“Cyberspace law” and web privacy violations

March 12, 2018

Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work check out the In Focus section of our website.

 

Amidst the many cyberspace laws that are enacted worldwide to respond to the constant growth of new issues faced in the online world, some of the biggest crimes committed online, including those related to privacy, seem to go unpunished [1]. For instance, in 2014 Yahoo stated that more than 500 million of its user accounts had been hacked and the personal data they contained sold [2]. Yet, although it is alleged that Yahoo had concealed its knowledge of the massive breach and only revealed it two years later in 2016, the consequences faced by the Telecom giant for this massive cybersecurity breach were financial and reputational, not legal [3]. Indeed, enacting proper legislation to regulate online behavior is only half the battle: this is because while new laws are created to face new problems that arise, enforcing cyberspace Law is intrinsically more difficult than the enforcement of “traditional laws”, for a number of reasons listed below [4]:

What is Cyberspace Law?

Cyberspace Law, or “Cyberlaw”, is a term that refers to the aggregation of legal issues arising over the Internet [5]. Cyberspace Law regulates many areas including e-commerce (i.e. corporate liability of Internet providers and social media outlets), cyber crimes (crimes committed over the Internet, which in most cases have an impact on the victim’s information privacy) and privacy concerns [6].

  1. Jurisdictional Issues

The difficulty in prosecuting online behaviour stems first and foremost from issues pertaining to jurisdiction[7]. The term “jurisdiction” refers to the authority of a sovereign state to regulate certain conduct[8]. This is due to the fact that before a law enforcement agency can investigate a cybercrime case, it has to have jurisdiction [9]. Essentially, the challenge when it comes to jurisdiction issues lies in determining which agency or court has the authority in a particular matter to administer justice [10]. This is significant because if a court lacks jurisdiction or is not competent to try a case the proceedings are nullified, no matter how strong the evidence is or how well conducted the case may be [11].

Conflicts regarding jurisdiction can be based on a number of different things, including: the branch of law (ex: criminal law vs. international law), Type of case (i.e. criminal cases vs. international law cases), the “Grade” (or seriousness) of  the offense (i.e. summary offenses vs. indictable offenses), monetary damages (i.e. different courts handle cases based on the minimum or maximum monetary damages that can be obtained from a particular type of lawsuit), and the level of government (i.e. there are separate laws, law enforcement agencies and court systems for the different levels of government, for example, Federal vs. Provincial. Therefore, the difficulty here is determining which laws apply to a particular case or offense based on the level of government)[12]. Finally, jurisdiction and jurisdiction issues are largely based on the geographical area [13].

Geographical jurisdiction is one of the most significant factors that make it hard for law enforcement authorities to regulate online behaviour; this is because a particular law enforcement agency or court has jurisdiction only over crimes that take place in the geographic location where the agency or court has authority [14]. This generally includes the location of the perpetrator, the location of the victim, or the location where the crime actually occurred [15]. In the context of the Internet, this can often be much more difficult to determine than in the real world because, as we will elaborate later on, the anonymous aspect of the Internet and the digital nature of the evidence makes it much more difficult for authorities to bring wrongdoers to justice [16]. For instance, determining geographic jurisdiction for cybercrimes when it comes to Cyberspace law is more difficult than for “traditional” (or “terrestrial”) crimes because often the perpetrator is not in the same city or country as the victim[17].

 

To determine whether a law agency or court has jurisdiction, it must first determine whether a crime has actually taken place at all; In some cases, there is no law that covers the particular circumstance, and in others, the wrongful action that took place is a civil matter, not a criminal one [18]. For instance, if you entrusted your data to a company (eg. Yahoo and other social media platforms) and this company lost it, although the consequences for one can be disastrous there is no criminal recourse available to the victim [19]. Second, if a criminal offense has occurred, then the next step is to determine what law was violated [20].

 

Why is Geographic Jurisdiction Such a Big Problem When it Comes to Legislation?

Geographic jurisdiction is a big problem when it comes to regulating online behaviour because laws differ from country to country, and even from province to province [21]; therefore, an act that’s illegal in one location may not be against the law in another [22]. For instance, if a perpetrator is in a location where what he is doing is not against the law but is a crime in the location where the victim is, it will be difficult (if not impossible) to prosecute him [23]. This is because law enforcement agencies are only authorized to enforce the law within their jurisdictions [24]. For instance, a police officer in Ontario doesn’t have the authority to arrest someone in Quebec, and the Royal Canadian Mounted Police (RCMP) doesn’t have the authority to arrest someone in the United States [25].

Moreover, certain measures exist in international law that render possible the prosecution of individuals who commit crimes in another country, but the process is difficult, expensive and long to accomplish[26]. For instance, even though international law does not require countries to surrender a criminal or suspect to another, some countries have what are called “Mutual Legal Assistance Treaties” by which they mutually agree to do so[27]. However, those treaties generally require “double criminality”, which means that the action by the perpetrator must be considered a crime in both the jurisdiction where the perpetrator is located and the jurisdiction where the act was committed[28]. In addition, determining where the act was committed in the online context is another challenge in and by itself[29].

 

  1. Anonymity and Identity

Anonymity is also considered to be one of the biggest obstacles against global efforts to regulate online behaviour [30]. Over the Internet, concealing one’s identity is far easier to do than in the real world, which makes it more difficult for law enforcement authorities to track down perpetrators and uncover their identity [31]. When it comes to legislation, this is significant because if the identities of wrongdoers are incapable of being traced, any law that is put into place to hold individuals or businesses accountable for their actions over the Internet, no matter how well crafted or intended, cannot work and is therefore completely useless [32]. At the same time, anonymity is an essential privacy protection, relied upon in particular to human rights defenders, vulnerable groups or individuals in oppressive regimes, and everyday citizens wishing to communicate privately.

 

  1. Nature of the Evidence (Digital Evidence)

The digital nature of the evidence is another factor that makes cyber crimes more difficult to prosecute [33]. Indeed, digital evidence can be easily lost or changed as compared to “real world” evidence [34]. For instance, cyber criminals have greater ability to erase evidence, and investigators can accidentally lose or destroy the evidence simply by examining or trying to access it [35]. At the same time, it is also possible that digital evidence can be restored in some circumstances, and standards can be developed to establish the evidentiary value of digital evidence over time.

The branch of the law that comprises all the rules regarding the presentation of facts and proofs in proceedings before a court, including the rules that determine which evidence is admissible or not, is the law of evidence [36]. In addition, the law of evidence varies across countries and legal systems, which further explains why jurisdiction is such a big problem when it comes to prosecuting wrongful behavior online [37].

  1. Legal Conception and Expectation of Privacy

The reliance of some nations on outdated conceptions of privacy can also complicate the prosecution of cybercrimes[38]. In some countries, the legal conception of privacy is still based (in some respects) on pre-Information Age concepts and precedents that do not reflect our actuality[39]. For example: in California v. Greenwood, 486 U.S. 35 (1988), the defendant’s trash which was left outside on the curb was searched without a warrant and the drug paraphernalia found inside was used as evidence to convict him [40]. The Court of Appeal affirmed that Greenwood’s privacy had not been invaded by the search because “there was no expectation of privacy for things left [outside] that the public could access, and therefore privacy did not apply to the trash left for the public to see” [41]. Although this ruling took place in 1988 (i.e. before the Internet started becoming accessible to the public in 1991), it still applies to current computer technology and the Internet [42]. Some scholars argue that this significant because it basically means that personal information left out in a public domain or on the Internet, whether it is trash on the curb or a web site for example, is viewed as the same from a legal perspective [43]. Canadian courts, however, are developing a more nuanced view in recent cases[44].

Conclusion

Although many countries enact cyberlaws in order to keep up with the development of computer technology and the ever-changing online environment, Cyberspace law is a relatively new field that contains loopholes that, as explained above, can render the application of those laws quite difficult [45]. Furthermore, the concept of “reasonable expectation of privacy” is being debated, re-framed, and problematized in light of the changing ways in which information online can be collected, shared, stored, and accessed.

 

 

 

 

[1] Shinder, Deb. 2011. « What Makes Cybercrime Laws So Difficult To Enforce ». Published January 26th 2011 on TechRepublic.com. Accessed January 4th 2018 : https://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/

[2]  Fiegerman, Seth. 2016. “Yahoo Says 500 Million Accounts Stolen”. Published September 23rd 2016 on the CNN official website. Accessed January 8th 2017: http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/index.html

[3] Supra Note 2

[4] Valiquet, Dominique. 2011. “Cybercrime: Issues”. Library of Parliament Research Publications, Background Paper No. 2011-36-E. Published April 5th 2011 on the Parliament of Canada website. Accessed January 9th 2018: https://lop.parl.ca/Content/LOP/ResearchPublications/2011-36-e.htm#a2

[5] LaManche. 2017. « Lawyer Library : Guide to Cyberspace Law ». Published on the  Legal Match official website. Accessed January 7th 2017 : https://www.legalmatch.com/cyberspace-law-guide.html

[6] Supra Note 1

[7]  Ajayi, E.F.G. 2016. “Challenges to Enforcement of Cyber-crimes Law and Policy”. Journal of Internet and Information Systems Vol. 6 (1). DOI: 10.5897/JIIS2015.0089. Published August 2016. Accessed January 9th 2018 : http://www.academicjournals.org/journal/JIIS/article-full-text-pdf/930ADF960210. Page 4.

 [8] International Telecommunications Union (ITU). 2015. “Understanding Cybercrime: Phenomena, Challenges and Legal Response”. Published April 28th 2015 on the ITU official website. Accessed January 9th 2018: http://www.itu-ilibrary.org/science-and-technology/understanding-cybercrime_pub/80c0b5e9-en. Page 228.

[9] Supra Note 7, page 5.

[10] Supra Note 7, page 5.

[11] Supra Note 7, page 4.

[12] Supra Note 1

[13] Supra Note 1

[14] Supra Note 7, page 5.

[15] Supra Note 1

[16] Supra Note 8,  pages 80, 227-228.

[17] Supra Note 1

[18] Supra Note 1

[19] Supra Note 2

[20] Supra Note 1

[21] Supra Note 1

[22] Supra Note 1

[23] Supra Note 8, page 235.

[24] Supra Note 7, page 5.

[25] Supra Note 1

[26] Supra Note 5

[27] Supra Note 5

[28] Supra Note 5

[29] Supra Note 5

[30] Supra Note 7, page 4.

[31] Supra Note 7, page 4.

[32] Supra Note 7, page 4.

[33] Supra Note 7, page 7.

[34] Supra Note 7, page 7.

[35] Supra Note 8, pages 227 and 228.

[36] Supra Note 7, page 7.

[37] Debesu, Kahsay and Andualem Eshetu. 2012. “Evidence in Civil and Common Law Legal Systems”. Published September 4th 2012 on the Abyssinia Law official website. Accessed January 9th 2018: http://www.abyssinialaw.com/study-on-line/item/934-evidence-in-civil-and-common-law-legal-systems

[38] Subramanian, Ramesh and Steven Sedita. 2006. “Are Cybercrime Laws Keeping Up With the Triple Convergence of Information, Innovation and Technology?” Communications of the IIMA Vol. 6, Issue 1, Article 4. Accessed January 9th 2018: http://scholarworks.lib.csusb.edu/ciima/vol6/iss1/4/. Page 43.

[39] Supra Note 38, page 43.

[40] Supra Note 38, page 43.

[41] Supra Note 38, page 43.

[42] Supra Note 38, page 43.

[43] Supra Note 38, page 43.

[44] See for example R v Marakah 2017 SCC 59 or R v Jones 2017 SCC 60.

[45] Supra Note 7, pages 1-2.