address cyber science as necessary.

Returning to cyber science

The authors of the paper divide cyber science into four broad categories, or families, each of which has sub-categories, or elements, based upon specific disciplines.  The families are:

  1. Fundamental
  2. Cyber-Physical
  3. Cyber-Social
  4. Cyber-Mental

The relationships between the families is shown in a table which I quote directly from the paper (Table 1 in the paper).

As we can see, this definition of cyber science broadly fits the criteria established by Jaishankar as prerequisites for cyber criminology and offers a rich field of exploration for jurisprudential analysis. For example, the authors explicitly call out Cyber-Law as an element of the family, Cyber-Social.

This legitimizes - but only as a starting point - a rough definition of cyber science.  It leaves us some room both to refine and grow into a solid, formal definition of cyber science and that we will do in a future posting.

Thursday, November 17, 2016

Driving a Stake in the Ground: What is Cyber Jurisprudence?

Cyber jurisprudence is not well-defined as a discipline and, moreover, is not at all well-understood. To get to a useful definition of the term we need to understand some other terms and where they fit (or don't fit).

Cyber Science

This is a term that was, arguably, coined by the US Naval Academy but now seems to be used by Annapolis as a synonym for cyber operations. A better definition has been suggested by Wiktionary (

Any scientific discipline that relates to cyberspace, such as cyberpsychology.

Perhaps the best characterization comes from a paper on the IEEE Explore database called Perspectives on Cyber Science and Technology for Cyberization and Cyber-enabled Worlds. Their definition is:

Cyber science is concerned with the study of phenomena caused or generated by the cyberworld and cyber-physical, cyber-social and cyber-mental worlds, as well as the complex intertwined integration of cyber physical, social and mental worlds.

The implication is that in order to be cyber science, a discipline must be totally integrated with cyberspace.  That means that - even though there might be antecedents in other natural sciences or mathematics, in order for a discipline to be considered a cyber science it must have a primary dependency that is carried out exclusively in relation to cyberspace.

Cyber Law

Cyber law seems to be inclusive of everything that has anything to do with computers.  That, unfortunately, is such an oversimplification as not to be useful. The Cyber Laws website ( has a definition that approaches usefulness:

... legislation, legality, and practice of lawful, just, and ethical protocol involving the internet, as well as alternate networking and informational technologies.

In short, cyber law deals exclusively with cyber science.

Unfortunately, there are other definitions that blur the point of defining cyber law by including anything that happens in cyberspace.  So a case of defamation - carried out on a Facebook page - becomes a cyber tort simply because it occurred online. However, where is the difference between printing the defamatory statement on Facebook (or Twitter or any other social media site) and in the Wall Street Journal?

One might argue that Facebook has a broader audience than the Journal, but that is of no import. Defamation requires publication only to a third party.  Damages might well be decided by the breadth of dissemination, but there is no difference, prima facie, between defamation on Facebook and in a widely-distributed newspaper.

In short, cyberspace neither was a necessary nor a sufficient means for determining that the example required a special cyber law to prosecute the tort of defamation.


Jurisprudence, simply put, is the science, philosophy and theory of the law.  It often is taken by lay persons as a synonym for the law itself but, in reality, it is a more philosophical approach to why we have laws, what does it mean to have (or be) laws and what is the theory behind such laws.

Returning to Cyber Jurisprudence

With those supporting definitions in mind, we return to the question of what cyber jurisprudence is. Stitching the definitions together we get that it is the theory and philosophy of cyber law. Since cyber law deals exclusively with cyber science we get that cyber jurisprudence deals with the theory and philosophy of the law as it relates to cyber science.

Thus, to be included in a study of cyber jurisprudence we must address cyber science, the law and the theory and philosophy of their intersections.  That is what we will do as this blog progresses.