Law,

Internet
and
Society
MODULE 4
Internet and Governance
Internet governance refers to the processes and mechanisms that are in place to
manage and regulate the global network of interconnected computer networks
known as the internet.
Given its borderless and decentralized nature, internet governance involves a
complex interplay of technical, policy, and societal considerations.
Various organizations, both governmental and non-governmental, play roles in
shaping and influencing internet governance.
The Issue of Jurisdiction
The issue of jurisdiction in internet governance refers to the challenge of
determining which laws, regulations, and legal frameworks apply to activities
and transactions that occur on the internet, especially when those activities cross
national borders.
The decentralized and global nature of the internet makes it difficult to apply
traditional concepts of jurisdiction, where physical boundaries and territories
define legal authority.
Challenges
Cross-Border Nature: The internet facilitates communication, commerce, and
interactions that can span multiple countries and jurisdictions. For example, a
website hosted in one country might be accessed by users from around the world.
This raises questions about which country's laws should apply in case of disputes
or legal issues.
Conflicting Laws: Different countries have varying laws and regulations related
to issues like freedom of speech, privacy, intellectual property, and cybersecurity.
When these laws conflict, it can create confusion and legal challenges for internet
users and service providers operating across borders.
Enforcement Challenges: Even if a country's laws apply to a specific online
activity, enforcing those laws can be difficult when the parties involved are
located in different jurisdictions. Traditional methods of law enforcement may not
be effective in the digital realm.
Data Localization: Some countries require that certain data be stored within their
borders, raising issues of data sovereignty and jurisdiction. This can clash with
the global nature of cloud computing and cross-border data flows.
Extraterritorial Application: Some countries attempt to extend their jurisdiction
beyond their borders by asserting that their laws apply to activities that have an
impact on their citizens, even if those activities occur outside their territory. This
can lead to conflicts when other countries disagree.
Internet Intermediaries: Internet platforms and service providers often find
themselves caught in the middle of jurisdictional disputes. They may be asked to
enforce laws from multiple countries, leading to challenges in balancing user
rights and legal obligations.
International Treaties and Agreements: Some attempts have been made to
establish international treaties or agreements to address jurisdictional issues
related to cybercrime, data protection, and intellectual property. However,
achieving consensus among different countries can be difficult.
Forum Shopping: Parties seeking a favorable legal outcome might strategically
choose the jurisdiction where they file a lawsuit. This can lead to a race to the
bottom in terms of regulatory standards.
Human Rights and Censorship: Jurisdictional conflicts can impact issues of
freedom of expression and human rights. Countries with restrictive internet
policies might try to exert control over content that is accessible to their citizens,
even if hosted abroad.
Need for International
Cooperation
Addressing the issue of jurisdiction in internet governance requires international
cooperation, dialogue, and the development of norms and frameworks that can
adapt to the global and rapidly evolving nature of the internet.
Multistakeholder approaches involving governments, the private sector, civil
society, and technical experts are important for finding balanced solutions that
respect the rights and interests of all stakeholders .
Application of International Law
International laws on cybercrime are designed to address and combat various
forms of criminal activity that occur in the digital realm.
These laws aim to establish a framework for cooperation among countries in
investigating, prosecuting, and preventing cybercrimes.
Several international treaties and agreements have been developed to address
cybercrime, each with its own focus and objectives.
Current Scenario
With respect to preventing, monitoring, criminalization, investigation and punishment of cybercrimes, many
sovereign countries of the world have in place extant laws and those that do not, are striving to enact
legislations, to tackle the challenge posed by cybercrime.
A summary of measures embarked upon at
international and regional levels to address
cybercrimes
G8
The G8 made public in 1997, a Ministers' Communiqué with action plan and
principles to combat cybercrime and protect data and systems from unauthorized
impairment.
It further mandated all law enforcement personnel must be trained and equipped
to address cybercrime, and designates all member countries to have a point of
contact on a 24 hours a day and 7 days a week basis.
The UN
The United Nations (UN) General Assembly in 1990 adopted a resolution
dealing with computer crime legislation.
In 2000 it also adopted a resolution on combating the criminal misuse of
information technology
While in 2002; it adopted a second resolution on the criminal misuse of
information technology.
International Telecommunication
Union
The International Telecommunication Union (ITU), as a specialized agency within the United Nations,
plays a leading role in the standardization and development of telecommunications and cybersecurity
issues.

The ITU was the lead agency of the World Summit on the Information Society (WSIS).

The World Summit on the Information Society (WSIS) was a two-phase United Nations-sponsored
summit on information, communication and, in broad terms, the information society that took place in
2003 in Geneva and in 2005 in Tunis.

In 2003, Geneva Declaration of Principles and the Geneva Plan of Action were released, which
highlights the importance of measures in the fight against cybercrime.

In 2005, the Tunis Commitment and the Tunis Agenda were adopted for the Information Society.
Council of Europe - Budapest
Convention
The Council of Europe (CoE) comprising 47 European member states in 2001 took the lead by putting
in place the first international Convention on Cybercrime, drafted in conjunction with USA, Canada,
and Japan and signed by its 46 member states but ratified by only 25 countries

The Convention alternatively referred to as Budapest Convention is the first transnational treaty on
crimes committed via the Internet and other computer networks, dealing particularly with
infringements of copyright, computer-related fraud, child pornography and violations of network
security.

It also contains a series of powers and procedures such as the search of computer networks and
interception
The main objective of the European Convention, set out in the preamble, is to
pursue a common criminal policy aimed at the protection of society against
cybercrime, especially by adopting appropriate legislation and fostering
international co-operation
International Law Without
Enforcement Mechanisms
The principles of international law in theory preserves the equality of states but
in reality, the George Orwell’s sagacious statement that “all animals are equal,
but some are more equal than others” is apt to descri.be the strength of nations in
their relation with one another.
With specific reference to cybercrime, the Budapest Convention is a well-known
subsisting treaty that have a status of international application.
if a state is a party to the treaty, but refuses to enforce provisions of the same in
its territory, what can other states in the comity do to ensure compliance of the
erring state?
Absence of one universal law
governing cybercrimes
The non-binding nature and lack of strict enforcement mechanisms of
international law is by and large, with respect to cybercrime laws appears to have
stultified the enforcement of cybercrime laws.
The only law that can frontally address the menace of cybercrimes, is that law
that would have only one jurisdiction, applicable globally, and not until the
political will is mustered to enact that universal law, humankind shall continue to
be plagued by challenges of enforcement posed to cybercrimes laws.
Cyber Warfare and Cyber
Terrorism
Cyberwar is typically conceptualized as state-on-state action equivalent to an
armed attack or use of force in cyberspace that may trigger a military response
with a proportional kinetic use of force.
Cyberterrorism can be considered the premeditated use of disruptive activities, or
the threat thereof, against computers and/or networks, with the intention to cause
harm or further social, ideological, religious, political or similar objectives, or to
intimidate any person in furtherance of such objectives
Cyberterrorists and Cyber Spies
Criminals, terrorists, and spies rely heavily on cyber-based technologies to
support organizational objectives.
Cyberterrorists are non-state actors (With State support in some cases) who
engage in cyberattacks to pursue their objectives.
Cyber spies are individuals who steal classified or proprietary information used
by governments or private corporations to gain a competitive strategic, security,
financial, or political advantage.
Cyber Warfare
Recent international events have raised questions on when a cyberattack could be
considered an act of war, and what sorts of response options are available to
victim nations.
Although there is no clear doctrinal definition of “cyberwarfare,” it is typically
conceptualized as state-on-state action equivalent to an armed attack or use of
force in cyberspace that may trigger a military response with a proportional
kinetic use of force
The 2014 Sony Hacks
The cyberattacks on Sony Entertainment illustrate the difficulties in categorizing
attacks and formulating a response policy.
On November 24, 2014, Sony experienced a cyberattack that disabled its
information technology systems, destroyed data and workstations, and released
internal emails and other materials.
Warnings surfaced that threatened “9/11-style” terrorist attacks on theaters
scheduled to show the film “The Interview”, causing some theaters to cancel
screenings and for Sony to cancel its widespread release.
Reference of Cyber-Vandalism
The Federal Bureau of Investigation (FBI) and the Director of National Intelligence (DNI)
attributed the cyberattacks to the North Korean government.

North Korea denied involvement in the attack, but praised a hacktivist group, called the
“Guardians of Peace,” for having done a “righteous deed.”

During a December 19, 2014, press conference, President Obama pledged to respond
proportionally to North Korea’s alleged cyber assault, “in a place, time and manner of our
choosing.”

President Obama referred to the incident as an act of “cyber-vandalism,”

Challenges in Cyberattack
Categorization
This incident illustrates challenges in cyberattack categorization, particularly
with respect to the actors involved and their motivations as well as issues of
sovereignty regarding where the actors were physically located.
With the globalized nature of the Internet, perpetrators can launch cyberattacks
from anywhere in the world and route the attacks through servers of third-party
countries.
Larger Questions!!
Was the cyberattack on Sony, a private corporation with headquarters in Japan,
an attack on the United States?
Further, could it be considered an act of terrorism, a use of force, or cybercrime?
In categorizing the attacks on Sony as an act of “cyber vandalism,” which
typically includes defacing websites and is usually the realm of politically
motivated actors known as “hacktivists,” President Obama raised questions of
what type of response could be considered “proportional,” and against whom.
What could be the Proportional
Response!!
Another potential policy question could be the circumstances under which a
country would commit troops to respond to a cyberattack.
Related to this is the question of whether countries have an effective deterrence
strategy in place.
According to the then Director of National Intelligence, James Clapper, “If they
get global recognition at a low cost and no consequence, they will do it again and
keep doing it again until we push back.”
 The Cyberwarfare Ecosystem: A
Variety of Threat Actors
Criminals, terrorists, and spies rely heavily on cyber-based technologies to support organizational
objectives.

Commonly recognized cyber-aggressors and representative examples of the harm they can inflict include
the following:

1. Cyber Terrorists

2. Cyber Spies

3. Cyber Thieves

4. Cyber Warriors

5. Cyber Activists
Cyber Terrorists
Cyber terrorists are state-sponsored and non-state actors who engage in
cyberattacks to pursue their objectives.
Transnational terrorist organizations, insurgents, and political groups have used
the Internet as a tool for planning attacks, radicalization and recruitment, a
method of propaganda distribution, and a means of communication, and for
disruptive purposes.
Cyber Spies
Cyber spies are individuals who steal classified or proprietary information used
by governments or private corporations to gain a competitive strategic, security,
financial, or political advantage.
These individuals often work at the behest of, and take direction from, foreign
government entities.
Targets include government networks, cleared defense contractors, and private
companies.
Cyber Thieves
Cyber thieves are individuals who engage in illegal cyberattacks for monetary
gain.
Examples include an organization or individual who illegally accesses a
technology system to steal and use or sell credit card numbers and someone who
deceives a victim into providing access to a financial account
Cyber Warriors
Cyber warriors are agents or quasi-agents of nation-states who develop
capabilities and undertake cyberattacks in support of a country’s strategic
objectives.
These entities may or may not be acting on behalf of the government with
respect to target selection, timing of the attack, and type(s) of cyberattack and are
often blamed by the host country when accusations are levied by the nation that
has been attacked.
Strategy of States to Evade
Responsibility
Often, when a foreign government is provided evidence that a cyberattack is
emanating from its country, the nation that has been attacked is informed that the
perpetrators acted of their own volition and not at the behest of the government.
In August 2012 a series of cyberattacks were directed against Saudi Aramco, the
world’s largest oil and gas producer.
The attacks compromised 30,000 computers and the code was apparently
designed to disrupt or halt oil production.
Some security officials have suggested that Iran may have supported this attack.
However, numerous groups, some with links to nations with objectives counter
to Saudi Arabia, have claimed credit for this incident
Cyber Activists
Cyber activists are individuals who perform cyberattacks for pleasure,
philosophical, political, or other nonmonetary reasons.
Examples include someone who attacks a technology system as a personal
challenge (who might be termed a “classic” hacker), and a “hacktivist” such as a
member of the cyber-group Anonymous who undertakes an attack for political
reasons.
The activities of these groups can range from nuisance-related denial of service
attacks and website defacement to disrupting government and private corporation
business processes.
Cyber Warfare
there isn't a single comprehensive international treaty or convention specifically
addressing cyber warfare or cyber terrorism in the same way that there are
treaties for traditional warfare or terrorism.
However, there are existing international laws and agreements that touch on
various aspects of cyber activities, including cyber warfare and cyber terrorism.
These laws and agreements are generally part of broader frameworks related to
international law, cybersecurity, and human rights.
United Nations Charter
The UN Charter prohibits the use of force by one state against another except in
cases of self-defense or when authorized by the UN Security Council.
Cyber attacks that cause significant harm could potentially be considered a use of
force and might trigger these provisions.
Tallinn Manual
The Tallinn Manual is a non-binding document created by a group of legal
experts that seeks to provide guidance on how international law applies to cyber
warfare.
The manual discusses various scenarios and issues related to state-sponsored
cyber activities.
Between 2009 and 2012, the Tallinn Manual was written at the invitation of the
Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence by an
international group of approximately twenty experts.
In April 2013, the manual was published by Cambridge University Press.
UN Group of Governmental Experts
(GGE) Reports:
The UN has convened groups of governmental experts to study issues related to
international security and cyberspace.
These reports provide recommendations on responsible state behavior in
cyberspace, and while they are not legally binding, they do contribute to the
development of norms.
Convention on Cybercrime (Budapest
Convention)
The Budapest Convention of 2001 is the first international treaty seeking to
address internet and computer crime by harmonizing national laws, improving
investigative techniques, and fostering international cooperation.
It focuses on issues like cybercrime, but its provisions can also have implications
for certain cyber warfare and cyber terrorism activities.
The Budapest Convention had been ratified by a significant number of countries,
both within and outside Europe.
However, it's worth noting that not all countries have adopted or ratified the
convention.
Additionally, the landscape of cybercrime continues to evolve rapidly, and new
challenges and threats have emerged since the convention was first adopted.
G7, G20 Declarations and Resolutions
Groups like the G7 and G20 have issued declarations and resolutions related to
cybersecurity and responsible state behavior in cyberspace.
These documents reflect the shared stance of participating countries.
International Humanitarian Law
(IHL)
IHL, also known as the laws of armed conflict, seeks to protect civilians and
combatants who are no longer participating in hostilities.
It's applicable to cyber warfare as well if cyber attacks are used in the context of
armed conflicts.
Principles of distinction, proportionality, and necessity apply to cyber operations,
just as they do in traditional warfare.
The principle of distinction requires parties to an armed conflict to distinguish
between lawful military targets and civilian persons or objects that must be
protected.
The principle of proportionality prohibits attacks that may cause harm to
civilians or civilian objects that would be excessive in relation to the concrete
and direct military advantage anticipated from the attack. This principle aims to
prevent disproportionate use of force.
The principle of necessity dictates that parties to an armed conflict must use only
the amount of force that is necessary to achieve a legitimate military objective.
Conclusion
It's important to note that the evolving nature of technology and the global
political landscape makes it challenging to create universally agreed-upon laws
and agreements.
Efforts continue to develop and refine international norms and legal frameworks
for dealing with cyber warfare and cyber terrorism.