A long time ago, Celtic pagans described “a time that is not a time and a place that is not a place.” Except for the fact that we are talking about hundreds of years ago, they might as well have been describing cyberspace.
How, exactly, would we describe the concept of cyberspace to people who were not experientially equipped to understand it? Is cyberspace an overlay on physical space? If so, what about such concepts as the Dark Web? Is that an overlay on an overlay on the physical space? Or was the old descriptor of an “information superhighway” more accurate with smaller highways and byways weaving in and out of the superstructure of the “highway”?
These seem like interesting theoretical questions with no particular purpose other than to help writers such as me tell our tales. That certainly is not the case if you happen to be an attorney. If you are an attorney, this discussion frames a most important question: “In what jurisdiction was the crime (or tort) committed?”
If you are a CISO or other C-Level executive, you also need to know the answer to this. The gotcha is that the answer can be very easy or quite complicated. It can dictate your policy. It can dictate how you enforce your policy. And there are a few wrinkles that add to the complications.
For example, when is an event a cyber event that requires special legal constructs created specifically for the cyberspace? Be warned, though, if the answer is that it is, in fact, a legitimate cyber event you have even more challenges because there are almost no laws that are specific to cyberspace and often those that do exist are quite outdated. Sadly, that state of affairs leads to the natural response of force-fitting physical space law into cyberspace events. But, happily, that approach is exactly the right one – no force-fitting necessary, though, since the issue is a physical world event that just happens to touch the cyberspace.
Let’s try an example. We’ll look at United States v. Love.
In this one we have multiple layers which makes it an interesting and informative case. Lauri Love is a UK citizen who allegedly hacked computers used by Federal (US) agents. At issue was should Love be extradited to the US to stand trial for his crimes. To complicate matters, Love suffers from Asperger Syndrome. The acts allegedly perpetrated by Love constituted crimes both in the US (Computer Fraud and Abuse Act – 18USC§1030) and in the UK (Computer Misuse Act 1990 s.1 and s.2). So, we have a cyber event that is considered a crime both from whence the crime was committed and against whom it was committed. That immediately raises jurisdictional issues.
If you stand in New Jersey and fire a gun into New York killing someone who is standing in New York, which state has jurisdiction? Both states might claim jurisdiction. It gets more complicated when there is more than one nation involved as in our case here. So, we now add a layer to the cyber layer and that is the layer of extradition. The final layer is Love’s health consideration. The UK took the position that there was a substantial risk of suicide if Love was moved to the US.
If we dissect the indictments—many of which currently are under seal—we see that the breakdown is, itself, an interesting example of the problem of force-fitting physical law into cyber issues and mischaracterizing physical space issues as cyberspace crimes.
Before we dig a bit further, let’s get a definition or two under our belts. What do we mean by a “cybercrime”? To answer that we need to get a definition of cyber science. You should note that these are my definitions, developed from my research on what little there is on the topic. I am publishing a paper on “Defining a Cyber Jurisprudence” at the ADFSL conference in May. But, I am sure that we can draw a couple of definitions, pre-publication.
Cyber Science: Cyber science is the study of phenomena caused or generated within the cyber space, which may or may not interact with phenomena caused or generated within the physical space.
Next, let’s define what we mean by cyber law:
Cyber Law: Cyber law is the set of obligations and duties applied to events related directly to cyber science.
And, finally, a cybercrime:
Cyber Crime: A cyber crime is crime or misdemeanour ocurring in the space defined by cyber science and comprising an act committed or omitted, in violation of public law either forbidding or commanding it.
These are important definitions because—going back to cyber science, the backdrop for the rest—we are talking about “…phenomena caused or generated within the cyber space.” That doesn’t mean that we are talking about an event in the physical space that simply touches the cyber space. That distinction is very important to the case(s) against Lauri Love.
There is one count from the Southern District of New York that relates directly to 18USC§1030. This covers computer hacking. This is applicable to the allegation that Love illegally accessed computers used by “government agents” (a government interest computer). The rest of the allegations, particularly from the District of New Jersey, are related to fraud and do not necessarily reference USC18§1030.
Then we have the jurisdictional debate. This has become very political and seems to be being tried in the media. The jurisdictional debate might or might not be separable from the hacking, and it might or might not be separable from the fraud charges. So, how do we decide?
Let’s go back to our definitions and ask: “Could the fraud activities have occurred without recourse to cyber space?” If we look at the conspiracy charges we find that they certainly could. However, the implication is that these charges are linked back to the USC18§1030 charges. In addition, there are charges connected with USC18§1028 which covers Fraud and related activity in connection with identification documents, authentication features, and information. There is no doubt that this could stand alone without recourse to cyberspace.
Taken together, does this mean that Mr. Love has a way out just because of the multiplicity of types of laws? The answer to that probably is no. However, what is interesting and useful is noting that laws that clearly are physical space laws are usable to address a crime that has tentacles in cyberspace without creating a new law to cover it (e.g., we don’t need a law specifically for fraud committed in cyberspace; fraud is fraud, whether or not it uses a computer).
On the other hand, if cyberspace is the only way the crime could be committed—back to our definition of cyber science—we need a law crafted to cover it. Computer hacking from the UK to the US would be pretty hard to do without resorting to cyberspace as a vehicle.
At its simplest, we find there are three definitions of jurisdiction: jurisdiction based upon physical geography, jurisdiction based upon people and jurisdiction based upon subject matter. Given these three—and there a few more that we don’t need to address at this point—it is clear that we can use our definition of cyber science to help us establish subject matter jurisdiction. If we find that an event is purely a cybercrime, we can apply subject matter jurisdiction to help us over the “place that is not a place” impact of geographical jurisdiction. We could, perhaps, stumble over the jurisdiction over individuals (people) as we have in the Lauri Love case but that is a topic for another blog.
So, the bottom line: when you are determining whether you have a crime that rises to the level of a cybercrime, look first to the definition of cyber science and then to the subject matter jurisdiction. When you have figured out what you have, call the appropriate authorities covering the jurisdiction.
