Monday, November 21, 2016

About Cyber Law

This posting is certain to be controversial.  The reason is that we have allowed the notion of cyber law to evolve in a serendipitous manner, sort of "...growin' like Topsy" until we have an interpretation that admits of any law that has anything to with computing or activities in cyberspace as being in the purview of cyber law. That, really, from a jurisprudential perspective is an oversimplification.

In my first posting I quoted the Cyber Laws web site ( as defining cyber law a bit more concisely:

... legislation, legality, and practice of lawful, just, and ethical protocol involving the internet, as well as alternate networking and informational technologies.

This sounds a lot like aspects of cyber science.  But it also could mean just about anything - taken very broadly - that happens in cyberspace. We were pretty specific - and will be much more formal in a future posting - about what we mean by cyber science.  You may recall that cyber law is an aspect - an element - of the family Cyber-Social.  If we look closely at our working definition of cyber science, we are reminded that:

Cyber science is concerned with the study of phenomena caused or generated by the cyberworld and ... cyber-social ... world[s], as well as the complex intertwined integration of cyber physical, social and mental worlds.

So, we begin with the premise that the phenomena with which we are concerned are "...caused or generated by the cyberworld and ... cyber-social ... world".  What that says, on its face, is that some phenomenon spawned in physical space and transported to cyberspace is not cyber science nor is it subject, exclusively, to controls present in cyberspace.

That is not to say that such controls may not have a place here - think about the intersection of the cyber and physical spaces - however, that does not mean that we are describing cyber law.  In fact, accepted law from physical space might be perfectly applicable without any changes explicitly to accommodate cyberspace.

To complicate matters, however, there may be constraints present in cyberspace that do not exist in physical space. I am speaking about events in cyberspace that could not have occurred in physical space.

For example, I cannot remotely hack a computer in physical space unless there is a cyber component present.  However, if I hack the same computer sitting on my cube-mate's desk by sitting in his chair and hacking his password I really don't need much of a cyber component (that's arguable, I know, but let's save the debate for another time after we have roughed out the concepts here).

So do I need a cyber law to cover this eventuality? Let's blue-sky a bit.... what if I submit that the local hack - sitting at my cube-mate's desk - really is trespass? If so, trespass to what? Chattels? Land?  Is the computer a sort of virtual land? If I get in, is it burglary? If I steal his credit card information is it larceny? Robbery? Theft?  Something else?

But in any case, do I need a cyber law to tell me that I have committed a computer crime? Or, do I need an informed way to interpret the facts in light of existing law?

The FBI for years - it may still for all I know - defined a computer crime as a crime against a computer. In my book Investigating Computer Related Crime (CRC Press) I took the position that a crime against a computer was just that: a crime against the computer itself... not the data in it, nor the person who owns the data. So if this is not a computer crime - and we'll take that up in a future posting - does it need a cyber law? Or is this a crime, not against the computer, but against the user's password?

The specificity of the password as a unique object is settled in law. A password may exist only in its owner's mind or it may exist as a written notation or document. (In re Grand Jury Subpoena (Boucher), 2007 U.S. Dist. LEXIS 87951 (D. Vt. Nov. 29, 2007)) In either case, the law acknowledges the existence of a password and, thus, it can be attacked as an entity separate from the device it protects.

Now, let's move our hacker out on the Internet.  There is no way that the hacker can reach the victim computer without resorting to cyberspace, at least for transport.  This, clearly, meets our definition of cyber science. We have the intersection of phenomena that is generated by the interaction of the cyber-physical (the Internet, victim computer and the hacker's computer) and cyber-crime (among other elements in the Cyber-Social family).

We have no specific law in the physical space that admits of these elements without some fairly broad interpretation.  There are elements that are not necessarily present in similar endeavors in physical space such cracking the password.  "Wait!" you say. "A burglar using a set of pick-locks to break through a locked door is exactly the same." Is it? Can the burglar use her pick-locks from Michigan to Moscow without visiting Moscow physically? This is more analogous to the example of the computer on my cube-mate's desk while I'm sitting in his chair and, in that example, I would agree.

But the remote hack of a computer on the other side of the world could not take place outside of cyberspace so specific provisions of the law must be a consideration. We tried that with the Computer Fraud and Abuse Act (18 USC § 1030) and the long-term benefits have yet to show themselves. Why? Simply because the Act is too specific (OK... this will generate another debate I'm sure).  It was not built to anticipate very rapid advances in technology and societal changes in how that technology is used.

In terms that Detroit automakers would understand since they have been the target of those terms, § 1030 had built-in obsolescence. Like Detroit, that was an unintended consequence of other actions. But consequence it was and the law is hopelessly out of date since its enactment in 1986, 30 years ago. Written as it was, it would have been nearly impossible to write a law that would anticipate the state of technology or of the societal uses of it 30 years hence.

Taking a jurisprudential view of the development of cyber law that actually fits and grows with a living technology is critical to avoiding obsolescence, planned or not.  It also is necessary in parsing the difference between sitting at a computer and accessing the computer from across the world, even though the act at the victim computer itself might be the same.

So, in a nutshell, cyber law must address cyber science directly or it is not cyber law.  If it must address an intersection of events that have one foot in cyberspace and one in the physical space, we need a way of interpreting the cyber pieces consistently with the physical pieces and always in keeping with the theory and philosophy that developed the law(s) in the first place.

No comments:

Post a Comment

Leave a Comment