Law and Cybersecurity

Dr. Greg Bernstein

April 27th, 2021

Cybersecurity and the Law

References

The Law: An Overview

Criminal Law: What is it?

From CyBOK Law 1.3.1

Criminal law is the body of law that prohibits behavior generally abhorred by society. Criminal law is normally enforced by an agency of the state. Examples include prohibitions against bank fraud and computer hacking.

Criminal Law: Purposes

From CyBOK Law 1.3.1

  • deterrence (seeking to deter bad behavior);
  • incapacitation (limiting the ability of the criminal to further harm society);
  • retribution (causing a criminal to suffer some type of loss in response to crime);
  • restitution (causing a criminal to compensate a victim or some related person);
  • rehabilitation (seeking to change the long-term behavior of a criminal).

Criminal Law: Outcomes

Terms such as guilty and innocent are normally reserved as descriptions of verdicts (outcomes) in a criminal case. These terms should not be used when referring to outcomes of civil actions.

Civil Law

From CyBOK Law 1.3.2

Civil law is the area of law that regulates private relationships among and between persons. Examples include the laws of contract and negligence. A person injured as a result of breach of civil law can normally bring legal action against the responsible party.

Civil Law: Remedies

From CyBOK Law 1.3.2

  • an order for the liable party to pay compensation to the injured party;
  • an order to terminate some legal relationship between the parties;
  • an order for the liable party to discontinue harmful activity; or
  • an order for the liable party to take some type of affirmative act (e.g., transferring ownership of property).

Civil Law Example: Libel Lawsuits

Dominion Voting Systems files defamation lawsuit against pro-Trump attorney Sidney Powell.

One act: two types of liability & two courts

A single act or series of connected acts can create liability simultaneously under both criminal and civil law. Consider the act of Alice making unauthorized access to Bob’s computer. Her actions in turn cause Bob’s LAN and related infrastructure to fail. Alice’s single hacking spree results in two types of liability. The state can prosecute Alice for the relevant crime and Bob can bring a civil legal action against Alice.

The nature of evidence and proof 1

From CyBOK Law 1.4

The concept of proof in law is different from the term as it is used in the field of mathematics or logic. This can create confusion in discussions of cyber security topics and the law. In law, to ‘prove’ something means simply to use permissible evidence in an effort to demonstrate the truth of contested events to a fact finder to a prescribed degree of certainty.

The nature of evidence and proof 2

From CyBOK Law 1.4

Permissible evidence can take a variety of forms. Subject to the rules of different legal systems, evidence might include direct witness testimony, business records, correspondence, surveillance records, recordings of intercepted telephone conversations, server logs, etc.

Example: Chain of Custody

From Wikipedia: Chain of Custody

Chain of custody (CoC), in legal contexts, is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence. Of particular importance in criminal cases, the concept is also applied in civil litigation and more broadly in drug testing of athletes and in supply chain management…

Standards of Proof 1

From CyBOK Law 1.4, also see Wikipedia: Burden of Proof

  • Beyond a reasonable doubt: Extremely high. Almost incontrovertible. No other reasonable explanation exists to make sense of the evidence. Usually in criminal cases.

  • Clear and convincing evidence: Reasonably high certainty. Much more than simply ‘probable’. Used to overturn a patent, used to challenge a criminal conviction.

Standards of Proof 2

From CyBOK Law 1.4

  • Preponderance of evidence: More probable than not. The most common formulations of the standard of proof required to prevail in a civil case.

  • Probable cause: The evidence suggests that the target of an investigation has committed a crime, although evidence is not yet conclusive. The standard required in the US to persuade a judicial officer to issue a search warrant or arrest warrant.

Standards of Proof 3

From CyBOK Law 1.4

  • Reasonable suspicion: The standard typically required in the US to justify a police officer temporarily stopping and questioning a person. This phrase has also been suggested as a threshold for justifying state electronic surveillance.

What has Changed

Cyberspace enables persons located in different states to communicate with one another in a fashion that is unprecedented in history. Once-unusual international contacts and relationships have become commonplace. Those who face a potential threat of enforcement by a person in a foreign state must consider a few threshold questions before the relevant legal risk can be analysed: jurisdiction and conflict of law.

General Notion

Jurisdiction describes scope of state authority and the mechanisms used by a state to assert power. Private international law, or conflict of law, examines how to determine which domestic state law(s) will be applied to resolve certain aspects of a given dispute. This section of the knowledge area discusses jurisdiction. Conflict of law is addressed separately in the context of individual substantive headings of law.

Aspects of Jurisdiction

  • Prescriptive jurisdiction
  • Juridical jurisdiction
  • Enforcement jurisdiction

Prescriptive Jurisdiction

Prescriptive jurisdiction describes the scope of authority claimed by a state to regulate the activities of persons or take possession of property. Law makers normally adopt laws for the purpose of protecting the residents of their home state and may declare their desire to regulate the actions of foreign-resident persons to the extent that such actions are prejudicial to home state-resident persons.

Juridical Jurisdiction

Juridical jurisdiction describes the authority of a tribunal to decide a case or controversy. The rules of such jurisdiction vary widely from tribunal to tribunal. In civil cases, courts usually demand a minimum degree of contact between the residential territory of the court and the property or person against which legal action is taken.

Enforcement Jurisdiction

Enforcement jurisdiction describes the authority of a state to enforce law. This is sometimes described as police power, power to arrest and detain, authority to use force against persons, etc. In civil matters, this may describe other methods used to project force over persons or property resident in a territory, such as seizing plant and equipment, evicting tenants from property, garnishing wages, seizing funds on deposit with a bank, etc.

Terminology Explained 1

  • Prejudicial: Causing or tending to cause harm, especially to a legal case (many other definitions)

  • State: Can mean country, state, province, or territory… (it is not referring strictly to a state in the US)

  • Tribunal: court, grand jury, some kind of organization where legal cases are decided

Jurisdiction and Computer Crime 1

States adopting computer crime laws often legislate to include cross-border acts. As a result, it is common for a state with such laws on their books to exercise prescriptive jurisdiction over persons – no matter where they are located – who take actions directed to computer equipment located within the state.

Jurisdiction and Computer Crime 2

Similarly, persons who act while physically located within the state’s territory are often caught within the scope of the criminal law when conducting offensive operations against computers resident in foreign states. Public international law recognizes such exercises of prescriptive jurisdiction as a function of territorial sovereignty.

Enforcement Mechanisms

  • Asset seizure and forfeiture
  • Arrest and/or extradition of natural persons
  • Technological Content Filtering
  • (Court) orders to turn over data under one's control

Privacy Law

Example Facebook FTC Fine 2019

From FTC

FTC Press Release 2019

General Notions

From CyBOK Law section 3

privacy has been described simply as the right for a person to be free from intrusion by others into personal affairs or the right to be left alone.

Human Rights

Privacy is widely recognized internationally as a human right, although not an absolute right. The right to privacy is conditional – subject to limitations and exceptions. The 1948 Universal Declaration of Human Rights states at Art 12 that, ‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence…’. Freedom from interference with privacy extends only to ‘arbitrary’ interference, which clearly contemplates the legitimacy of ‘non-arbitrary’ interference.

Privacy and Metadata 1

Privacy laws often treat metadata differently from content data, usually based on the theory that persons have a lower expectation of privacy in metadata. This distinction is increasingly criticized, and policy makers and courts are under pressure to reconsider the nature of metadata given:

Privacy and Metadata 2

  • the private quality of some information disclosed by modern metadata
  • the incredible growth in the volume and types of metadata available
  • the growing volume of otherwise-private information that can be inferred from metadata using modern traffic analysis and visualization techniques.

Example Cell Phone/App Data

From Capitol Attack Cell Data: NY Times

DC insurrection cell data

Interception by a State

State intrusion into electronic communication for purposes of law enforcement or state security is often treated under specialist legal regimes that are highly heterogenous. There is broad agreement in public international law dating to the mid-nineteenth century that each state has the right to intercept or interrupt electronic communications in appropriate circumstances. These principles continue to apply to cyberspace.

Mass Surveillance 1

From Wikipedia: Mass Surveillance

Mass surveillance is the surveillance of an entire or a substantial fraction of a population in order to monitor that group of citizens. The surveillance is often carried out by local and federal governments or governmental organizations, such as organizations like the NSA and the FBI, but it may also be carried out by corporations (either on behalf of governments or at their own initiative).

Mass Surveillance 2

From Wikipedia: Mass Surveillance

Depending on each nation’s laws and judicial systems, the legality of and the permission required to engage in mass surveillance varies. It is the single most indicative distinguishing trait of totalitarian regimes. It is also often distinguished from targeted surveillance.

Mass Surveillance 3

From Wikipedia: Mass Surveillance

Mass surveillance has often been cited as necessary to fight terrorism, prevent crime and social unrest, protect national security, and control the population. Conversely, mass surveillance has equally often been criticized for violating privacy rights, limiting civil and political rights and freedoms, and being illegal under some legal or constitutional systems.

Mass Surveillance 4

From Privacy International: Mass Surveillance

Today, intelligence agencies and law enforcement conduct mass surveillance through a diverse - and increasing - range of means and methods of surveillance. These include the direct mass interception of communications, access to the bulk communications stored by telecoms operators and others, mass hacking, indiscriminate use of facial recognition technology, indiscriminate surveillance of protests using mobile phone trackers, and more.

Interception by Others

From CyBOK Law section 3.3

The interception of communications by a person during the course of transmission over its own non-public network, such as interception on a router, bridge or IMAP server operated by that person on their own LAN for purposes other than providing a public communications service, presents other challenges to analysis. This type of interception activity would not normally expect to fall foul of traditional computer crime legislation, as the relevant person is normally authorized to gain entry to the relevant computer.

Data Protection Law

New Laws and Rights

From CyBOK Law section 4.1

The overriding purpose of EU data protection law is to protect the interests of data subjects. Data protection law accomplishes this by regulating acts of controllers and processors when processing data that incorporates personal data. Any such processing activity activates the application of data protection law.

Data subject, personal data

From CyBOK Law section 4.1

personal data means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Question: IP Addresses?

Is an IP address considered an identification number or location data?

Server Logs

From CyBOK Law section 4.1

The Court of Justice of the European Union has held that a server log with IP address numbers incorporates personal data, as it remains possible for third parties (telecommunications service providers) to match static or dynamic IP numbers to individual customer premises and from there to a living person. This made some server log entries ‘related to’ a data subject.

Personal data and/or PII

The term PII is used in the US but has many definitions.

Irrespective of how one defines Personally Identifiable Information (PII), European data protection law contains a clear and broad definition of ’personal data’. It is this definition of personal data, not PII, that triggers the application of European data protection law.

Processing

From CyBOK Law section 4.1.2

In data protection law, the term processing is defined as: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Controller

From CyBOK Law section 4.1.3

In data protection law, the term controller is defined as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Controllers and Processors

From CyBOK Law section 4.1.3

In the history of data protection law, many policy makers originally believed that the most effective way to protect individual rights was to focus regulation on persons who operated and maintained computer equipment – processors.

… however, policy makers began to appreciate that the focus should be turned to persons in a position to command and control how the machines were used – controllers.

Key Principles 1

Handbook on European data protection law 2018 edition

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimization;

Key Principles 2

Handbook on European data protection law 2018 edition

  • data accuracy;
  • storage limitation;
  • integrity and confidentiality.

Lawfulness Principle

Under the GDPR, lawfulness requires either:

  • consent of the data subject;
  • necessity to enter a contract;
  • a legal obligation;
  • necessity to protect the vital interests of the data subject or of another person;
  • necessity for performing a task in the public interest;
  • necessity for the legitimate interests of the controller or a third party, if they are not overridden by the interests and rights of the data subject.

Fairness Principle

Personal data processing should be done in a fair manner.

  • The data subject must be informed of the risk to ensure that processing does not have unforeseeable negative effects.

Transparency Principle

Personal data processing should be done in a transparent manner.

  • Controllers must inform data subjects before processing their data, among other details, about the purpose of processing and about the identity and address of the controller.
  • Information on processing operations must be provided in clear and plain language to allow data subjects to easily understand the rules, risks, safeguards and rights involved.
  • Data subjects have the right to access their data wherever they are processed.

Purpose Limitation

  • The purpose of processing data must be defined before processing is started.
  • There can be no further processing of data in a way that is incompatible with the original purpose, though the General Data Protection Regulation foresees exceptions to this rule …
  • … the principle of purpose limitation means that any processing of personal data must be done for a specific well-defined purpose and only for additional, specified, purposes that are compatible with the original one.

Data Minimization Principle

  • Data processing must be limited to what is necessary to fulfil a legitimate purpose.
  • The processing of personal data should only take place when the purpose of the processing cannot be reasonably fulfilled by other means.
  • Data processing may not disproportionately interfere with the interests, rights and freedoms at stake.

Data Accuracy Principle

  • The principle of data accuracy must be implemented by the controller in all processing operations.
  • Inaccurate data must be erased or rectified without delay.
  • Data may need to be checked regularly and kept up to date to secure accuracy.

Storage Limitation Principle

The principle of storage limitation means that personal data must be deleted or anonymized as soon as they are no longer needed for the purposes for which they were collected.

Data Security Principle

  • The security and confidentiality of personal data are key to preventing adverse effects for the data subject.
  • Security measures can be of a technical and/or organizational nature.
  • Pseudonymization is a process that can protect personal data.
  • The appropriateness of security measures must be determined on a case-by-case basis and reviewed regularly.
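The server-log holding above (an IP address in a log is personal data) and the pseudonymization and storage-limitation principles come together in a very practical place: the web server access log. The following is an added example, not from the lecture or from CyBOK, showing one defensible way to treat such a log: the client IP is replaced with a keyed (HMAC) pseudonym, so the same client stays linkable for incident analysis but cannot be recovered by simply hashing every possible IPv4 address, and entries older than the retention period are dropped. The log lines, the key and the 30-day period are constructed for the example; the log format assumed is the common Apache/nginx style.

```python
import hmac
import hashlib
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (documentation-range IPs, RFC 5737).
SAMPLE_LOG = """\
203.0.113.42 - - [27/Apr/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [27/Apr/2021:10:16:01 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.42 - - [27/Apr/2021:10:16:05 +0000] "GET /account HTTP/1.1" 200 2211
"""

# Constructed key for the example. In practice the key lives in a secret
# store, and rotating it (e.g. monthly) breaks linkability across periods,
# which limits how much can be inferred from long-run pseudonymized data.
EXAMPLE_KEY = b"example-log-pseudonymization-key"

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")
TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Return a keyed pseudonym for an IP address.

    A plain SHA-256 of an IPv4 address is reversible by hashing all 2^32
    addresses; the HMAC key is what makes the mapping one-way for anyone
    who does not hold it. The same IP always yields the same token under
    the same key, so a client's requests remain correlatable.
    """
    canonical = ipaddress.ip_address(ip).exploded  # normalizes IPv4/IPv6 text
    digest = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return digest[:16]  # truncated: 64 bits is plenty to keep clients distinct


def pseudonymize_log(text: str, key: bytes):
    """Replace the leading client IP of each log line with its pseudonym."""
    result = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than pass raw data through
        result.append(f"{pseudonymize_ip(match['ip'], key)} {match['rest']}")
    return result


def within_retention(line: str, now: datetime, max_age: timedelta) -> bool:
    """Storage limitation: keep a line only while it is younger than max_age.

    A line whose timestamp cannot be parsed is treated as expired, so that
    unexpected input is deleted rather than retained indefinitely.
    """
    match = TS_RE.search(line)
    if not match:
        return False
    stamp = datetime.strptime(match["ts"], TS_FORMAT)
    return now - stamp <= max_age


def apply_retention(lines, now: datetime, max_age: timedelta):
    """Drop every line that has outlived the retention period."""
    return [line for line in lines if within_retention(line, now, max_age)]


if __name__ == "__main__":
    pseudonymized = pseudonymize_log(SAMPLE_LOG, EXAMPLE_KEY)
    for line in pseudonymized:
        print(line)
    cutoff_now = datetime(2021, 6, 1, tzinfo=timezone.utc)
    kept = apply_retention(pseudonymized, cutoff_now, timedelta(days=30))
    print(f"{len(kept)} of {len(pseudonymized)} lines survive a 30-day retention on 2021-06-01")
```

Two design points follow from the text above. First, pseudonymization is a security measure, not an exit from the law: while the key exists, the controller can still relate a token back to a person, so the pseudonymized log remains personal data and the purpose-limitation and storage-limitation principles still apply to it. Second, the retention function deliberately fails closed on unparseable lines; for a minimization principle, deleting too much is the safer failure mode.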

Accountability Principle

  • Accountability requires controllers and processors to actively and continuously implement measures to promote and safeguard data protection in their processing activities.
  • Controllers and processors are responsible for compliance of their processing operations with data protection law and their respective obligations.
  • Controllers must be able to demonstrate compliance with data protection provisions to data subjects, the general public and supervisory authorities at any time. Processors must also comply with some obligations strictly linked to accountability (such as keeping a record of processing operations and appointing a Data Protection Officer).

GDPR Rights

Data Subjects Rights 1

  • Right to be informed
  • Right to rectification
  • Right to erasure (“the right to be forgotten”)

Data Subjects Rights 2

  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • … right not to be subject to decisions based solely on automated processing…

Right to be informed

… controllers of processing operations are obliged to inform the data subject at the time when personal data are collected about their intended processing. This obligation does not depend on a request from the data subject, rather the controller must proactively comply with the obligation, regardless of whether the data subject shows interest in the information or not.

Right to rectification

… data subjects have the right to have their personal data rectified. The accuracy of personal data is essential to ensure a high level of data protection for data subjects.

Key additional constraints and requirements include timeliness in the correction and that an “unreasonable burden of proof” not be placed on the data subject.

Right to erasure (‘the right to be forgotten’)

Providing data subjects with a right to have their own data erased is particularly important for the effective application of data protection principles, and notably the principle of data minimization (personal data must be limited to what is necessary for the purposes for which those data are processed).

Right to data portability

data subjects enjoy the right to data portability in situations where the personal data that they have provided to a controller are processed by automated means on the basis of consent, or …

If the right to data portability is applicable, data subjects are entitled to have their personal data transmitted directly from one controller to another if this is technically feasible.

Automated decisions

Automated decisions are decisions taken using personal data processed solely by automatic means without any human intervention. Under EU law, data subjects must not be subject to automated decisions which produce legal effects or have similarly significant effects.

How is this Enforced?

Computer Crime

Types of Cybercrime

  1. Crimes in which cyberspace infrastructure is merely an instrumentality of some other traditional crime (e.g., financial fraud),

  2. Distribution of criminal content (e.g., pornography and hate speech),

  3. Crimes directed against cyberspace infrastructure itself

Laws Concerning Crimes Against Information Systems

  • The UK Parliament adopted the Computer Misuse Act of 1990, which defined a series of computer-related criminal offences. This law has been subsequently amended from time to time.

  • In 1984, the US Congress adopted the Computer Fraud and Abuse Act, which has also been regularly amended. Many US states have additionally adopted their own statutes to prosecute computer crime.

  • The Council of Europe Convention on Cybercrime is a multilateral treaty… The Convention opened for signature in 2001, and as of July 2019 had been ratified by 44 member states of the Council of Europe and 19 non-European states including Canada, Japan and the US

Types of Crimes Against Computer Systems 1

  1. Improper access to a system

  2. Improper interference with data

  3. Improper interference with systems

Types of Crimes Against Computer Systems 2

  1. Improper interception of communications

  2. Producing hacking tools with improper intentions

Improper Access Law Example

The UK Computer Misuse Act 1990, for example, defines as criminal an action by a person which causes a computer to perform an act with the intent to secure unauthorized access to any program or data. Thus, the mere act of entering a password into a system without authorization in an effort to access that system constitutes a crime under the UK statute whether or not access is successfully achieved.

Improper Interference with Data Example

Improper system interference with data laws criminalize the act of inappropriately ‘deleting, damaging, deteriorating, altering or suppressing’ data. (Budapest Convention at Art. 4; Directive 2013/40 at Art 5.)

Producing Hacking Tools

Many states also define as crimes the production or distribution of tools with the intention that they are used to facilitate other crimes against information systems. (Budapest Convention at Art. 6; Directive 2013/40, Art 7; Computer Misuse Act 1990, s.3A.) These laws can create challenges for those who produce or distribute security testing tools,…
