Dr. Greg Bernstein
April 27th, 2021
CyBOK Chapter 3 Law & Regulation
Handbook on European data protection law 2018 edition
Understanding Law and the Rule of Law: A Plea to Augment CS Curricula, by Mireille Hildebrandt, Communications of the ACM, May 2021, Vol. 64 No. 5, Pages 28-31.
From CyBOK Law 1.3.1
Criminal law is the body of law that prohibits behavior generally abhorred by society. Criminal law is normally enforced by an agency of the state. Examples include prohibitions against bank fraud and computer hacking.
From CyBOK Law 1.3.1
Terms such as guilty and innocent are normally reserved as descriptions of verdicts (outcomes) in a criminal case. These terms should not be used when referring to outcomes of civil actions.
From CyBOK Law 1.3.2
Civil law is the area of law that regulates private relationships among and between persons. Examples include the laws of contract and negligence. A person injured as a result of breach of civil law can normally bring legal action against the responsible party.
From CyBOK Law 1.3.2
Dominion Voting Systems files defamation lawsuit against pro-Trump attorney Sidney Powell.
A single act or series of connected acts can create liability simultaneously under both criminal and civil law. Consider the act of Alice making unauthorized access to Bob’s computer. Her actions in turn cause Bob’s LAN and related infrastructure to fail. Alice’s single hacking spree results in two types of liability. The state can prosecute Alice for the relevant crime and Bob can bring a civil legal action against Alice.
From CyBOK Law 1.4
The concept of proof in law is different from the term as it is used in the field of mathematics or logic. This can create confusion in discussions of cyber security topics and the law. In law, to ’prove’ something means simply to use permissible evidence in an effort to demonstrate the truth of contested events to a fact finder to a prescribed degree of certainty.
From CyBOK Law 1.4
Permissible evidence can take a variety of forms. Subject to the rules of different legal systems, evidence might include direct witness testimony, business records, correspondence, surveillance records, recordings of intercepted telephone conversations, server logs, etc.
From Wikipedia: Chain of Custody
Chain of custody (CoC), in legal contexts, is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence. Of particular importance in criminal cases, the concept is also applied in civil litigation and more broadly in drug testing of athletes and in supply chain management…
From CyBOK Law 1.4, also see Wikipedia: Burden of Proof
Beyond a reasonable doubt: Extremely high. Almost incontrovertible. No other reasonable explanation exists to make sense of the evidence. Usually in criminal cases.
Clear and convincing evidence: Reasonably high certainty. Much more than simply ’probable’. Used to overturn a patent, used to challenge a criminal conviction.
From CyBOK Law 1.4
Preponderance of evidence: More probable than not. The most common formulations of the standard of proof required to prevail in a civil case.
Probable cause: The evidence suggests that the target of an investigation has committed a crime, although evidence is not yet conclusive. The standard required in the US to persuade a judicial officer to issue a search warrant or arrest warrant.
From CyBOK Law 1.4
Cyberspace enables persons located in different states to communicate with one another in a fashion that is unprecedented in history. Once-unusual international contacts and relationships have become commonplace. Those who face a potential threat of enforcement by a person in a foreign state must consider a few threshold questions before the relevant legal risk can be analysed: jurisdiction and conflict of law.
Jurisdiction describes scope of state authority and the mechanisms used by a state to assert power. Private international law, or conflict of law, examines how to determine which domestic state law(s) will be applied to resolve certain aspects of a given dispute. This section of the knowledge area discusses jurisdiction. Conflict of law is addressed separately in the context of individual substantive headings of law.
Prescriptive jurisdiction describes the scope of authority claimed by a state to regulate the activities of persons or take possession of property. Law makers normally adopt laws for the purpose of protecting the residents of their home state and may declare their desire to regulate the actions of foreign-resident persons to the extent that such actions are prejudicial to home state-resident persons.
Juridical jurisdiction describes the authority of a tribunal to decide a case or controversy. The rules of such jurisdiction vary widely from tribunal to tribunal. In civil cases, courts usually demand a minimum degree of contact between the residential territory of the court and the property or person against which legal action is taken.
Enforcement jurisdiction describes the authority of a state to enforce law. This is sometimes described as police power, power to arrest and detain, authority to use force against persons, etc. In civil matters, this may describe other methods used to project force over persons or property resident in a territory, such as seizing plant and equipment, evicting tenants from property, garnishing wages, seizing funds on deposit with a bank, etc.
Prejudicial: Causing or tending to cause harm, especially to a legal case (many other definitions)
State: Can mean country, state, province, or territory… (it is not referring strictly to a state in the US)
Tribunal: court, grand jury, some kind of organization where legal cases are decided
States adopting computer crime laws often legislate to include cross-border acts. As a result, it is common for a state with such laws on their books to exercise prescriptive jurisdiction over persons – no matter where they are located – who take actions directed to computer equipment located within the state.
Similarly, persons who act while physically located within the state’s territory are often caught within the scope of the criminal law when conducting offensive operations against computers resident in foreign states. Public international law recognizes such exercises of prescriptive jurisdiction as a function of territorial sovereignty.
From FTC
From CyBOK Law section 3
privacy has been described simply as the right for a person to be free from intrusion by others into personal affairs or the right to be left alone.
Privacy is widely recognized internationally as a human right, although not an absolute right. The right to privacy is conditional – subject to limitations and exceptions. The 1948 Universal Declaration of Human Rights states at Art 12 that, ’No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence…’. Freedom from interference with privacy extends only to ’arbitrary’ interference, which clearly contemplates the legitimacy of ’non-arbitrary’ interference.
Privacy laws often treat metadata differently from content data, usually based on the theory that persons have a lower expectation of privacy in metadata. This distinction is increasingly criticized, and policy makers and courts are under pressure to reconsider the nature of metadata given:
State intrusion into electronic communication for purposes of law enforcement or state security is often treated under specialist legal regimes that are highly heterogeneous. There is broad agreement in public international law dating to the mid-nineteenth century that each state has the right to intercept or interrupt electronic communications in appropriate circumstances. These principles continue to apply to cyberspace.
From Wikipedia: Mass Surveillance
Mass surveillance is the surveillance of an entire or a substantial fraction of a population in order to monitor that group of citizens. The surveillance is often carried out by local and federal governments or governmental organizations, such as organizations like the NSA and the FBI, but it may also be carried out by corporations (either on behalf of governments or at their own initiative).
From Wikipedia: Mass Surveillance
Depending on each nation’s laws and judicial systems, the legality of and the permission required to engage in mass surveillance varies. It is the single most indicative distinguishing trait of totalitarian regimes. It is also often distinguished from targeted surveillance.
From Wikipedia: Mass Surveillance
Mass surveillance has often been cited as necessary to fight terrorism, prevent crime and social unrest, protect national security, and control the population. Conversely, mass surveillance has equally often been criticized for violating privacy rights, limiting civil and political rights and freedoms, and being illegal under some legal or constitutional systems.
From Privacy International: Mass Surveillance
Today, intelligence agencies and law enforcement conduct mass surveillance through a diverse - and increasing - range of means and methods of surveillance. These include the direct mass interception of communications, access to the bulk communications stored by telecoms operators and others, mass hacking, indiscriminate use of facial recognition technology, indiscriminate surveillance of protests using mobile phone trackers, and more.
From CyBOK Law section 3.3
The interception of communications by a person during the course of transmission over its own non-public network, such as interception on a router, bridge or IMAP server operated by that person on their own LAN for purposes other than providing a public communications service, presents other challenges to analysis. This type of interception activity would not normally expect to fall foul of traditional computer crime legislation, as the relevant person is normally authorized to gain entry to the relevant computer.
From CyBOK Law section 4.1
The overriding purpose of EU data protection law is to protect the interests of data subjects. Data protection law accomplishes this by regulating acts of controllers and processors when processing data that incorporates personal data. Any such processing activity activates the application of data protection law.
From CyBOK Law section 4.1
personal data means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Is an IP address considered an identification number or location data?
From CyBOK Law section 4.1
The Court of Justice of the European Union has held that a server log with IP address numbers incorporates personal data, as it remains possible for third parties (telecommunications service providers) to match static or dynamic IP numbers to individual customer premises and from there to a living person. This made some server log entries ’related to’ a data subject.
The term PII is used in the US but has many definitions
Irrespective of how one defines Personally Identifiable Information (PII), European data protection law contains a clear and broad definition of ’personal data’. It is this definition of personal data, not PII, that triggers the application of European data protection law.
From CyBOK Law section 4.1.2
In data protection law, the term processing is defined as: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
From CyBOK Law section 4.1.3
In data protection law, the term controller is defined as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
From CyBOK Law section 4.1.3
In the history of data protection law, many policy makers originally believed that the most effective way to protect individual rights was to focus regulation on persons who operated and maintained computer equipment – processors.
… however, policy makers began to appreciate that the focus should be turned to persons in a position to command and control how the machines were used – controllers.
Handbook on European data protection law 2018 edition
Under the GDPR, lawfulness requires either:
Personal data processing should be done in a fair manner.
Personal data processing should be done in a transparent manner.
The principle of storage limitation means that personal data must be deleted or anonymized as soon as they are no longer needed for the purposes for which they were collected.
… controllers of processing operations are obliged to inform the data subject at the time when personal data are collected about their intended processing. This obligation does not depend on a request from the data subject, rather the controller must proactively comply with the obligation, regardless of whether the data subject shows interest in the information or not.
… data subjects have the right to have their personal data rectified. The accuracy of personal data is essential to ensure a high level of data protection for data subjects.
Key additional constraints and requirements include timeliness in the correction and that an “unreasonable burden of proof” not be placed on the data subject.
Providing data subjects with a right to have their own data erased is particularly important for the effective application of data protection principles, and notably the principle of data minimization (personal data must be limited to what is necessary for the purposes for which those data are processed).
data subjects enjoy the right to data portability in situations where the personal data that they have provided to a controller are processed by automated means on the basis of consent, or …
If the right to data portability is applicable, data subjects are entitled to have their personal data transmitted directly from one controller to another if this is technically feasible.
Automated decisions are decisions taken using personal data processed solely by automatic means without any human intervention. Under EU law, data subjects must not be subject to automated decisions which produce legal effects or have similarly significant effects.
Crimes in which cyberspace infrastructure is merely an instrumentality of some other traditional crime (e.g., financial fraud),
Distribution of criminal content (e.g., pornography and hate speech),
Crimes directed against cyberspace infrastructure itself
The UK Parliament adopted the Computer Misuse Act of 1990, which defined a series of computer-related criminal offences. This law has been subsequently amended from time to time.
In 1984, the US Congress adopted the Computer Fraud and Abuse Act, which has also been regularly amended. Many US states have additionally adopted their own statutes to prosecute computer crime.
The Council of Europe Convention on Cybercrime is a multilateral treaty… The Convention opened for signature in 2001, and as of July 2019 had been ratified by 44 member states of the Council of Europe and 19 non-European states including Canada, Japan and the US.
Improper access to a system
Improper interference with data
Improper interference with systems
Improper interception of communications
Producing hacking tools with improper intentions
The UK Computer Misuse Act 1990, for example, defines as criminal an action by a person which causes a computer to perform an act with the intent to secure unauthorized access to any program or data. Thus, the mere act of entering a password into a system without authorization in an effort to access that system constitutes a crime under the UK statute whether or not access is successfully achieved.
Laws against improper interference with data criminalize the act of inappropriately ’deleting, damaging, deteriorating, altering or suppressing’ data. (Budapest Convention at Art. 4; Directive 2013/40 at Art 5.)
Many states also define as crimes the production or distribution of tools with the intention that they are used to facilitate other crimes against information systems. (Budapest Convention at Art. 6; Directive 2013/40, Art 7; Computer Misuse Act 1990, s.3A.) These laws can create challenges for those who produce or distribute security testing tools,…