Cyberspace

The new frontier for policing?

Fraser Sampson

Published in 2011, the UK Cyber Security Strategy states that:

That the United Kingdom even has a cyber security strategy is telling. Governments and their agencies—not only in the United Kingdom but worldwide—have struggled to distinguish criminality that specifically relies on the use of the hyper-connectivity of global information technology from “ordinary” crime that is simply enabled by using information and communication technology. Despite legislative interventions such as the Council of Europe Convention on Cybercrime (for an analysis of which see Vatis, 2010, p. 207) in 2001, cyberspace remains a largely unregulated jurisdictional outpost.

The first piece of criminal legislation to address the use—or rather the misuse—of computers in the United Kingdom was enacted in 1990. The recital to the Computer Misuse Act 1990 states that it was an act “to make provision for securing computer material against unauthorized access or modification; and for connected purposes.” This narrow, pre-Internet focus was very much predicated on the concept of a computer as a functional box (or network of boxes) containing “material” that required protection (Sampson 1991a, p. 211). Although the Act addressed unauthorized access, the concept of causing a computer to perform a function in furtherance of other crimes was also a central part of the new legislation (Sampson, 1991b, p. 58) which, for the first time in the United Kingdom, sought to catch up with computer technology that was becoming part of people’s everyday lives—a race in which the legislative process did not stand a chance.

While the legislation was amended in 2006 with the introduction of a new criminal offence of unauthorized acts to impair the operation of a computer or program, etc., looking back through today’s digital prism, the legislation has a decidedly analog look to it. When the legislation came into force we had little idea of the impact the “information super-highway” would have on our everyday lives, still less the engrenage effect of social media.

According to the UK’s 2011 Cyber Security Strategy, at the time of its publication 2 billion people were online and there were over 5 billion Internet-connected devices in existence. During that same year, the number of people being proceeded against for offences under the Computer Misuse Act 1991 in England and Wales, according to a document from the Ministry of Justice, was nine (Canham, 2012) with no people being proceeded against for the two offences under s.1(1) and s.1(3). Perhaps as surprisingly, the records from the Police National Legal Database (PNLD) used by all police forces in England and Wales for offence wordings, charging codes, and legal research show that during two weeks (chosen at random) in 2013 the Computer Misuse Act 1990 and its constituent parts were accessed as follows:

Between 4th and 10th March—907 times

Between 10th and 16th November—750 times

Reconciling these two data sets is difficult. While it is clear from the PNLD access data that law enforcement officials in England and Wales are still interrogating the 1990 legislation frequently (on average, around 825 times per week or 118 times per day or annually 42,900 times), the number of prosecutions for the correlative offences is vanishingly small. One of the many challenges with cybercrime and cyber-enabled criminality is establishing its size and shape.

The Shape of the Challenge

Just as the shape of our technology has changed beyond all recognition since 1990, so too has the shape of the challenge. The almost unconstrained development of Internet-based connectivity can be seen, on one hand, as a phenomenological emancipation of the masses, an extension of the Civil Data Movement and the citizens’ entitlement to publicly held data (see (Sampson and Kinnear, 2010). On the other hand, the empowerment it has given others (particularly sovereign states) to abuse cyberspace has been cast as representing the “end of privacy” prompting a petition to the United Nations for a “bill of digital rights.”

Steering a predictably middle course, the UK strategy sets out the key—and, it is submitted, most elusive—concept within the document: that of a “vibrant, resilient, and secure cyberspace.” The aspiration must surely be right but how can resilience and security be achieved within a vibrant space run by computers? In terms of both computers and our reliance upon them, we have moved so far from the original notion of boxes, functions, commands and programs, along with the consequences that can be brought about by their use, that a fundamental re-think is needed.

So what—and where—is cyberspace? Much has been written recently on the threat, risk and harm posed by “cybercrime,” “e-crime,” “cyber-enabled” criminality but the legislation has been left a long way behind. The EU has a substantial number of workstreams around its “Cybersecurity Strategy” and its own working definition of “cyberspace” though its own proposed Directive has no legal definition but rather one for Network and Information Security to match the agency established in 2004 with the same name. In the United Kingdom, a parliamentary question in 2012 asked the Secretary of State for Justice how many prosecutions there had been for “e-crime” in the past 5 years. In response, the Parliamentary Under Secretary of State gave statistics for ss 1(4), 2 and 3(5) of the Computer Misuse Act while the correlative Hansard entry uses the expression “cybercrime” in its heading.

Wherever it is, constitutional lawyers around the world have wrestled with the applicability of their countries’ legislation with the borderlessness of the virtual word of the Internet; the application of “analog” territorial laws to the indeterminable digital boundaries of the infinite global communications network is, it seems, proving to be too much for our conventional legal systems. Here is why.

When it comes to interpreting and applying law across our own administrative jurisdictional boundaries, an established body of internationally agreed principles, behavior, and jurisprudence has developed over time. Some attempts have been made to apply these legal norms to cyberspace. For example, the International Covenant on Civil and Political Rights sets out some key obligations of signatory states. In addition, activities executed within or via cyberspace should not be beyond the reach of other community protections such as those enshrined in the European Convention of Human Rights or the EU Charter of Fundamental Rights, particularly where issues such as online child sexual exploitation are involved. The first basic challenge that this brings however, is that of jurisdiction.

Cottim has identified five jurisdictional theories and approaches in this context, namely (Cottim A. 2010):

1. Territoriality theory: The theory that jurisdiction is determined by the place where the offence is committed, in whole or in part. This “territoriality theory” has its roots in the Westphalian Peace model of state sovereignty that has been in place since 1684 (see Beaulac, 2004, p. 181). This approach has at its heart the presumption that the State has sovereignty over the territory under discussion, a presumption that is manifestly and easily rebuttable in most “cyberspace” cases.

2. Nationality (or active personality) theory: Based primarily on the nationality of the person who committed the offence (see United States of America v. Jay Cohen; Docket No. 00-1574, 260 F.3d 68 (2d Cir., July 31, 2001) where World Sports Exchange, together with its President, were defendants in an FBI prosecution for conspiracy to use communications facilities to transmit wagers in interstate or foreign commerce. The defendants were charged with targeting customers in the United States inviting them to place bets...