
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in the US’ Computer Fraud and Abuse Act (CFAA) and UK’s Computer Misuse Act (CMA).


Codifying the Harm of Cybercrime
Injecting zemiology in the US’ Computer Fraud and Abuse Act (CFAA) and UK’s Computer Misuse Act (CMA).

Gillian Cafiero [1]
March, 2015

Abstract

This work is a brief reflection on the ‘ambiguous nature of harms in Cyberspace’ [2]. It seeks to evaluate how harm is coded in cyber-regulations paying particular attention to the political momentum around the UK’s Computer Misuse Act (CMA) and the US’s Computer Fraud and Abuse Act (CFAA). Its intention is to inject an element of zemiology into political discourse and advance a codification of cybercrime that can maximize cyber-prosecutorial effectiveness and enhance the rule of law through transparency and coherence.

The New Year has been marked by a political desire to reform the rules that govern cyberspace. Last week, the UK’s government passed the Serious Crime Act 2015, which amends the existing Computer Misuse Act 1990 (CMA) [3]. In January, Obama’s Administration introduced a proposal to amend the Computer Fraud and Abuse Act (CFAA) [4]. The pace of legislative change is welcome because the laws that govern cyberspace are in dire need of reform. However, is the new legislation taking us in the right direction?

Following Aaron Swartz’s death in 2013, Lawrence Lessig gave a lecture at Harvard Law School where he emphasized the need to address the ‘ambiguous nature of harms in Cyberspace’ [5]. By this, he meant the need to distinguish between the illegal uses of technology that result in serious harm and those that do not; in other words, he was calling for the identification of a taxonomy of harm in cyberspace.

Classifying different degrees of cybercrime according to the harm they cause could be a useful exercise for several reasons, for example: it would spur law enforcement agencies to target their limited resources more accurately, and it would strengthen the rule of law by enhancing the transparency and coherence of legislative measures.

The current legal frameworks, particularly the CFAA and the CMA, do not incentivise a classification of harm. The controversial reactions to the conviction of Barrett Brown, the activist/journalist who was prosecuted for (amongst other things) sharing links to hacked information, were a recent demonstration that there is still a strong dissonance between the penalties pursued for ‘cybercrimes’ and the level of harm that the public perceives them to have caused [6]. The changes in the US and the UK show some promise of including a taxonomy of harm within cyber-regulation but they fall short of defining key parameters of it.

Obama’s proposal addresses an evaluation of the harm caused by cybercrimes in two ways.

The first is by setting standards for the prosecution of contract-based violations of computer-system access. The current law on the subject is contradictory; some circuits [7] hold that violations of terms and conditions fall outside the scope of the CFAA while others consider all violations of contractual access rights as a violation of the statute. The reform criminalises violations of terms of use but limits liability to instances where: (a) the individual violates a restriction on a government computer; (b) where an individual obtains information worth more than $5000 from violation of access rights; and (c) where the individual violates the access rights in furtherance of a state or federal felony [8]. At face value, these measures are a valid attempt at restricting the impact of the CFAA to cases where the breach of contractual access rights has seriously harmful consequences. However, the wording of the legislation remains fairly open-ended and exposed to broad, all-encompassing, prosecutorial interpretation [9].

The second way in which Obama’s proposal addresses the notion of harm in cyberspace relates to violations of technological access barriers (in other words, code-based hacks). The current CFAA classifies certain types of technological access violations as misdemeanours but others as 5-year-maximum felonies. The proposed reform would make all violations of technological access barriers 3-year felonies, which could be raised up to a 10-year felony if enhancements apply. The underlying assumption is that all unauthorized violations of technological barriers cause a significant enough degree of harm to be considered criminal. However, it is recognized that some deserve significantly higher penalties than others.

The contrast between (a) the new limitations imposed on the prosecution of contract-based hacks, and (b) the proposal for the universal criminalisation of code-based hacks, warrants some consideration. In my view, the distinction between code-based violations and contract-based violations is somewhat abstract. Ultimately both are violations of words [10], be they in a terms and conditions document or in a code script. Both types of violations can result in equally grave consequences and both can have little to no impact. Therefore, drafting the rules that govern these two types of access violations in such different ways appears to be a drive away from a harm-based legislation of cyberspace.

In the UK, a similar trend is taking place. The Serious Crime Act 2015, which was introduced last week, adds a new clause to the Computer Misuse Act 1990 (CMA) designed to deal with cybercrimes that cause ‘serious’ harms. The new section (s. 3ZA) covers “unauthorised acts causing, or creating risk of, serious damage”. The aggravated offences carry a 14-year maximum prison term, while in the current CMA offences carry a maximum 10-year imprisonment term [11]. Fundamentally, the attempt to differentiate instances where cyber-attacks have grave consequences is laudable. However, the wording of the new section is rather broad, and risks opening the floodgates for prosecutions of all violations of computer systems as serious offences [12].

According to the new legislation a computer crime is serious if it causes damage of a material kind. Damage of “a material kind” is that which affects “human welfare”, “the environment”, “the economy” and/or “national security”.

Interestingly, the definition of human welfare in the Act includes the “disruption of a system of communication” [13]; presumably this refers to an assumption that, where any system of communication is disrupted, material damage is rendered to human welfare. In my view, all unauthorized access to computer systems, regardless of the harm that it causes, could be considered a “disruption of a system of communication”. This is because any unauthorized access is a violation, on some level, of what Prof. Andrew Murray of the LSE calls identity “proxies” [14]. These proxies, things like user rights, passwords or IP addresses, are the foundation of trust in cyberspace and violating them, by implication, is a disruption of our prized cyber-communication.

While all system access violations cause “disruption to a system of communication”, I am not persuaded that they all impact “human welfare” in the way the term is commonly understood. It is my understanding that the association of human welfare with any “disruption to a system of communication” in the Serious Crime Act creates a broad-brush penalty that departs from a nuanced taxonomy of the harms that cybercrimes can cause.

The legislative reforms undertaken in the US and the UK fall short of resolving the ambiguity of the role of harm in cyber-regulation. Perhaps more importantly though, they start a motion of change that can be built on to develop a cyber-regulatory sphere that is attuned to the harms caused by cybercrimes. To do this, the question that we as a cyber-society need to address is: how can we inject our cyber-regulatory reforms with a taxonomy of harm that will deliver a better prosecutorial model?

Several scholars have put forth the notion of a public interest defence for offences like those outlined in the CFAA and the CMA. The lawyers and academics that promote this concept, like Greg Callus, create a parallel between violating cyber-legislation and violating data protection legislation [15]. Their arguments are based on the notion that the violation of both these types of legislation can lead to the discovery of information that is ultimately beneficial to the general public. Where this is the case, they argue, the violations of cyber-regulations should be defensible through public interest in the same way that data protection violations can be protected.

I think the ground for a public interest defence to cybercrimes should be handled cautiously. Firstly, cybercrime usually happens on an international scale and I am not persuaded that any human, indeed judges, lawyers and prosecutors, can overcome the challenges of assessing a universal “public interest”. Secondly, I am conscious that prosecutors already face enormous challenges when trying to investigate cybercrimes that, often, have serious consequences for individuals, companies or nations. My concern is that including a public interest defence in the CFAA and the CMA might discourage investigations into cybercrime even when serious harm is being incurred. Finally, I am conscious that the inconsistency with which the “public interest defence” has been applied in other areas of the law, like data protection, would be detrimental to rendering cyber-regulation more transparent and coherent.

While I have yet to understand how a functional taxonomy of cybercrime harms can be structured, I am entirely convinced that there is an urgent need for it to be created. Only once we attempt to map the degrees of harm in cyberspace will we witness cyber-prosecutorial resources engaged efficiently, a strong rule of (cyber)law and a fair distribution of penalties across cybercrimes. To this end, I urge you all to consider cyber-harm and share your vision of it.

[1] Gillian is an MSc Criminal Justice Policy student at the London School of Economics and Political Science. She is the Editor of the Technology section of The Beaver, LSESU's official newspaper, and has experience working for several private and public institutions including the United Nations. Her research is primarily concerned with issues of data protection and cybersecurity.
[2] Lessig, L. (2013) Aaron's Laws - Law and Justice in a Digital Age https://www.youtube.com/watch?v=9HAw1i4gOU4
[3] Serious Crime Act 2015 http://www.legislation.gov.uk/ukpga/2015/9/pdfs/ukpga_20150009_en.pdf
[4] Kerr, O. (2015) Obama’s Proposed Changes to the Computer Hacking Statute: A Deep Dive http://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/01/14/obamas-proposed-changes-to-the-computer-hacking-statute-a-deep-dive/
[5] Lessig, L. (2013) Aaron's Laws - Law and Justice in a Digital Age https://www.youtube.com/watch?v=9HAw1i4gOU4
[6] Norton, Q. (2015) We Should All Step Back from Security Journalism: I’ll Go First https://medium.com/message/we-should-all-step-back-from-security-journalism-e474cd67e2fa
[7] United States of America v Nosal, Cr 08-0237 (N.D. Cal, Mar 12, 2013)
[8] For a more in-depth analysis refer to Orin Kerr’s article http://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/01/14/obamas-proposed-changes-to-the-computer-hacking-statute-a-deep-dive/
[9] ibid
[10] Lessig, L. (2013) Aaron's Laws - Law and Justice in a Digital Age https://www.youtube.com/watch?v=9HAw1i4gOU4
[11] Serious Crime Act 2015 http://www.legislation.gov.uk/ukpga/2015/9/pdfs/ukpga_20150009_en.pdf
[12] The IT Law Community (2014) Computer Misuse Amendments http://www.scl.org/site.aspx?i=ne37488
[13] 2(3)(d) Serious Crime Act 2015 (Part II) http://www.legislation.gov.uk/ukpga/2015/9/pdfs/ukpga_20150009_en.pdf
[14] Murray, D (2013) Information Technology Law. OUP: Oxford. p.390
[15] Callus, G. (2012) A Typo in the Constitution http://gregcallus.tumblr.com/post/20539847136/theres-no-public-interest-defence-to-computer

© by Tech and Law Center – www.techandlaw.net
