What is cyberlaw?
- June 2, 2015
- Clayton Rice, Q.C.
No one knows. Not that the question hasn’t been asked. But, rather, because the domain of cyberlaw, or cybersecurity law, is one where the parameters have not been defined. Recent hacking attacks against Sony Pictures, Target and Anthem have heightened public interest and recently motivated the U.S. Congress to propose cybersecurity legislation. The new bills prompted The Editorial Board of the New York Times to comment in an op-ed titled Shortcomings of Cybersecurity Bills on May 14, 2015, that: “These bills could help make American networks somewhat less vulnerable to hackers, but they would do so at a cost to the privacy of individuals.” I will begin, then, with a small but critical point about terminology.
Labels are important. They have temporal endurance. So consideration should be given to whether we are talking about cyberlaw or cybersecurity law. I prefer the term cyberlaw because it is not inherently limited. The term cybersecurity emphasizes security. In the vast and expanding world of cyberspace, the identifying description should be sufficiently flexible to embrace areas of the law beyond the known world of cyber infrastructure and the operators of cyber systems. So, cyberlaw it is.
The dynamism of cyberlaw may be dramatized by this question: Do you know where your data is? In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (2015), Bruce Schneier of the Berkman Center at Harvard Law School brings that question into focus, at pp. 220-1:
“Our laws are based on geographical location. For most of human history, this made a lot of sense. It makes less sense when it comes to the Internet; the Internet is just too international.
You’re obviously subject to the legal rules of the country you live in, but when you’re online, things get more complicated. You’re going to be affected by the rules of the country your hardware manufacturer lives in, the rules of the country your software vendor lives in, and the rules of the country your online cloud application provider lives in. You’re going to be affected by the rules of the country where your data resides, and the rules of whatever countries your data passes through as it moves around the Internet.”
The global issue in cyberspace governance and security was identified in a paper titled Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities (2014) where the Office of the Privacy Commissioner of Canada put it this way, at p. 8:
“Given that information flowing through cyberspace is not constrained by national borders, ‘with whom we share data and where it ultimately resides in cyberspace is an inherently international concern.’ As such, citizens of every country face similar risks in the protection of their privacy rights. Issues of cyber security and privacy protection are global challenges that require a global response.”
The uncertainty and volatility of a body of international and domestic law, the corpus juris of cyberspace, are highlighted where Mr. Schneier concluded, at p. 221:
“It is hard to know where to start. In today’s cloud computing world, we often have no idea which companies actually host our data. An Internet company like Orbitz might host its infrastructure on a provider like Atlassian, which in turn hosts its infrastructure on a provider like Rackspace. Do you have any idea where your Orbitz data actually is?
We need to be able to know where our data is stored, and to specify which countries we want our data stored in, and which countries we want our data never to go near. In the meantime, we have to do the best we can. And recognize that in most cases we simply don’t know.”
That unknown feeds into the antagonism between privacy interests and big data. Big data is a broad term used to describe data sets that are so vast that traditional processing applications are inadequate. The term is often used to refer to the use of analytics to extract interpretative value from the data. The Office of the Privacy Commissioner described big data as follows, at p. 6:
“Big data can be defined as vast stores of information gathered from both traditional sources and, increasingly, new collection points (e.g. web data, sensor data, text data, time and location data gleaned from social networks). The insights derived through analysis of big data are often touted as the solution to almost any problem or issue. However, this data-driven approach raises two distinct issues from a cyber security perspective: how to secure information in a big data context and the use of new data analytics to sift through network information including personal information, in order to predict security incidents.”
Privacy law is an important component of cyberlaw that is thrown into stark relief in the big data conversation. The Office of the Privacy Commissioner concluded, at p. 6, that, “…evidence exists which shows that privacy concerns arise by virtue of the fact that big data analytics quite often means unrestricted collection of data, and sophisticated analysis that can yield very personal insights about individuals. This is also a process that could potentially motivate secondary uses of personal information that are unreasonable. Peter Wood, Chief Executive Officer of First Base Technologies LLP and a member of the ISACA London Chapter Security Advisory Group, explains that the crux of the issue is that big data’s volume and velocity ‘expands the boundaries of existing information security responsibilities and introduces significant new risks and challenges’.”
In Canada, the federal government announced budget initiatives on April 21, 2015, aimed at the enhancement of cybersecurity. The emphasis is on the protection of essential government cyber systems and infrastructure including Internet network pathways and connections. The object will be to detect and prevent cyber attackers from gaining access to government systems. The budget implies that legislation may require operators of vital cyber systems to meet security standards; implement cybersecurity initiatives; and, report security incidents. These speculative features may represent the content of the Protection of Canada’s Vital Cyber Systems Act that remains in the drafting stage. This legislation would be designed to protect government systems and infrastructure and would thus fall within the domain of public law. It would not appear to have a bearing on the privacy rights of citizens to know where their data is.
The role of lawyers in the growing field of cybersecurity law was examined in a paper titled The Emergence of Cybersecurity Law (2015) prepared by Hanover Research for the Indiana University Maurer School of Law. The key findings are summarized as follows, at p. 2:
- Cybersecurity is a growing priority for legal practitioners. Of the corporate law departments surveyed for the study, over half rated cybersecurity as a “high concern”.
- Corporations, including their legal counsel, can improve their preparedness for cyberthreats. Multiple studies have found that substantial numbers of corporate leaders lack full confidence in their organizations’ preparedness.
- Cybersecurity has become as much a legal issue as a technical one. Given the fragmented legal framework for data security and privacy issues, organizations must be aware of a “quilt” of laws and regulations they must be subject to.
- Lawyers are becoming more proactive in addressing cybersecurity concerns. Until very recently, companies primarily involved lawyers in the response to cybersecurity incidents, rather than in the planning against such crises.
- Lawyers need more education in both the legal and technical aspects of cybersecurity. Over two-thirds of the corporate law departments surveyed for the study rated improved cybersecurity training as “very” or “extremely” important.
Although the Maurer study purported to examine cyberlaw as a growing field, all of the findings related solely to cybersecurity issues.
In an article titled What is ‘cybersecurity law’? published in The Washington Post edition dated May 14, 2015, Professor Orin Kerr of The George Washington University Law School described cybersecurity law as including four topics. I will use his topics, injected with a Canadian flavour, as they are a good basis on which to sustain this conversation.
- The law governing steps that potential or actual victims of Internet intrusions can take in response to potential or actual intrusions
This has two components: (1) what steps can a victim take to monitor attacks, uncover evidence of an intrusion or trace it to its source; and (2) what are the legal limits of a victim’s response?
- The law governing liability for computer intrusions for both the perpetrator and the victim
This also has two components: (1) what is the criminal and/or civil liability of the person or entity that committed the intrusion (e.g., identity theft and trafficking in identity information under s. 402.2 of the Criminal Code; and, the law governing privileged communications between lawyer and client); and, (2) what is the potential civil liability for the entity that has been victimized, either for the intrusion itself or for failure to comply with breach notification statutes? (e.g., the liability of hospitals under provincial statutes for the theft of electronically stored patient records).
- The regulatory law of computer security
What are the regulatory authorities? What powers do different agencies have to enforce cybersecurity standards? What are the regulatory provisions in foreign countries where Canadian companies do business?
- Special issues raised by government network offence and defence
When a government network provider is attacked, to what extent does monitoring implicate privacy interests under s. 8 of the Charter of Rights? The security of federal government networks also raises the possible application of the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).
Cyberlaw, then, contains a global component that transcends national boundaries – a component that recognizes privacy as underpinning human dignity and other key values such as freedom of expression and freedom of association. It is the critical human rights issue in the digital world. To the four topics crafted by Professor Kerr, I add a fifth:
- The law of privacy
This topic also has two components: international law and national laws. Privacy is a human right recognized by international law. I specifically identify international law as part of the fifth topic to maintain its distinction from rights contained in national constitutions such as the Fourth Amendment to the Constitution of the United States. It is appropriate to keep international law separate for reasons of the law governing ratification of treaties and domestic laws regarding implementation of treaty obligations. The right to privacy in this context is contained in Article 12 of the Universal Declaration of Human Rights (1948) which provides that: “No one shall be subjected to arbitrary interference with his privacy…”. Article 12 is reflected in Article 17(1) of the International Covenant on Civil and Political Rights (1966) which states: “No one shall be subjected to arbitrary or unlawful interference with his privacy…”.
On December 18, 2013, the United Nations General Assembly adopted resolution 68/167 which expressed “deep concern” about the negative impact that surveillance and interception of communications may have on human rights. The General Assembly affirmed that the rights held by people offline must also be protected online and it called upon all States to protect the right to privacy in digital communications. In assessing what questions may be addressed under this fifth topic, the Office of the High Commissioner for Human Rights might be a good place to begin: “While the right to privacy under international human rights law is not absolute, any instance of interference must be subject to a careful and critical assessment of its necessity, legitimacy and proportionality.” (See: Office of the High Commissioner for Human Rights. The Right to Privacy in the Digital Age (2014).)
The law of privacy, both internationally and domestically, must also incorporate rights to encryption and online anonymity. On May 22, 2015, the United Nations received the Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression submitted in accordance with Human Rights Council resolution 25/2. The Report concluded as follows, at p. 16:
“Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age. Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity. Because of their importance to the rights to freedom of opinion and expression, restrictions on encryption and anonymity must be strictly limited according to principles of legality, necessity, proportionality and legitimacy.”
The Report went on to recognize that discussions of encryption and anonymity have too often focused only on their potential for criminal purposes in times of terrorism. But emergent circumstances do not relieve States of their obligation to ensure respect for international human rights law. The Report recommended, at p. 17, that national laws should protect individuals in their use of encryption and anonymity tools, and that legislation and regulations should also include provisions enabling access to the use of these technologies by human rights defenders and journalists to secure their communications.
The Supreme Court of Canada has held that all Canadians have a right to online anonymity and a reasonable expectation of privacy in information stored on computers under s. 8 of the Charter of Rights in R. v. Spencer,  2 S.C.R. 212 and R. v. Vu,  3 S.C.R. 657. These opinions are consistent with the view that encryption and online anonymity are basic human rights that are essential swords in the protection of communications between journalists and their sources and critical shields against self-censorship. (See: Koebler. United Nations: Encryption and Online Anonymity Are Basic Human Rights. May 28, 2015. motherboard.vice.com; Greenwald. No Place To Hide: Edward Snowden, the NSA, and the U.S. Surveillance State (2014); and, Williams. Mass surveillance: Journalists confront the moment of hesitation. Index on Censorship. April 28, 2015.)