Introduction To IT LAW
Introduction to Information Technology and the Law
1.1. Unpacking terminologies: Internet Law, Computer Law or Information Technology Law?
• What Is Cyber Law?
• Cyber-law is any law that applies to the internet and
internet-related technologies.
• Cyber-law is one of the newest areas of the legal system.
This is because internet technology develops at such a rapid
pace.
• Cyber-law provides legal protections to people using the
internet. This includes both businesses and everyday
citizens. Understanding cyber law is of the utmost
importance to anyone who uses the internet.
• Cyber Law has also been referred to as the “law of the
internet.”
• Cyber law, also called information technology law, or
Internet law, pertains to laws involving technology related
to the Internet and includes computers and networks.
• Cyber law is a newer area of the legal system. It pulls from
many areas of traditional law and provides legal protection
for individuals using the Internet.
• This type of law is wide reaching, encompassing cyber-bullying
and cyber stalking, access to the Internet, intellectual property
infringement, consumer protection, financial crimes, freedom of
expression, online privacy, jurisdiction, freedom of religion, freedom
of speech, freedom of press, freedom of assembly, and also protects
citizens against unreasonable search and seizure.
• Cyber security is one of the fastest-growing challenges
across the globe and is becoming increasingly important.
• Furthermore, cyber-security has enormous implications for
government security, economic prosperity, and public
safety.
• Cyber laws have been enacted by every nation.
• In the United States, the federal government and
individual states are improving cyber-security through
legislation, better security measures and security practices,
increasing fines for computer crimes, and addressing the
most serious cyber risks to critical infrastructure.
• Cyber Law Terms and Laws
• There are three main terms that people need to know
related to cyber law:
1) Information Technology Law. These laws refer to
digital information. It describes how this
information is gathered, stored, and transmitted.
2) Cyber Law/Internet Law. These laws cover usage
of the internet. This is a newer legal area. Many
laws can be undefined and vague.
3) Computer Law. This covers a large legal area. It
includes both the internet and laws related to
computer IP.
Cyber Law Trends
2.1.2 Definition of Cybercrime
• “Cybercrime” is a very broad term that is often used to refer to different
concepts. Consequently, there is some debate as to the exact meaning of the
term. For the purposes of this course, cybercrime can be thought of as crime
that involves computers and computer networks.
• Generally, it refers to acts that involve criminal uses of the Internet or other
networked systems to cause harm to others or some form of a disturbance.
• It can include any criminal activity—not only on computers, networks, or the
Internet but also on mobile phones or other personal devices—that is
intended to cause harm to others.
• These are illegal activities that are conducted through global
electronic networks.
• In short, the term “cybercrime” refers to methods by which computers or
other electronic devices are used to carry out criminal activity and cause
harm to others.
• A cybercrime could be the misuse of computer systems or networks to
carry out criminal offenses by unauthorized access to a computer
system, illegal interception or alteration of data, or misuse of electronic
devices.
• Other examples are the theft of intellectual property, that is, theft of a
patent, trade secret, or anything protected by copyright laws.
• It can also include attacks against computers to deliberately disrupt
processing or acts of espionage to make unauthorized copies of
classified data.
• It includes downloading illegal music, stealing money from bank
accounts, creating viruses, posting confidential business information on
the Internet, committing identity theft or fraud, trafficking in child porn,
money laundering and counterfeiting, and committing denial-of-service
attacks.
• Other examples of cybercrimes include computer viruses;
malware; fake emails or websites; identity theft; cyber-bullying,
stalking, or harassment; hacking; online scams (e.g., Nigerian
scams); credit card theft; or phishing.
• The term “cybercrime” often encompasses other, more
specific categories of illegal behavior such as computer-assisted
crimes and computer-focused crimes.
• Other terms that refer to the same acts are computer crimes,
digital crimes, techno-crimes, and high-tech crimes. These
terms all refer to criminal activities that are committed by
the use of emerging digital, network, or computer
technologies, such as the Internet.
• In the European Union, the Council of Europe provides a more
complete definition of cybercrime. It describes cybercrime as
“applied to three categories of criminal activities.
• The first covers traditional forms of crime such as fraud or
forgery, though in a cybercrime context relates specifically to
crimes committed over electronic communication networks and
information systems.
• The second concerns the publication of illegal
content over electronic media (i.e., child sexual abuse material or
incitement to racial hatred).
• The third includes crimes unique to electronic
networks, that is, attacks against information systems, denial
of service and hacking.”
2.1.3. Key Terms Related to Cyber Crime
• Cybercriminals:- are those who use mobile phones, laptop computers,
or network servers to commit a cybercrime. Although a criminal does
not need special computer skills to commit a computer crime, he or
she usually needs to have more than a basic level of computer
knowledge to commit a computer crime.
• Drop Account:- is an account that is opened by a criminal as a way to
receive profits from his or her criminal activity. Most times, the
accounts are opened with a false identity so they are difficult for law
enforcement to track.
• Advanced Persistent Threats:- (APTs) are attacks on computer
systems that involve multiple techniques or approaches. In some
instances, cybercriminals will use multiple techniques or methods in
their attacks rather than a single method to ensure a particular result.
• Computer Forensics:- refers to the examination of computer components and their
contents, including hard drives, external drives, compact disks, and printers, to
investigate allegations of possible crimes and collect evidence of those crimes.
Sub-disciplines of computer forensics include malware forensics and mobile device
forensics. These sub-disciplines are focused on collecting evidence of wrongdoing
by use of malware and mobile devices.
• Malware:- which is short for “malicious software,” is a general term for software
programs that affect how a computer functions. Most malware is spread through an
email attachment. When the receiver opens the attachment, the malware installs
itself onto the victim’s computer.
• Crimeware:- refers to the software that is used to commit acts of cybercrime. The
term encompasses a multitude of different malicious, or potentially malicious,
software products. Examples of crimeware are bots and Trojan horses.
• Botnet:- One form of malware is a botnet, or bot network.
These are comprised of many computers that have been
infected with malware that allows them to be controlled
remotely through commands sent through the Internet,
possibly from thousands of miles away.
• Packet Sniffers:- are small pieces of malware that are
attached to computer systems and have the capability of
“sniffing out” or inspecting data that is being sent along a
computer network. If an important piece of data is detected,
such as a password, that information is recorded and sent to
the criminal.
• Personally Identifiable Information:- refers to any
information that can be used to identify an individual.
If stolen, a criminal can use this information to steal
that person’s identity or cause other harm to them.
Examples of PIIs are a person’s full name, Social Security number (or other
federal identification number, such as a passport number or driver’s license
number), birth date and place of birth, credit card account numbers, and
bank account information.
• Cyber-terrorism:- is the use of the Internet by terrorist
groups who are attempting to affect a nation’s policies. As
defined by the Federal Emergency Management Agency,
cyber-terrorism is the “unlawful attacks and threats of attack
against computers, networks and the information stored
therein when done to intimidate or coerce a government or
its people in furtherance of political or social objectives.”
• Zero-Day Exploit:- occurs when a computer hacker is able
to uncover a weakness in a software program that is
unknown to the owner or business and has not been
exploited by a cyber-criminal.
• Exploit Kits:- are malicious programs that allow criminals to
identify vulnerabilities in computer systems and then spread
malware to those computers.
• Script Kiddies:- Hackers who do not possess the technical
skills to carry out complicated attacks are sometimes called
“script kiddies.” Their attacks are often aimed at systems
with weak security. They tend to make more mistakes and
are not as capable at hiding their attacks, which makes it
easier for law enforcement officials to track them down.
• Cyber Black markets:- are online stores that provide
criminals with the materials or tools they need to carry out
cybercrimes.
2.1.4. Motives of Cyber criminals
1. Financial Reasons
2. Disrupt Business
3. Terrorism
4. Theft (Nonfinancial)
5. Political Reasons
6. Amusement/Curiosity/Challenge
7. Organized Crime
8. Locating Victims
• Despite privacy and ‘privacy-invading features’ being discussed in the
context of data protection, it has not always been easy to reconcile the
terms ‘data protection’, on the one hand, and ‘privacy’, on the other.
This is not helped by the fact that an agreed definition of privacy remains
elusive.
• The analysis of the multifaceted and slippery concept of privacy
continues to the present, but with no agreed conclusion or consensus,
much less the emergence of any workable legal definition.
• Westin suggested that ‘Privacy is the claim of individuals, groups or
institutions to determine for themselves when, how and to what extent
information about them is communicated to others’, a definition based on
the right of self-determination, which may be placed at particular risk by
the practice of data matching made so simple by modern information
technology (IT).
• This notion was supported by Miller, in the specific context of
this technology, who considered privacy to be ‘the individual’s
ability to control the circulation of information relating to him’.
• Gavison, on the other hand, is critical of the ability to control
personal information as being a determinant of the definition of
privacy precisely because a dependence on subjective choice
makes both a realisation of the scope of the concept and the
provision of legal protection problematic.
• The definitional difficulties are exacerbated by the fact that
whether or not privacy is considered to have been invaded is a
very subjective issue, which will depend not only on the view
of the person whose privacy is being invaded, but also on who
is the invader and what information he or she is uncovering.
• Whether or not there is an accepted and acceptable definition of
‘privacy’, it is usually recognised as a fundamental human
right, and accorded specific protection under human rights
conventions and national constitutions.
• In contrast, data protection is often viewed as a technical term
relating to specific information management practices – the
preferred stance of those who would see data protection primarily
as an aspect of business regulation.
• Even if the precise nature of the relationship between data
protection and privacy is elusive, one approach to the undeniable
tension between the rights of all those who would seek to exert
control over personal information can be
found in the terminology of risk and risk assessment, concepts
that are, perhaps, more familiar in a business environment.
• Three risk factors can be identified that could be considered to be
elements of privacy.
• The first of these is the risk of injustice due to significant
inaccuracy in personal data, unjust inference, ‘function creep’ (the
gradual use of data for purposes other than those for which it was
collected), or reversal of the presumption of innocence, as seen in
data matching when correlation of information from disparate
sources may produce an impression that is greater than the sum of
the parts.
• The second risk is to one’s personal control over the collection of
personal information as a result of excessive and unjustified
surveillance (which would presumably include monitoring the use
of particular websites), collection of data without the data subject’s
consent, and also the prohibition or active discouragement of the
means to remedy these risks, such as the use of encryption and
anonymising software.
• Finally, there is a risk to dignity as a result of exposure or
embarrassment due to an absence of transparency in
information procedures, physical intrusion into private
spaces, unnecessary identification or absence of anonymity,
or unnecessary or unjustified disclosure of personal
information without consent.
• Data protection measures may be considered as risk
management devices that need to balance the risk to the
individual from unnecessary invasion of privacy with the
measures necessary to control that risk.
• The precise relationship between privacy and data
protection remains unresolved, and it is possible to continue
to find conflicting views.
• Art 1 of the Data Protection Directive explicitly
protects the privacy of an individual with respect to the
processing of data; on the other hand, there is no mention of
the word ‘privacy’ in the Data Protection Act 1998 intended
to implement the Directive. In contrast, a parallel provision
has not been included in the General Data Protection
Regulation which makes very little mention of privacy at all.
Although this could be viewed as a move away from a focus
on privacy Costa and Poullet believe that ‘it is certain that
affirming the autonomy of the right to protection of personal
data does not imply denying privacy as its
fundament.’
• Mayer-Schönberger has further traced this development in terms
of a succession of generations of data protection legislation.
• Of these, he suggests that the first generation represents those
laws passed in the early 1970s that reacted to the onset of large
databanks and the overall phenomenon of data processing.
• The second generation, which emerged in the late 1970s, began
to focus more explicitly on the individual rights of citizens.
• This was further developed by the third generation of
regulation in the 1980s, which emphasised informational
participation and self-determination.
• The fourth generation, which Mayer-Schönberger suggests
focuses more on holistic and sectoral perspectives, is exemplified
by Directive 95/46/EC and emerged in the 1990s.
Personal data
• Personal data is defined in Art 2(a) of the Directive as ‘any information relating
to an identified or identifiable natural person’. This person is known as the ‘data
subject’ and is someone who can be ‘identified, directly or indirectly, in particular
by reference to an identification number or to one or more factors specific to his
physical, physiological, mental, economic, cultural or social identity’.
• In contrast, DPA 98, s 1(1) defines personal data as data relating to a living
individual who can be identified from those data, or from a combination of those
data and other information in the possession of the data controller. This
specifically includes ‘any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person in respect of
the individual.’
• In Art 8 the Directive identifies certain ‘special categories’ of data namely that
relating to ‘racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade-union membership, and the processing of data concerning health or
sex life’, the processing of which is prohibited unless certain conditions are met as
discussed below. DPA 98 refers to this as ‘sensitive data’ and, in addition to the
above list, the definition includes data relating to criminal offences or related proceedings.
The data protection principles
• The Directive sets out to protect the privacy of data subjects with respect to
the processing of their personal data by embedding principles of good data
management within the legislative framework.
• Five of these principles are listed in Art 6:
1. personal data should be processed fairly and accurately;
2. personal data should be collected for specific purposes and not further
processed for other purposes;
3. personal data processed should be relevant and not excessive;
4. personal data should be accurate and kept up to date; and
5. personal data should be kept no longer than is necessary.
• Processing in accordance with the rights of the data subject, security and
trans-border data flow are dealt with elsewhere in the Directive.
• Some guidance as to the interpretation of the Data Protection Principles is
contained in Pt II of DPA 98 Sch 1.
Exemptions to the data protection principles
• National security
• Crime and taxation
• Health, education and social work
• Regulatory activity
• Journalism, literature, self-incrimination
• Research, history, statistics, legal professional privilege
• Manual data held by public authorities
• Information available to the public by or under any enactment
• Disclosures required by law or in connection with legal proceedings
• Parliamentary privilege, negotiation, examination marks
• Domestic purposes, corporate finance
• Confidential references by data controller, judicial appointments,
honours, Crown employment, management forecasts
1.2. Digital surveillance and the law
• In contrast to the laws relating to the protection of privacy and
personal data are those laws that justify, formalise, and regulate state
and private party actions likely to impact upon individuals’ normal
expectations of privacy, in the pursuit of other legitimate social,
political, and economic goals. These include laws that influence the
use of information technologies, such as telecommunications
and the internet, by:
● facilitating the tracing of links between individuals – for example,
permitting collection of ‘traffic data’ identifying when and with whom
technology users communicate;
● facilitating the collection of information about the detail of
individuals’ interactions – for example, permitting interception of the
content of their communications; or
● preventing the effective employment of surveillance
countermeasures – for example, forbidding, or limiting the utility of,
the use of encryption technologies.
• In the digital information environment, the primary aim of UK state
surveillance has been to ensure that law enforcement and national security
agencies have suitable access and powers to maintain effective
investigatory practices across the diverse range of public communications
options.
• A secondary aim, motivated largely by external pressures – notably
European Court of Human Rights (ECtHR) rulings – has been to place
both access and investigatory powers within a legal framework.
• Such a framework, in theory, allows oversight of their lawful use,
meaningful penalties for their abuse, and greater public transparency about
their operation, without unduly compromising their effectiveness.
• While, on paper, considerable advances have been made toward
this second aim, achieving and maintaining a proportionate balance
between efficiency and legitimacy in an area in which technology is in a
state of constant flux is far from a simple task.
• As a result, both legislators and judiciary have struggled to keep pace with
developments.
• A complicating factor is that powers granted to state agencies to access and
collect digital information generated by the public often produce, or permit the
production of, datasets relevant to commercial organisations. For example,
internet traffic data can be valuable to content providers
wishing to monitor potential infringements of their intellectual property, or to
advertising companies seeking to deploy ‘behavioural advertising’. This can
lead to pressure from commercial organisations for greater access to such
datasets, or for the wider grant of access and investigatory powers to the private
sector.
• Here, too, there is a delicate balancing act for legislature and judiciary
to consider – that is, the extent to which the business interests of commercial
organisations can be accommodated, without undue impact upon either the
public interest, or the perceived legitimacy of state access and investigatory
powers.
• Thus the requirement of a legal framework for the legitimate exercise of access
and investigatory powers by state agencies is mirrored by the need for a similar
framework for private entities – a need that, in the UK, is again being addressed
mainly following adverse rulings from the ECtHR.
• As the UK regulatory framework for surveillance has developed in
a piecemeal fashion, its legislative foundation is currently spread
across a range of Acts, including:
• Regulation of Investigatory Powers Act 2000 (RIPA 2000);
• Regulation of Investigatory Powers (Scotland) Act 2000 (RIPSA
2000);
• Data Retention and Investigatory Powers Act 2014 (DRIPA 2014);
• Intelligence Services Act 1994 (ISA 1994);
• Part III Police Act 1997 (PA 1997);
• Data Protection Act 1998 (DPA 1998);
• Protection of Freedoms Act 2012 (PoFA 2012);
• Human Rights Act 1998 (HRA).
• In addition numerous regulatory/oversight bodies
have been created, the primary bodies being:
● Information Commissioner’s Office;
● Investigatory Powers Tribunal;
● Surveillance Camera Commissioner;
● Office of the Surveillance Commissioner;
● Interception of Communications Commissioner;
● Intelligence Services Commissioner;
● Commissioner for the Retention and Use of
Biometric Material.
• The three key elements of the current regime for surveilling
the digital environment are:
● the legal framework for the interception of content in
transit between parties – that is, the interception of
communications;
● the requirement upon public telecommunications providers,
including internet service providers (ISPs), to retain
communications traffic data – that is, data retention; and
● the requirements placed on users of encryption technologies
to make their communications accessible to the authorities
upon demand – that is, decryption powers.
• The intention is to provide a single legal framework which deals with all
interception of communications in the United Kingdom, regardless of the
means of communication, how it is licensed or at which point on the route
of the communication it is intercepted . . .
• The Government believes that it should not make any difference how a
communication is sent, whether by a public or non-public
telecommunications or mail system, by wireless telegraphy or any other
communication system.
• Nor should the form of the communication make
any difference; all interception which would breach Article 8 rights,
whether by telephone, fax, e-mail or letter, should all be treated the same
way in law.
• A single authorising framework for all forms of lawful interception of
communications will mean that each application will follow the same laid
down procedure and will be judged against a single set of criteria.
• The result of the government’s consultation and deliberations post-Halford
was the Regulation of Investigatory Powers Act 2000 (RIPA 2000). This
repealed the Interception of Communications Act 1985, but still maintained
much of the pre-existing public telecommunications interception regime,
including the oversight mechanisms. The Act itself is split into seven parts
covering the following:
• ‘Communications’;
• ‘Interception’;
• ‘Acquisition and disclosure of communications data’;
• ‘Surveillance and covert human intelligence sources’;
• ‘Investigation of electronic data protected by encryption etc’;
• ‘Scrutiny etc of investigatory powers and of the functions of the
intelligence services’; and
• ‘Miscellaneous and supplemental’.
Interception: basic principles
The Directive set out several categories of data to be retained. These were data
necessary to:
• trace and identify the source of a communication, such as the telephone
number and subscriber name and address (telecoms), or user ID and name and
address of the subscriber or registered user (internet);
• identify the destination of a communication, such as the number called, any
number to which a call is rerouted, name and address of subscriber/user
(telecoms), or user ID or telephone number of the intended recipient(s) of an
internet telephony call, and name and address of subscriber/user (internet);
• identify the date, time, and duration of a communication;
• identify the type of communication, such as the telephone or internet service
used;
• identify users’ communication equipment, or what purports to be their
equipment; and
• identify the location of mobile communication equipment, such as cell ID and
the geographic location of the cell.
Encryption
2. The exercise of these freedoms, since it carries with it duties and responsibilities,
may be subject to such formalities, conditions, restrictions or penalties as are
prescribed by law and are necessary in a democratic society, in the interests of
national security, territorial integrity or public safety, for the prevention of
disorder or crime, for the protection of health or morals, for the protection of the
reputation or rights of others, for preventing the disclosure of information received
in confidence, or for maintaining the authority and impartiality of the judiciary.
• The right is without frontiers. This means, subject to para. 2,
the right extends to publishing material on the internet,
notwithstanding interference with the right by governments
of other countries. The same point can be made about
proportionality as applies to the right of privacy. Paragraph 2
also highlights the fact that the right is subject to duties and
responsibilities.
• There are a number of points that can be made about the right
of freedom of expression. The exercise of the right might
conflict with national laws in countries other than the one in
which the person exercising it resides. Or the ‘victim’, if
there is one, may be in a different country. This immediately
brings into play jurisdictional issues.
4.2. Digital speech management: filtering and ranking